RE: Ntlm_auth how-to

2004-10-08 Thread Øystein Gåsdal
I still can't get this to work...
After configuring samba, I get ntlm_auth to work manually:

[EMAIL PROTECTED] raddb]# ntlm_auth --username=og4 --request-nt-key
--domain=AALESUND
password: 
NT_STATUS_OK: Success (0x0)

But it still does not work via radius:

Exec-Program: /usr/bin/ntlm_auth --request-nt-key --username=AALESUND\\OG4
--challenge=ca836119d50fefab
--nt-response=81c243a7096b1aea98ebf7c171df2d842daf37d69868d220
Exec-Program output: Logon failure (0xc06d)
Exec-Program-Wait: plaintext: Logon failure (0xc06d)
Exec-Program: returned: 1

I can't figure out what's wrong, so I'm attaching both my radius.conf and
the radiusd debug/log file if anyone please could take a look at it?

Thanks,
Øystein

 -----Original Message-----
 From: Alan DeKok [mailto:[EMAIL PROTECTED] 
 Sent: 5. oktober 2004 16:13
 To: [EMAIL PROTECTED]
 Subject: Re: Ntlm_auth how-to 
 
 Øystein Gåsdal [EMAIL PROTECTED] wrote:
  Which brings me back to one of my questions: how on earth does 
  ntlm_auth (or the machine it is running on) know where the 
 nt4 domain 
  is?
 
   Please consult the ntlm_auth documentation to discover how 
 to get it working from the command line.
 
   Once that's set up, it will work from FreeRADIUS.
 
  There must be lots of people out there with ntlm_auth and 
 freeradius 
  working... What did you do?
 
   Followed the ntlm_auth documentation.  It's not included 
 with FreeRADIUS, because ntlm_auth isn't included with FreeRADIUS.
 
  Error 1:
  rlm_realm: Looking up realm AALESUND for User-Name = AALESUND\OG4
  rlm_realm: No such realm AALESUND
 
   Does this break anything?  If not, it's not an error.
 
  Error2:
  Processing the authenticate section of radiusd.conf
  modcall: entering group authenticate for request 19
rlm_eap: Request found, released from the list
rlm_eap: EAP/mschapv2
rlm_eap: processing type mschapv2
Processing the authenticate section of radiusd.conf
  modcall: entering group Auth-Type for request 19
rlm_mschap: No User-Password configured.  Cannot create 
 LM-Password.
rlm_mschap: No User-Password configured.  Cannot create 
 NT-Password.
rlm_mschap: Told to do MS-CHAPv2 for OG4 with NT-Password
  radius_xlat: Running registered xlat function of module mschap for
  string 'Challenge'
   mschap2: b9
 
   If you're using ntlm_auth, I don't see any errors there.
 
  Is this something to worry about, or is it connected with the 
  ntlm_auth problem?
 
   It's just the server telling you what it's doing.  If those 
 messages were errors, then the words error or fail would 
 probably appear in them.
 
   Alan DeKok.
 
 -
 List info/subscribe/unsubscribe? See 
 http://www.freeradius.org/list/users.html
 



radiusfiles.rar
Description: Binary data


Re: Ntlm_auth how-to

2004-10-08 Thread Alan DeKok
Øystein Gåsdal [EMAIL PROTECTED] wrote:
 I still can't get this to work...
 After configuring samba, I get ntlm_auth to work manually:

  Ok...

 But it still does not work via radius:

  Yup.

 I can't figure out what's wrong

  Look at the arguments to the two ntlm_auth commands.  They're
different.  I'll bet that if you made them look the same, then it
would work with FreeRADIUS.

  Try:

  ntlm_auth = /path/to/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --domain=%{mschap:NT-Domain} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}

 so I'm attaching both my radius.conf  and the radiusd debug/log file
...
   filename=radiusfiles.rar

  In a format that few people can use.  Plain text would be better.

  Alan DeKok.
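
The argument comparison suggested in the reply above, as an added example that is not part of the original thread or of FreeRADIUS: it parses the successful manual command and the failing Exec-Program line quoted in the thread and lists where they differ. The function names are hypothetical; the two command lines are copied from the messages above.

```python
import re

# Copied from the thread: the manual run that succeeded and the Exec-Program
# line radiusd logged for the run that failed.
MANUAL = "ntlm_auth --username=og4 --request-nt-key --domain=AALESUND"
EXEC_PROGRAM = (
    "Exec-Program: /usr/bin/ntlm_auth --request-nt-key "
    "--username=AALESUND\\\\OG4 --challenge=ca836119d50fefab "
    "--nt-response=81c243a7096b1aea98ebf7c171df2d842daf37d69868d220"
)
# These stand in for the typed password, so the manual run never has them.
RESPONSE_ONLY = {"challenge", "nt-response"}


def parse_ntlm_auth(line):
    """Return {option: value} for an ntlm_auth command or Exec-Program line."""
    line = re.sub(r"^\s*Exec-Program:\s*", "", line)
    opts = {}
    for token in line.split()[1:]:  # first token is the program path
        if token.startswith("--"):
            name, _, value = token[2:].partition("=")
            opts[name] = value or None
    return opts


def split_account(username):
    """Split DOMAIN\\user (any number of backslashes) into (domain, user)."""
    m = re.fullmatch(r"([^\\]+)\\+([^\\]+)", username or "")
    return (m.group(1), m.group(2)) if m else (None, username)


def diff_invocations(manual_line, radius_line):
    """List argument differences between the working and the failing call."""
    manual, radius = parse_ntlm_auth(manual_line), parse_ntlm_auth(radius_line)
    findings = [f"--{n} only in the manual command"
                for n in sorted(set(manual) - set(radius))]
    findings += [f"--{n} only in the radiusd command"
                 for n in sorted(set(radius) - set(manual) - RESPONSE_ONLY)]
    domain, user = split_account(radius.get("username"))
    if domain is not None:
        findings.append(f"radiusd --username carries a domain prefix: {domain}")
    if user and user != manual.get("username"):
        findings.append(f"user name differs: {user} vs {manual.get('username')}")
    return findings


if __name__ == "__main__":
    print("\n".join(diff_invocations(MANUAL, EXEC_PROGRAM)))
```

Each reported difference is a place where the configured ntlm_auth line in radiusd.conf does not reproduce the command that worked by hand.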



RE: Ntlm_auth how-to

2004-10-05 Thread Øystein Gåsdal
Both in the debug file and when I try manually I get this error:
From radiusd debug:
radius_xlat: Running registered xlat function of module mschap for string
'NT-Response'
radius_xlat:  '/usr/bin/ntlm_auth --request-nt-key --domain=AALESUND
--username=AALESUND\\OG4 --challenge=0d5109a4fd1785c4
--nt-response=a3bf79e07e7fd33d61679996592e2feeffa67b089d394dac'
Exec-Program: /usr/bin/ntlm_auth --request-nt-key --domain=AALESUND
--username=AALESUND\\OG4 --challenge=0d5109a4fd1785c4
--nt-response=a3bf79e07e7fd33d61679996592e2feeffa67b089d394dac
Exec-Program output: NT_STATUS_CANT_ACCESS_DOMAIN_INFO (0xc0da) 
Exec-Program-Wait: plaintext: NT_STATUS_CANT_ACCESS_DOMAIN_INFO (0xc0da)


And manually:
[EMAIL PROTECTED] root]# ntlm_auth --username=AALESUND\OG4 --domain=AALESUND
--request-nt-key
password: 
NT_STATUS_CANT_ACCESS_DOMAIN_INFO: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
(0xc0da)

Which brings me back to one of my questions: how on earth does ntlm_auth (or
the machine it is running on) know where the nt4 domain is?
The only thing that is indicated is what the domain is called, not where it
is.
Where should ntlm_auth send its requests?

There must be lots of people out there with ntlm_auth and freeradius
working... What did you do?

But I have two more errors in the debug that I can't understand... Maybe
someone can explain:

Error 1:
rlm_realm: Looking up realm AALESUND for User-Name = AALESUND\OG4
rlm_realm: No such realm AALESUND

Error2:
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 19
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/mschapv2
  rlm_eap: processing type mschapv2
  Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 19
  rlm_mschap: No User-Password configured.  Cannot create LM-Password.
  rlm_mschap: No User-Password configured.  Cannot create NT-Password.
  rlm_mschap: Told to do MS-CHAPv2 for OG4 with NT-Password
radius_xlat: Running registered xlat function of module mschap for string
'Challenge'
 mschap2: b9

Is this something to worry about, or is it connected with the ntlm_auth
problem?

Thanks!

Øystein Gåsdal
Norway


  The freeradius server is not on the same subnet as the domain 
  controller (NT4), and neither are my clients, and the 
 clients locate 
  the domain controller via WINS.
 
   So?  Can the machine running FreeRADIUS send packets to the 
 domain controller?
 
   Get ntlm_auth working on the command line, by hand, from 
 the machine running FreeRADIUS.  Once that works, it will 
 work in FreeRADIUS, too.
 



Re: Ntlm_auth how-to

2004-10-05 Thread Alan DeKok
Øystein Gåsdal [EMAIL PROTECTED] wrote:
 Which brings me back to one of my questions: how on earth does
 ntlm_auth (or the machine it is running on) know where the nt4
 domain is?

  Please consult the ntlm_auth documentation to discover how to get it
working from the command line.

  Once that's set up, it will work from FreeRADIUS.

 There must be lots of people out there with ntlm_auth and freeradius
 working... What did you do?

  Followed the ntlm_auth documentation.  It's not included with
FreeRADIUS, because ntlm_auth isn't included with FreeRADIUS.

 Error 1:
 rlm_realm: Looking up realm AALESUND for User-Name = AALESUND\OG4
 rlm_realm: No such realm AALESUND

  Does this break anything?  If not, it's not an error.

 Error2:
 Processing the authenticate section of radiusd.conf
 modcall: entering group authenticate for request 19
   rlm_eap: Request found, released from the list
   rlm_eap: EAP/mschapv2
   rlm_eap: processing type mschapv2
   Processing the authenticate section of radiusd.conf
 modcall: entering group Auth-Type for request 19
   rlm_mschap: No User-Password configured.  Cannot create LM-Password.
   rlm_mschap: No User-Password configured.  Cannot create NT-Password.
   rlm_mschap: Told to do MS-CHAPv2 for OG4 with NT-Password
 radius_xlat: Running registered xlat function of module mschap for string
 'Challenge'
  mschap2: b9

  If you're using ntlm_auth, I don't see any errors there.

 Is this something to worry about, or is it connected with the ntlm_auth
 problem?

  It's just the server telling you what it's doing.  If those messages
were errors, then the words error or fail would probably appear in
them.

  Alan DeKok.



RE: Ntlm_auth how-to

2004-10-04 Thread Øystein Gåsdal
Does this mean I don't have to edit the config files for winbindd and nmbd?

The freeradius server is not on the same subnet as the domain controller
(NT4), and neither are my clients, and the clients locate the domain
controller via WINS.

Don't I need to configure the freeradius server with WINS too, then?

Thanks, 
Øystein Gåsdal
 
-----Original Message-----
From: Alan DeKok [mailto:[EMAIL PROTECTED] 
Sent: 1. oktober 2004 16:38
To: [EMAIL PROTECTED]
Subject: Re: Ntlm_auth how-to 

Øystein Gåsdal [EMAIL PROTECTED] wrote:
 Anybody got a step by step guide how to set up freeradius to work with 
 authentication against a nt-domain?

  raddb/radiusd.conf, see ntlm_auth.

  Or, if your users are only using PAP passwords, not MS-CHAP, see
rlm_smb, and experimental.conf.  It should take only a few minutes to
set up rlm_smb, it's pretty simple.

 It seems to me that it should be enough just to un-comment a few lines 
 in radiusd.conf, and provide the domain name, but how does the 
 freeradius server know *where* to find the domain, for example?

  It's often in the User-Name attribute.

 I will provide debug logs and everything if anyone is willing to help 
 (or maybe anyone has already written a guide for this? :)

  There are very few guides for the server.  Most configuration is
documented in the configuration files, leaving the administrator to figure
it out for himself.

  Alan DeKok.




Re: Ntlm_auth how-to

2004-10-04 Thread Alan DeKok
Øystein Gåsdal [EMAIL PROTECTED] wrote:
 Does this mean I don't have to edit the config files for winbindd and
 nmbd?

  I have no idea.

 The freeradius server is not on the same subnet as the domain
 controller (NT4), and neither are my clients, and the clients locate
 the domain controller via WINS.

  So?  Can the machine running FreeRADIUS send packets to the domain
controller?

  Get ntlm_auth working on the command line, by hand, from the machine
running FreeRADIUS.  Once that works, it will work in FreeRADIUS, too.

 Don't I need to configure the freeradius server with WINS too, then?

  No.

  Alan DeKok.




Ntlm_auth how-to

2004-10-01 Thread Øystein Gåsdal
Anybody got a step by step guide how to set up freeradius to work with
authentication against a nt-domain?
I have set up freeradius to work with authentication against the users file,
and that works fine, but now I wanted to test it against a NT-domain (that's
what I really need it for)

It seems to me that it should be enough just to un-comment a few lines in
radiusd.conf, and provide the domain name, but how does the freeradius
server know *where* to find the domain, for example?

I will provide debug logs and everything if anyone is willing to help (or
maybe anyone has already written a guide for this? :)

Thanks,
Øystein Gåsdal
Norway



Re: Ntlm_auth how-to

2004-10-01 Thread Alan DeKok
Øystein Gåsdal [EMAIL PROTECTED] wrote:
 Anybody got a step by step guide how to set up freeradius to work with
 authentication against a nt-domain?

  raddb/radiusd.conf, see ntlm_auth.

  Or, if your users are only using PAP passwords, not MS-CHAP, see
rlm_smb, and experimental.conf.  It should take only a few minutes
to set up rlm_smb, it's pretty simple.

 It seems to me that it should be enough just to un-comment a few
 lines in radiusd.conf, and provide the domain name, but how does
 the freeradius server know *where* to find the domain, for example?

  It's often in the User-Name attribute.

 I will provide debug logs and everything if anyone is willing to help
 (or maybe anyone has already written a guide for this? :)

  There are very few guides for the server.  Most configuration is
documented in the configuration files, leaving the administrator to
figure it out for himself.

  Alan DeKok.

