Sorry for the individual emails, but I got things working with MSCHAP (w/ ntlm_auth) and WPA-EAP.

My issue was that when I got the two winbind errors, I did some more searching and there's the potential that the freerad user did not have access to the pipe named: /var/run/samba/winbindd

That pipe is owned as follows:

drwxr-x--- 2 root winbindd_priv 60 Aug 22 11:15 winbindd_privileged/

That being the case, you need to add the user freerad to that group, so it can execute with the right privileges.

Sending Access-Request of id 52 to 127.0.0.1 port 1812
        User-Name = "wyse1"
        NAS-IP-Address = 127.0.1.1
        NAS-Port = 1812
        MS-CHAP-Challenge = 0xf38d9f1a3dcb27e9
        MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000941d3ff95601f8f335e7eff7c97e1abf28df15abd28b7fda
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=52, length=84
        MS-CHAP-MPPE-Keys = 0x0000000000000000d22b3a1df401aa61a721c8a31ba910820000000000000000
        MS-MPPE-Encryption-Policy = 0x00000001
        MS-MPPE-Encryption-Types = 0x00000006

Now, is it safe to disable modules (by commenting them out of the sites-enabled files) that aren't related to the MSCHAP process? This is just in passing curiosity.

On Aug 22, 2013, at 10:14 AM, Chris Parker <cparke...@me.com> wrote:

> Thank you for setting me on the right track; I have followed the directions
> on http://deployingradius.com/documents/configuration/active_directory.html
> (the bottom section on MSCHAP) and have ntlm_auth in the authenticate {} - as
> per those directions.
>
> When I run the ntlm_auth command manually, it works fine / as does running
> wbinfo -a
>
> root@leopard:/etc/freeradius# wbinfo -a wyse1%K503D
> plaintext password authentication succeeded
> challenge/response password authentication succeeded
>
>
> Ready to process requests.
> rad_recv: Access-Request packet from host 127.0.0.1 port 60046, id=111, length=113
>         User-Name = "wyse1"
>         NAS-IP-Address = 127.0.1.1
>         NAS-Port = 1812
>         MS-CHAP-Challenge = 0xe07a375bed09f1f7
>         MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000065b157b183b4d29d455414b184c57af4912b1d74f4ed726
> # Executing section authorize from file /etc/freeradius/sites-enabled/default
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> [mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
> ++[mschap] returns ok
> ++[digest] returns noop
> [suffix] No '@' in User-Name = "wyse1", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] No EAP-Message, not doing EAP
> ++[eap] returns noop
> ++[files] returns noop
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
> ++[pap] returns noop
> Found Auth-Type = MSCHAP
> # Executing group from file /etc/freeradius/sites-enabled/default
> +- entering group MS-CHAP {...}
> [mschap] Told to do MS-CHAPv1 with NT-Password
> [mschap]        expand: %{Stripped-User-Name} ->
> [mschap]        ... expanding second conditional
> [mschap] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
> [mschap]        expand: %{User-Name:-None} -> wyse1
> [mschap]        expand: --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} -> --username=wyse1
> [mschap]  mschap1: e0
> [mschap]        expand: --challenge=%{mschap:Challenge:-00} -> --challenge=e07a375bed09f1f7
> [mschap]        expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=065b157b183b4d29d455414b184c57af4912b1d74f4ed726
> Exec-Program output: Reading winbind reply failed! (0xc0000001)
> Exec-Program-Wait: plaintext: Reading winbind reply failed! (0xc0000001)
> Exec-Program: returned: 1
> [mschap] External script failed.
> [mschap] MS-CHAP-Response is incorrect.
> ++[mschap] returns reject
> Failed to authenticate the user.
> Login incorrect (mschap: External script says Reading winbind reply failed! (0xc0000001)): [wyse1/<via Auth-Type = mschap>] (from client localhost port 1812)
> Using Post-Auth-Type Reject
> # Executing group from file /etc/freeradius/sites-enabled/default
> +- entering group REJECT {...}
> [attr_filter.access_reject]     expand: %{User-Name} -> wyse1
>  attr_filter: Matched entry DEFAULT at line 11
> ++[attr_filter.access_reject] returns updated
> Delaying reject of request 0 for 1 seconds
> Going to the next request
> Waking up in 0.9 seconds.
> Sending delayed reject for request 0
> Sending Access-Reject of id 111 to 127.0.0.1 port 60046
> Waking up in 4.9 seconds.
> Cleaning up request 0 ID 111 with timestamp +15
> Ready to process requests.
>
> On Aug 22, 2013, at 5:50 AM, Phil Mayers <p.may...@imperial.ac.uk> wrote:
>
>> On 21/08/13 23:44, Chris Parker wrote:
>>> Okay, pardon my confusion then. I had been following a howto online
>>> and it reported that the command when run manually will produce the
>>> key.
>>>
>>> Either way, I'm still having a failure in MSCHAP with radtest that
>>> I'm not quite grasping.
>>
>> Well, as I explained in my other email, mschap == challenge/response,
>> "modules/ntlm_auth" != challenge/response.
>>
>> To reiterate, "modules/ntlm_auth" is almost certainly not what you want, and
>> is not intended to be used as-is. I would unconfigure it and concentrate on
>> getting "modules/mschap" working.
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
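The group-membership fix described at the top of this message, written out as a shell check. This is an added example, not code from the thread, from FreeRADIUS or from Samba: it reads the group that owns the winbindd_privileged directory, tests whether the service user is already a member, and adds it with usermod if not. The directory path, the user name freerad and the group name winbindd_priv are the ones quoted in the message; the assumptions are a Linux host with usermod and an `id` that accepts `-nG`, and that the script is run as root for the usermod step.

```shell
#!/bin/sh
# Added example (not from the list thread): make sure the account radiusd runs
# as can reach winbind's privileged pipe directory. Names below are the ones
# quoted in the message; adjust for your distribution.

# Print the owning group of a path. Field 4 of `ls -ld` is the group name on
# any POSIX ls, so this avoids the GNU-vs-BSD differences of stat(1).
dir_group() {
    ls -ld "$1" | awk '{ print $4 }'
}

# Return 0 if user $1 is a member of group $2 (primary or supplementary).
user_in_group() {
    for g in $(id -nG "$1" 2>/dev/null); do
        [ "$g" = "$2" ] && return 0
    done
    return 1
}

# Ensure user $1 is in the group that owns directory $2 (the winbindd
# privileged pipe directory). Needs root when a change is required.
ensure_pipe_access() {
    user=$1
    dir=$2
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    grp=$(dir_group "$dir")
    if user_in_group "$user" "$grp"; then
        echo "$user is already in $grp (owner group of $dir)"
        return 0
    fi
    echo "adding $user to $grp"
    usermod -a -G "$grp" "$user" || return 1
    # A running radiusd keeps the group list it started with; restart it so
    # the ntlm_auth helper it spawns inherits the new membership.
    echo "restart freeradius so the new group membership takes effect"
}

# Usage, as root:
#   ensure_pipe_access freerad /var/run/samba/winbindd_privileged
# Then verify as the service user rather than as root, since that is the
# identity radiusd actually execs ntlm_auth under (challenge/response values
# are placeholders here):
#   su -s /bin/sh freerad -c 'ntlm_auth --request-nt-key --username=wyse1 \
#       --challenge=<hex challenge> --nt-response=<hex nt-response>'
```

Running the manual ntlm_auth check as root, as in the wbinfo test quoted above, succeeds regardless of the pipe's group, which is why it does not reproduce the "Reading winbind reply failed!" error that radiusd sees; the `su` line exercises the same privilege boundary the daemon hits.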