RE: freeradius + ntlm_auth, broken? SOLVED!

2012-03-10 Thread Andres Septer

So I finally got the idea what's wrong. There were missing permissions.
I tried to run ntlm_auth under the radiusd user and got the same error as in the logs.
 Reading winbind reply failed! (0xc001)
Adding radiusd to the winbind group solved the problem.

A.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: freeradius + ntlm_auth, broken?

2012-03-10 Thread Andres Septer

OK, I found out at least one mistake I made: when using the command line
grabbed from strace output, I forgot to remove the commas.
So, this line gives

/usr/bin/ntlm_auth "--request-nt-key", "--username=freeradius.test", 
"--domain=LOCAL", "--challenge=0x7c68b9721c3a0b46", 
"--nt-response=13e96b497efab1bd69bfdcb845393f54e1cd4d71aa7e604a"
Logon failure (0xc06d)

And corrected command line gives

/usr/bin/ntlm_auth --request-nt-key --username=freeradius.test --domain=LOCAL 
--challenge=0x7c68b9721c3a0b46 
--nt-response=13e96b497efab1bd69bfdcb845393f54e1cd4d71aa7e604a
NT_KEY: 9BBCFC30D5E235BBEC00B013372B14E4

Which is, I suppose, the correct answer.
Why it does not work inside freeradius still remains a mystery to me.

A.



RE: freeradius + ntlm_auth, broken?

2012-03-10 Thread Andres Septer

> which version of samba are you running?  versions 3.2 - 3.5 have b0rked
> return things - fixed in latest 3.6 - on the command line things work okay
> but when a program is using the return values they are wrong  (or something
> to that effect. can't recall all the details) but the recommendation is
> 3.0.x (RHEL5 classic) or 3.6 (new distro).  the mailing list logs are
> filled with previous discussion.

I have samba 3.6.1 

I would like to read previous discussions but google search returns broken
links (404).
https://www.google.com/search?q=ntlm_auth%20site%3Ahttp%3A%2F%2Flists.freeradius.org%2Fpipermail%2Ffreeradius-users%2F&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:et:official&client=firefox-a&source=hp&channel=np

A.



Re: freeradius + ntlm_auth, broken?

2012-03-09 Thread Phil Mayers

On 03/08/2012 05:09 PM, Andres Septer wrote:

>> Check the winbind log files,
>
> Did that already. Nothing interesting there, only lines like
> [2012/03/08 14:32:17.115991,  3]
> winbindd/winbindd_misc.c:417(winbindd_priv_pipe_dir)
>    [25675]: request location of privileged pipe
> [2012/03/08 14:32:17.117136,  6]
> winbindd/winbindd.c:840(winbind_client_request_read)
>    closing socket 26, client exited
>
>> and perhaps try using "strace -f -p  -o log" to
>> watch process execution.
>
> I already did that to get the command line. When I run that line manually
> I get "login failed". I try to figure out how to capture actual ntlm_auth
> output from within freerad process. Also, where freeradius gets the values
> for parameters
>   MS-CHAP-Challenge = 0xd50bd065d4215da9
>  MS-CHAP-Response =
> 0x00011e7c77d05691cb2822a6670bf0b458e251c4ef170a2c2fff
> ?
> Those seem to be wrong. When I use them manually from command line I get
> "login failed"

If you mean you're taking the value of the challenge & response and 
passing them straight to ntlm_auth, you can't do that; it doesn't work. 
There is intermediate processing that is done before calling ntlm_auth.


Maybe the client is broken, but maybe not. What is the client?
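
The intermediate processing mentioned in the reply above, as an added example (not part of the original post and not FreeRADIUS code): per RFC 2548 the NT response is the last 24 bytes of the 50-byte response attribute, and for MS-CHAPv2 the 8-byte challenge is the RFC 2759 ChallengeHash. The function name is chosen here for illustration, and the sample values are the RFC 2759 section 9.2 test vector packed into the attribute layout by hand.

```python
import hashlib

def _unhex(value: str) -> bytes:
    """Accept RADIUS debug notation with or without the 0x prefix."""
    return bytes.fromhex(value[2:] if value.lower().startswith("0x") else value)

def ntlm_auth_inputs(user_name: str, challenge: str, response: str):
    """Return (challenge_hex, nt_response_hex) in the form ntlm_auth expects.

    challenge: MS-CHAP-Challenge attribute (8 bytes = v1, 16 bytes = v2)
    response:  MS-CHAP-Response or MS-CHAP2-Response attribute (50 bytes)
    """
    chal, resp = _unhex(challenge), _unhex(response)
    if len(resp) != 50:
        raise ValueError(f"response attribute must be 50 bytes, got {len(resp)}")
    # Both layouts start Ident(1) Flags(1) and end with the 24-byte NT response.
    nt_response = resp[26:50]
    if len(chal) == 8:
        # MS-CHAPv1: Ident, Flags, LM-Response(24), NT-Response(24);
        # the challenge is passed on unchanged.
        ntlm_challenge = chal
    elif len(chal) == 16:
        # MS-CHAPv2: Ident, Flags, Peer-Challenge(16), Reserved(8), Response(24).
        # ChallengeHash = first 8 bytes of SHA1(peer || authenticator || user).
        peer_challenge = resp[2:18]
        # Assumption: a "DOMAIN\" prefix is not part of the hashed user name.
        bare_user = user_name.rsplit("\\", 1)[-1]
        digest = hashlib.sha1(peer_challenge + chal + bare_user.encode("ascii"))
        ntlm_challenge = digest.digest()[:8]
    else:
        raise ValueError(f"challenge must be 8 or 16 bytes, got {len(chal)}")
    return ntlm_challenge.hex(), nt_response.hex()

# Sample input: RFC 2759 section 9.2 test vector (user name "User"), with
# Ident and Flags set to zero when building the attribute for this example.
AUTH_CHALLENGE = "0x5b5d7c7d7b3f2f3e3c2c602132262628"
PEER_CHALLENGE = "21402324255e262a28295f2b3a337c7e"
NT_RESPONSE = "82309ecd8d708b5ea08faa3981cd83544233114a3d85d6df"
MSCHAP2_RESPONSE = "0x0000" + PEER_CHALLENGE + "00" * 8 + NT_RESPONSE

if __name__ == "__main__":
    chal, nt = ntlm_auth_inputs("User", AUTH_CHALLENGE, MSCHAP2_RESPONSE)
    print(f"--challenge={chal} --nt-response={nt}")
```

A response value shorter than 50 bytes, such as the 26-byte one pasted from the debug output in this thread, is rejected rather than sliced, since the NT response would be missing.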


Re: freeradius + ntlm_auth, broken?

2012-03-08 Thread Alan Buxey
Hi,
> 
> > Check the winbind log files, 
> 
> Did that already. Nothing interesting there, only lines like
> [2012/03/08 14:32:17.115991,  3] 
> winbindd/winbindd_misc.c:417(winbindd_priv_pipe_dir)
>   [25675]: request location of privileged pipe
> [2012/03/08 14:32:17.117136,  6] 
> winbindd/winbindd.c:840(winbind_client_request_read)
>   closing socket 26, client exited
> 
> > and perhaps try using "strace -f -p  -o log" to 
> > watch process execution.
> 
> I already did that to get the command line. When I run that line manually
> I get "login failed". I try to figure out how to capture actual ntlm_auth
> output from within freerad process. Also, where freeradius gets the values
> for parameters
>  MS-CHAP-Challenge = 0xd50bd065d4215da9
> MS-CHAP-Response =
> 0x00011e7c77d05691cb2822a6670bf0b458e251c4ef170a2c2fff
> ?
> Those seem to be wrong. When I use them manually from command line I get
> "login failed"

which version of samba are you running?  versions 3.2 - 3.5 have b0rked
return things - fixed in latest 3.6 - on the command line things work okay
but when a program is using the return values they are wrong  (or something
to that effect. can't recall all the details) but the recommendation is
3.0.x (RHEL5 classic) or 3.6 (new distro).  the mailing list logs are
filled with previous discussion.

alan


RE: freeradius + ntlm_auth, broken?

2012-03-08 Thread Andres Septer

> Check the winbind log files, 

Did that already. Nothing interesting there, only lines like
[2012/03/08 14:32:17.115991,  3] 
winbindd/winbindd_misc.c:417(winbindd_priv_pipe_dir)
  [25675]: request location of privileged pipe
[2012/03/08 14:32:17.117136,  6] 
winbindd/winbindd.c:840(winbind_client_request_read)
  closing socket 26, client exited

> and perhaps try using "strace -f -p  -o log" to 
> watch process execution.

I already did that to get the command line. When I run that line manually
I get "login failed". I try to figure out how to capture actual ntlm_auth
output from within freerad process. Also, where freeradius gets the values
for parameters
 MS-CHAP-Challenge = 0xd50bd065d4215da9
MS-CHAP-Response =
0x00011e7c77d05691cb2822a6670bf0b458e251c4ef170a2c2fff
?
Those seem to be wrong. When I use them manually from command line I get
"login failed"

A.



Re: freeradius + ntlm_auth, broken?

2012-03-08 Thread Phil Mayers

On 08/03/12 11:56, Andres Septer wrote:


> --nt-response=13e96b497efab1bd69bfdcb845393f54e1cd4d71aa7e604a
> Thu Mar 8 13:42:03 2012 : Debug: Exec-Program output: Reading winbind
> reply failed! (0xc001)


Weird. It looks a bit like ntlm_auth failed completely here.

Check for permissions, SELinux settings, and so on. Check the winbind 
log files, and perhaps try using "strace -f -p  -o log" to 
watch process execution.



Re: freeradius & ntlm_auth

2005-04-22 Thread Sylvain Clerc
I finally resolved this problem by deleting the mschap section and
rewriting it. I don't understand why, but it works!!

Thank you for your help :)



Re: freeradius & ntlm_auth

2005-04-21 Thread Sylvain Clerc
On 4/21/05, Luis Daniel Lucio Quiroz <[EMAIL PROTECTED]> wrote:
> I have just configured freeradius with ntlm, but I don't understand your
> problem. Can I help you?

I've just found the real problem. I'm stupid, I didn't think to read
the log of the server when it boots before, but I found that the server
doesn't take care of what I put in the mschap section, for example:

my ms-chap module :

mschap {
   authtype = MS-CHAP
   use_mppe = yes
   require_encryption = yes
   require_strong = yes
   with_ntdomain_hack = yes
   ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
   --username=%{Stripped-User-Name:-%{User-Name:-None}}
   --domain=mslab
   --challenge=%{mschap:Challenge:-00}
   --nt-response=%{mschap:NT-Response:-00}"
   }

and when I read the server logs : 

Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: with_ntdomain_hack = no
mschap: passwd = "(null)"
mschap: authtype = "MS-CHAP"
mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)

In fact, I can write anything in my mschap module, nothing is
applied, whereas the other sections work normally!!!

If you have an idea about the problem, please tell me because I don't
know what I can do to stop it.

Thanks.



Re: freeradius & ntlm_auth

2005-04-21 Thread Luis Daniel Lucio Quiroz
I have just configured freeradius with ntlm, but I don't understand your
problem. Can I help you?

On Thursday 21 April 2005 12:22, Alan DeKok wrote:
> Sylvain Clerc <[EMAIL PROTECTED]> wrote:
> > So, I read all of the debugging output and I found that mschap failed
> > to find an NT/LM password and stopped the real authentication at this
> > moment.
>
>   Yes, but it also failed to find a User-Password.
>
>   If you don't tell the server what password to use for
> authentication, it can't authenticate the user.
>
>   For some reason, it's not running ntlm_auth.  I don't know why.
>
>   Alan DeKok.



Re: freeradius & ntlm_auth

2005-04-21 Thread Alan DeKok
Sylvain Clerc <[EMAIL PROTECTED]> wrote:
> So, I read all of the debugging output and I found that mschap failed
> to find an NT/LM password and stopped the real authentication at this
> moment.

  Yes, but it also failed to find a User-Password.

  If you don't tell the server what password to use for
authentication, it can't authenticate the user.

  For some reason, it's not running ntlm_auth.  I don't know why.

  Alan DeKok.




Re: freeradius & ntlm_auth

2005-04-20 Thread Sylvain Clerc
So, I read all of the debugging output and I found that mschap failed
to find an NT/LM password and stopped the real authentication at this
moment.

Do you know what the problem is? I think freeradius can't find active
directory but it works when I only use the ntlm_auth command so I
don't understand.


I put my mschap section and a part of the freeradius logs if it can help you.

mschap {
authtype = MS-CHAP
#use_mppe = no
#require_encryption = yes
#require_strong = yes
#with_ntdomain_hack = no
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key 
--username=%{Stripped-User-Name:-%{User-Name:-None}} 
--domain=mslab 
--challenge=%{mschap:Challenge:-00} 
--nt-response=%{mschap:NT-Response:-00}"
}


  rlm_eap: Request found, released from the list
  rlm_eap: EAP/mschapv2
  rlm_eap: processing type mschapv2
  Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 236
  rlm_mschap: No User-Password configured.  Cannot create LM-Password.
  rlm_mschap: No User-Password configured.  Cannot create NT-Password.
  rlm_mschap: Told to do MS-CHAPv2 for clerk with NT-Password
  rlm_mschap: FAILED: No NT/LM-Password.  Cannot perform authentication.
  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
  modcall[authenticate]: module "mschap" returns reject for request



Re: freeradius & ntlm_auth

2005-04-19 Thread Alan DeKok
Sylvain Clerc <[EMAIL PROTECTED]> wrote:
> //The problem is here, if the user is in the users file, the following
> line is "Success" but here...
> rlm_eap_peap: Had sent TLV failure, rejecting.

  Please read ALL of the debugging output.

  Alan DeKok.
