query mschap with ntlm_auth samba4


query mschap with ntlm_auth samba4

Nicolás Lopiano
  Hello! Sorry for the inconvenience.
I have been looking for information for a long time and could not find how to
solve the problem I am running into.
My scenario is a VM with freeradius 3.0.17 joined to a samba4 domain with
sssd, samba version 4.9.5-Debian.
I need to get mschap to work via ntlm_auth. When making the query with
ntlm_auth I have no problem and it works. But when making the query using
mschap it gives me the following error:

Wed Apr 7 11:06:35 2021: ERROR: (3) mschap: Program returned code (1) and
output 'The attempted logon is invalid. This is either due to a bad
username or authentication information. (0xc000006d) '
Wed Apr 7 11:06:35 2021: Debug: (3) mschap: External script failed
Wed Apr 7 11:06:35 2021: ERROR: (3) mschap: External script says: The
attempted logon is invalid. This is either due to a bad username or
authentication information. (0xc000006d)
Wed Apr 7 11:06:35 2021: ERROR: (3) mschap: MS-CHAP2-Response is incorrect

Next I paste my config files:

cat /etc/samba/smb.conf
[global]
    workgroup = DOMAIN
    netbios name = RADIUS
    realm = DOMAIN
    security = ads
    password server = DC.DOMAIN
    ntlm auth = mschapv2-and-ntlmv2-only
    winbind use default domain = no

/etc/freeradius/3.0/sites-enabled/default

authorize {
        chap
        mschap
        preprocess
        suffix
        eap {
                ok = return
                updated = return
        }
        ldap
        expiration
        logintime
}

authenticate {
        Auth-Type MS-CHAP {
                mschap
        }

        Auth-Type ntlm_auth {
                ntlm_auth
        }

        Auth-Type eap {
                eap {
                        handled = 1
                }
                if (handled && (Response-Packet-Type == Access-Challenge)) {
                        attr_filter.access_challenge.post-auth
                        handled # override the "updated" code from attr_filter
                }
        }
}

/etc/freeradius/3.0/mods-enabled/mschap

mschap {
        with_ntdomain_hack = yes

        ntlm_auth = "/usr/bin/ntlm_auth --allow-mschapv2 --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --domain=%{%{mschap:NT-Domain}:-MYDOMAIN} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"

        pool {
                start = ${thread[pool].start_servers}
                min = ${thread[pool].min_spare_servers}
                max = ${thread[pool].max_servers}
                spare = ${thread[pool].max_spare_servers}
                uses = 0
                retry_delay = 30
                lifetime = 86400
                cleanup_interval = 300
                idle_timeout = 600
        }
}



I have tried several clients to check the service: eapol_test and also
radtest -t mschap.

I can't find what the problem is.

Any suggestions? Thanks a lot!

Greetings.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: query mschap with ntlm_auth samba4

Alan DeKok-2
On Apr 7, 2021, at 11:42 AM, Nicolás Lopiano <[hidden email]> wrote:
> I have been looking for information for a long time and could not find how to
> solve the problem I am running into.
> My scenario is a VM with freeradius 3.0.17 joined to a samba4 domain with
> sssd, samba version 4.9.5-Debian.
> I need to get mschap to work via ntlm_auth. When making the query with
> ntlm_auth I have no problem and it works.

  Doing *what* query with ntlm_auth?  This matters.

  Doing a query with clear-text passwords isn't the same as doing it with MS-CHAP.

> But when making the query using
> mschap it gives me the following error:
>
> Wed Apr 7 11:06:35 2021: ERROR: (3) mschap: Program returned code (1) and
> output 'The attempted logon is invalid. This is either due to a bad
> username or authentication information. (0xc000006d) '
> Wed Apr 7 11:06:35 2021: Debug: (3) mschap: External script failed
> Wed Apr 7 11:06:35 2021: ERROR: (3) mschap: External script says: The
> attempted logon is invalid. This is either due to a bad username or
> authentication information. (0xc000006d)
> Wed Apr 7 11:06:35 2021: ERROR: (3) mschap: MS-CHAP2-Response is incorrect

  That's pretty clear.  The MS-CHAP information isn't being accepted.  Either because it's wrong, or because the user doesn't exist, or MS-CHAP isn't enabled.

  Alan DeKok.


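The check Alan asks for, as an added example that is not part of the thread and not FreeRADIUS or Samba code: a Python script that rebuilds the exact ntlm_auth command the posted mods-enabled/mschap line produces for one MS-CHAPv2 Access-Request (the `%{...:-default}` expansions, the `with_ntdomain_hack` domain stripping and the RFC 2759 challenge hash), next to the clear-text `--password` form that a hand test with ntlm_auth usually uses. Typing the rebuilt command against winbind separates a rejected challenge/response from a user or domain winbind does not know. The attribute values are the RFC 2759 section 9.2 test vectors wrapped in a constructed MS-CHAP2-Response attribute; `/usr/bin/ntlm_auth` and the `MYDOMAIN` fallback come from the posted config; how the name fed to the hash is derived from User-Name is my reading of rlm_mschap and is an assumption.

```python
"""Rebuild the ntlm_auth call rlm_mschap makes for an MS-CHAPv2 request.

Added example, not FreeRADIUS or Samba code.  It follows the ntlm_auth line in
the posted mods-enabled/mschap so the same command can be run by hand.
"""
import hashlib
import shlex
import shutil
import subprocess
from typing import List, Optional, Tuple

NTLM_AUTH = "/usr/bin/ntlm_auth"   # path used in the posted config
DEFAULT_DOMAIN = "MYDOMAIN"        # the :-MYDOMAIN fallback in the posted config


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: str) -> bytes:
    """RFC 2759 s8.2 ChallengeHash: SHA1(PeerChallenge|AuthenticatorChallenge|UserName)[:8].
    This is the value %{mschap:Challenge} expands to for an MS-CHAPv2 request."""
    if len(peer_challenge) != 16 or len(auth_challenge) != 16:
        raise ValueError("MS-CHAPv2 challenges are 16 octets each")
    digest = hashlib.sha1(peer_challenge + auth_challenge + username.encode("ascii")).digest()
    return digest[:8]


def split_mschap2_response(attr: bytes) -> Tuple[bytes, bytes]:
    """MS-CHAP2-Response (RFC 2548 s2.3.2) is Ident(1) Flags(1) PeerChallenge(16)
    Reserved(8) NT-Response(24); return (PeerChallenge, NT-Response)."""
    if len(attr) != 50:
        raise ValueError(f"MS-CHAP2-Response must be 50 octets, got {len(attr)}")
    return attr[2:18], attr[26:50]


def nt_domain(user_name: str) -> Optional[str]:
    """%{mschap:NT-Domain}: 'DOMAIN\\user' -> DOMAIN, 'user@realm' -> realm, else unset."""
    if "\\" in user_name:
        return user_name.split("\\", 1)[0]
    if "@" in user_name:
        return user_name.rsplit("@", 1)[1]
    return None


def mschapv2_argv(user_name: str, stripped_user_name: Optional[str],
                  auth_challenge: bytes, mschap2_response: bytes,
                  with_ntdomain_hack: bool = True) -> List[str]:
    """Expand the posted ntlm_auth template for one Access-Request."""
    peer_challenge, nt_response = split_mschap2_response(mschap2_response)

    # --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
    username = stripped_user_name or user_name or "None"

    # --domain=%{%{mschap:NT-Domain}:-MYDOMAIN}
    domain = nt_domain(user_name) or DEFAULT_DOMAIN

    # %{mschap:Challenge}: the module hashes over User-Name with the 'DOMAIN\'
    # prefix removed when with_ntdomain_hack = yes (my reading of rlm_mschap;
    # assumption).  The name must match what the client hashed over.
    hash_name = user_name
    if with_ntdomain_hack and "\\" in hash_name:
        hash_name = hash_name.split("\\", 1)[1]
    chal = challenge_hash(peer_challenge, auth_challenge, hash_name)

    return [NTLM_AUTH, "--allow-mschapv2", "--request-nt-key",
            f"--username={username}", f"--domain={domain}",
            f"--challenge={chal.hex()}", f"--nt-response={nt_response.hex()}"]


def plaintext_argv(user_name: str, domain: str, password: str) -> List[str]:
    """The clear-text check people usually try by hand.  It takes winbind's
    plain-password path, so passing here says nothing about MS-CHAPv2."""
    return [NTLM_AUTH, f"--username={user_name}", f"--domain={domain}",
            f"--password={password}"]


def run(argv: List[str]) -> Tuple[bool, str]:
    """Run ntlm_auth and read it the way rlm_mschap does: exit 0 plus an
    'NT_KEY: <hex>' line is success, anything else is the failure text."""
    if shutil.which(argv[0]) is None:
        return False, f"{argv[0]} not installed"
    proc = subprocess.run(argv, capture_output=True, text=True)
    out = proc.stdout.strip()
    if proc.returncode == 0 and out.startswith("NT_KEY:"):
        return True, out.split(":", 1)[1].strip()
    return False, out or proc.stderr.strip()


if __name__ == "__main__":
    # RFC 2759 s9.2 vectors (UserName "User") in a constructed MS-CHAP2-Response
    # attribute: Ident=1, Flags=0, Reserved=0.
    auth = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")
    peer = bytes.fromhex("21402324255E262A28295F2B3A337C7E")
    resp = bytes.fromhex("82309ECD8D708B5EA08FAA3981CD78544C65C434D12F209E")
    attr = b"\x01\x00" + peer + b"\x00" * 8 + resp
    argv = mschapv2_argv("DOMAIN\\User", "User", auth, attr)
    print(shlex.join(argv))
    print(run(argv))
```

With winbind reachable, `run(mschapv2_argv(...))` returns `(True, nt_key_hex)` when the DC accepts the response and `(False, text)` with the NT status text otherwise, which is the same output the module logs in the post. A `--password` check that passes while this form fails points at the MS-CHAPv2 path (the domain value, the `ntlm auth` policy on the Samba side, or a response the client computed over a different user name) rather than at the account itself.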