Trouble authenticating against samba 4 DC

Trouble authenticating against samba 4 DC

Hugo Thebas
Hello, I've just set up a DC controller using samba 4 on Debian 9 and
FreeRADIUS 3

root@dc:~# samba -V
Version 4.5.8-Debian

root@dc:~# uname -a
Linux dc 4.9.0-3-amd64 #1 SMP Debian 4.9.30-2+deb9u2 (2017-06-26) x86_64
GNU/Linux

root@dc:~# freeradius -v
radiusd: FreeRADIUS Version 3.0.12, for host x86_64-pc-linux-gnu, built
on May 30 2017 at 15:18:34

Samba DC is running OK, I can authenticate against it using ntlm_auth

root@dc:~# ntlm_auth --request-nt-key --domain=CCBPINHAIS
--username=teste-login --password=Thebas@1234
NT_STATUS_OK: Success (0x0)

I've followed the setup tutorial at:
http://deployingradius.com/documents/configuration/active_directory.html 
and everything works fine until the part where I set up mschap. The test
using the config "DEFAULT     Auth-Type = ntlm_auth" in the users file is
OK, but when I remove the test config and set up mschap I can't
authenticate. I'll post the debug log below and would appreciate it if
anyone can help me.

First the output using test config:

root@dc:~# radtest teste-login Thebas@1234 localhost 0 testing123
Sent Access-Request Id 152 from 0.0.0.0:59761 to 127.0.0.1:1812 length 81
     User-Name = "teste-login"
     User-Password = "Thebas@1234"
     NAS-IP-Address = 172.16.100.254
     NAS-Port = 0
     Message-Authenticator = 0x00
     Cleartext-Password = "Thebas@1234"
Received Access-Accept Id 152 from 127.0.0.1:1812 to 0.0.0.0:0 length 20

Now removing the test config and using mschap:

root@dc:~# radtest -t mschap teste-login Thebas@1234 localhost 0 testing123
Sent Access-Request Id 41 from 0.0.0.0:41126 to 127.0.0.1:1812 length 137
     User-Name = "teste-login"
     MS-CHAP-Password = "Thebas@1234"
     NAS-IP-Address = 172.16.100.254
     NAS-Port = 0
     Message-Authenticator = 0x00
     Cleartext-Password = "Thebas@1234"
     MS-CHAP-Challenge = 0x5c2a896e7b319f2f
     MS-CHAP-Response =
0x000100000000000000000000000000000000000000000000000073a248201d2f5611be653fd75e48b46b9e08d049cb60122d
Received Access-Reject Id 41 from 127.0.0.1:1812 to 0.0.0.0:0 length 61
     MS-CHAP-Error = "\000E=691 R=1 C=81c1063947fe901b V=2"
(0) -: Expected Access-Accept got Access-Reject


Below is the debug log:

(0) Received Access-Request Id 41 from 127.0.0.1:41126 to 127.0.0.1:1812
length 137
(0)   User-Name = "teste-login"
(0)   NAS-IP-Address = 172.16.100.254
(0)   NAS-Port = 0
(0)   Message-Authenticator = 0x97d3daecfc41cd5c63cca87fcae738c8
(0)   MS-CHAP-Challenge = 0x5c2a896e7b319f2f
(0)   MS-CHAP-Response =
0x000100000000000000000000000000000000000000000000000073a248201d2f5611be653fd75e48b46b9e08d049cb60122d
(0) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(0)   authorize {
(0)     policy filter_username {
(0)       if (&User-Name) {
(0)       if (&User-Name)  -> TRUE
(0)       if (&User-Name)  {
(0)         if (&User-Name =~ / /) {
(0)         if (&User-Name =~ / /)  -> FALSE
(0)         if (&User-Name =~ /@[^@]*@/ ) {
(0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(0)         if (&User-Name =~ /\.\./ ) {
(0)         if (&User-Name =~ /\.\./ )  -> FALSE
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  
-> FALSE
(0)         if (&User-Name =~ /\.$/)  {
(0)         if (&User-Name =~ /\.$/)   -> FALSE
(0)         if (&User-Name =~ /@\./)  {
(0)         if (&User-Name =~ /@\./)   -> FALSE
(0)       } # if (&User-Name)  = notfound
(0)     } # policy filter_username = notfound
(0)     [preprocess] = ok
(0)     [chap] = noop
(0) mschap: Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
(0)     [mschap] = ok
(0)     [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "teste-login", looking up realm NULL
(0) suffix: No such realm "NULL"
(0)     [suffix] = noop
(0) eap: No EAP-Message, not doing EAP
(0)     [eap] = noop
(0)     [files] = noop
(0)     [expiration] = noop
(0)     [logintime] = noop
(0) pap: WARNING: No "known good" password found for the user. Not
setting Auth-Type
(0) pap: WARNING: Authentication will fail unless a "known good"
password is available
(0)     [pap] = noop
(0)   } # authorize = ok
(0) Found Auth-Type = mschap
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0)   authenticate {
(0) mschap: Client is using MS-CHAPv1 with NT-Password
(0) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key
--username=%{mschap:User-Name:-None}
--domain=%{%{mschap:NT-Domain}:-CCBPINHAIS}
--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}:
(0) mschap: EXPAND --username=%{mschap:User-Name:-None}
(0) mschap:    --> --username=teste-login
(0) mschap: ERROR: No NT-Domain was found in the User-Name
(0) mschap: EXPAND --domain=%{%{mschap:NT-Domain}:-CCBPINHAIS}
(0) mschap:    --> --domain=CCBPINHAIS
(0) mschap: mschap1: 5c
(0) mschap: EXPAND --challenge=%{mschap:Challenge:-00}
(0) mschap:    --> --challenge=5c2a896e7b319f2f
(0) mschap: EXPAND --nt-response=%{mschap:NT-Response:-00}
(0) mschap:    -->
--nt-response=73a248201d2f5611be653fd75e48b46b9e08d049cb60122d
(0) mschap: ERROR: Program returned code (1) and output 'Logon failure
(0xc000006d)'
(0) mschap: External script failed
(0) mschap: ERROR: External script says: Logon failure (0xc000006d)
(0) mschap: ERROR: MS-CHAP2-Response is incorrect
(0)     [mschap] = reject
(0)   } # authenticate = reject
(0) Failed to authenticate the user
(0) Using Post-Auth-Type Reject
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0)   Post-Auth-Type REJECT {
(0) attr_filter.access_reject: EXPAND %{User-Name}
(0) attr_filter.access_reject:    --> teste-login
(0) attr_filter.access_reject: Matched entry DEFAULT at line 11
(0)     [attr_filter.access_reject] = updated
(0)     [eap] = noop
(0)     policy remove_reply_message_if_eap {
(0)       if (&reply:EAP-Message && &reply:Reply-Message) {
(0)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(0)       else {
(0)         [noop] = noop
(0)       } # else = noop
(0)     } # policy remove_reply_message_if_eap = noop
(0)   } # Post-Auth-Type REJECT = updated
(0) Delaying response for 1.000000 seconds
Waking up in 0.2 seconds.
Waking up in 0.7 seconds.
(0) Sending delayed response
(0) Sent Access-Reject Id 41 from 127.0.0.1:1812 to 127.0.0.1:41126
length 61
(0)   MS-CHAP-Error = "\000E=691 R=1 C=81c1063947fe901b V=2"
Waking up in 3.9 seconds.
(0) Cleaning up request packet ID 41 with timestamp +4


Stripping the debug log, the error lines are:

(0) mschap: ERROR: No NT-Domain was found in the User-Name
...
(0) mschap: ERROR: Program returned code (1) and output 'Logon failure
(0xc000006d)'
(0) mschap: External script failed
(0) mschap: ERROR: External script says: Logon failure (0xc000006d)
(0) mschap: ERROR: MS-CHAP2-Response is incorrect
(0)     [mschap] = reject

I think the problem has something to do with that last error about
MS-CHAP2-Response, but I don't have a clue what it could be. I also
noticed that radtest sent an MS-CHAPv1 auth request, is that OK?

Thank you very much.




Best Regards,
Hugo Thebas
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
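As an added illustration, not part of Hugo's post and not FreeRADIUS or Samba code, here is a small Python script that decodes the two MS-CHAP attributes seen in the radtest output and pulls the decisive facts out of the debug log: which MS-CHAP version the client used, whether the domain came from the User-Name or from the configured default, the arguments FreeRADIUS expanded for ntlm_auth, and the NT status code the DC returned. The sample inputs are the values from this thread (the wrapped debug lines are joined back together); the E= error codes are those of RFC 2433 section 6 and the MS-CHAP-Response layout is from RFC 2548; the NT status names are the standard Windows ones; the function names are my own.

```python
import re
from typing import Dict, List

# Error codes carried in the E= field of MS-CHAP-Error (RFC 2433 section 6,
# reused unchanged by MS-CHAPv2 in RFC 2759).
MSCHAP_ERROR_CODES = {
    646: "ERROR_RESTRICTED_LOGON_HOURS",
    647: "ERROR_ACCT_DISABLED",
    648: "ERROR_PASSWD_EXPIRED",
    649: "ERROR_NO_DIALIN_PERMISSION",
    691: "ERROR_AUTHENTICATION_FAILURE",
    709: "ERROR_CHANGING_PASSWORD",
}

# NT status codes ntlm_auth echoes back from the DC.  A network logon that
# fails because the account is unknown or the password is wrong comes back
# as the generic STATUS_LOGON_FAILURE, so the DC's answer alone does not
# tell the two apart.
NT_STATUS = {
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC000006F: "STATUS_INVALID_LOGON_HOURS",
    0xC0000071: "STATUS_PASSWORD_EXPIRED",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}


def parse_mschap_response(value: str) -> Dict[str, object]:
    """Split a RADIUS MS-CHAP-Response attribute (RFC 2548 section 2.1.3).

    Layout: Ident (1) | Flags (1) | LM-Response (24) | NT-Response (24),
    50 bytes in all.  Flags bit 0 set means the NT-Response is the one to
    verify; FreeRADIUS passes exactly that field to ntlm_auth --nt-response.
    """
    raw = bytes.fromhex(value[2:] if value.startswith("0x") else value)
    if len(raw) != 50:
        raise ValueError(f"MS-CHAP-Response must be 50 bytes, got {len(raw)}")
    return {
        "ident": raw[0],
        "flags": raw[1],
        "use_nt_response": bool(raw[1] & 0x01),
        "lm_response": raw[2:26].hex(),
        "nt_response": raw[26:50].hex(),
    }


def parse_mschap_error(value: str) -> Dict[str, object]:
    """Decode an MS-CHAP-Error value such as "\\000E=691 R=1 C=81c1... V=2".

    Byte 0 is the Ident of the response being rejected; the rest is the
    "E=eee R=b C=ccc V=v [M=msg]" text of RFC 2433 section 6.  FreeRADIUS
    prints the Ident byte as the octal escape \\000, which is accepted too.
    V=2 is MS-CHAPv1 (8-byte challenge); V=3 is MS-CHAPv2 (16-byte).
    """
    if value.startswith("\\000"):
        value = "\x00" + value[4:]
    ident, text = value[0], value[1:]
    m = re.match(r"E=(\d+)\s+R=([01])\s+C=([0-9a-fA-F]+)\s+V=(\d+)(?:\s+M=(.*))?$", text)
    if not m:
        raise ValueError("MS-CHAP-Error is not in E=/R=/C=/V= form")
    code, retry, chal, ver, msg = m.groups()
    chal_len = len(bytes.fromhex(chal))
    expected = {2: 8, 3: 16}.get(int(ver))
    if expected is not None and chal_len != expected:
        raise ValueError(f"V={ver} implies a {expected}-byte challenge, got {chal_len}")
    return {
        "ident": ord(ident),
        "error": int(code),
        "error_name": MSCHAP_ERROR_CODES.get(int(code), "UNKNOWN"),
        "retry_allowed": retry == "1",
        "new_challenge": chal.lower(),
        "version": int(ver),
        "message": msg,
    }


def diagnose(debug_lines: List[str]) -> Dict[str, object]:
    """Extract from FreeRADIUS -X output the facts that decide an mschap reject."""
    out: Dict[str, object] = {
        "mschap_version": None,
        "domain_from_username": True,   # False when the configured default was used
        "ntlm_auth_args": {},
        "nt_status": None,
        "nt_status_name": None,
    }
    for line in debug_lines:
        m = re.search(r"Client is using (MS-CHAPv[12])", line)
        if m:
            out["mschap_version"] = m.group(1)
        if "No NT-Domain was found in the User-Name" in line:
            out["domain_from_username"] = False
        m = re.search(r"-->\s+--([\w-]+)=(\S+)", line)   # expanded ntlm_auth argument
        if m:
            out["ntlm_auth_args"][m.group(1)] = m.group(2)
        m = re.search(r"\(0x([0-9a-fA-F]{8})\)", line)   # NT status in script output
        if m and out["nt_status"] is None:
            code = int(m.group(1), 16)
            out["nt_status"] = code
            out["nt_status_name"] = NT_STATUS.get(code, "UNKNOWN")
    return out


def nt_response_forwarded(debug_lines: List[str], response_attr: str) -> bool:
    """True when the NT-Response handed to ntlm_auth is the field the client
    sent, i.e. the reject was decided by the DC rather than by attribute parsing."""
    args = diagnose(debug_lines)["ntlm_auth_args"]
    return args.get("nt-response") == parse_mschap_response(response_attr)["nt_response"]


# Sample input taken from the radtest run and debug log in this thread.
SAMPLE_RESPONSE = "0x000100000000000000000000000000000000000000000000000073a248201d2f5611be653fd75e48b46b9e08d049cb60122d"
SAMPLE_ERROR = r"\000E=691 R=1 C=81c1063947fe901b V=2"
SAMPLE_DEBUG = [
    "(0) mschap: Client is using MS-CHAPv1 with NT-Password",
    "(0) mschap:    --> --username=teste-login",
    "(0) mschap: ERROR: No NT-Domain was found in the User-Name",
    "(0) mschap:    --> --domain=CCBPINHAIS",
    "(0) mschap:    --> --challenge=5c2a896e7b319f2f",
    "(0) mschap:    --> --nt-response=73a248201d2f5611be653fd75e48b46b9e08d049cb60122d",
    "(0) mschap: ERROR: External script says: Logon failure (0xc000006d)",
    "(0) mschap: ERROR: MS-CHAP2-Response is incorrect",
]

if __name__ == "__main__":
    print(parse_mschap_response(SAMPLE_RESPONSE))
    print(parse_mschap_error(SAMPLE_ERROR))
    print(diagnose(SAMPLE_DEBUG))
    print("NT-Response forwarded intact:", nt_response_forwarded(SAMPLE_DEBUG, SAMPLE_RESPONSE))
```

Run on the thread's values it confirms that radtest sent an MS-CHAPv1 response with the NT-Response flag set, that FreeRADIUS forwarded that NT-Response and the 8-byte challenge unchanged to ntlm_auth, that the domain came from the module's default because the User-Name carried none, and that the DC answered STATUS_LOGON_FAILURE, the generic code for "unknown user or wrong password"; the MS-CHAP-Error E=691 in the reject is the RADIUS-side rendering of that same result.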
Re: Trouble authenticating against samba 4 DC

Alan DeKok-2
On Aug 3, 2017, at 9:51 PM, Hugo Thebas <[hidden email]> wrote:
>
> I've followed the setup tutorial at: http://deployingradius.com/documents/configuration/active_directory.html and everything works fine until the part where I set up mschap, the test using the config "DEFAULT     Auth-Type = ntlm_auth" in the users file is OK, but when I remove the test config and set up mschap I can't authenticate, I'll post the debug log below and appreciate it if anyone can help me.
>
> First the output using test config:
>
> root@dc:~# radtest teste-login Thebas@1234 localhost 0 testing123

  That's good.

> Now removing the test config and using mschap:
>
> root@dc:~# radtest -t mschap teste-login Thebas@1234 localhost 0 testing123
> Sent Access-Request Id 41 from 0.0.0.0:41126 to 127.0.0.1:1812 length 137
>    User-Name = "testa-login"

  Is that a valid username / domain at the AD server?
...

> (0) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-CCBPINHAIS} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}:
> (0) mschap: EXPAND --username=%{mschap:User-Name:-None}
> (0) mschap:    --> --username=teste-login
> (0) mschap: ERROR: No NT-Domain was found in the User-Name
> (0) mschap: EXPAND --domain=%{%{mschap:NT-Domain}:-CCBPINHAIS}
> (0) mschap:    --> --domain=CCBPINHAIS
> (0) mschap: mschap1: 5c
> (0) mschap: EXPAND --challenge=%{mschap:Challenge:-00}
> (0) mschap:    --> --challenge=5c2a896e7b319f2f
> (0) mschap: EXPAND --nt-response=%{mschap:NT-Response:-00}
> (0) mschap:    --> --nt-response=73a248201d2f5611be653fd75e48b46b9e08d049cb60122d
> (0) mschap: ERROR: Program returned code (1) and output 'Logon failure (0xc000006d)'
> (0) mschap: External script failed

  You can run the ntlm_auth program manually to see what parameters are required.  In this case, it looks like either the username doesn't exist at that domain, or the password is wrong.

  We can't help you fix those errors.  The purpose of the guide is to take you step by step through the process, so that you can see exactly when it goes from "working" to "not working".  The thing that changes is the source of the problem.

  In this case, AD is returning "logon failure".  That means the user is unknown, or the user is known but the password is wrong.  You need to send FreeRADIUS the correct name / domain / password for it to work.

  Alan DeKok.

