I am trying to get FreeRADIUS to use Samba's ntlm_auth for MSCHAPv2
authentication.
I asked this question over on the FreeRADIUS list, and I think the stunned
silence means that the folks over there think you guys in the Samba world may be
able to help better.
I admit it's been a few years since I did any Samba!
I have joined my two RADIUS servers (FreeRADIUS 2.0.2, Solaris 10 x86, Sun's
winbindd 3.0.25a) to our AD domain with the "net join" command. This
worked (eventually!).
Now when I test "ntlm_auth" I get the following odd goings-on:
Scenario A: Works
Type: ntlm_auth --username=USER --password=PASSWORD --domain=DOMAIN
Result: NT_STATUS_OK: Success (0x0)
Scenario B: FAILS
Type: ntlm_auth --username=USER --domain=DOMAIN
password: <PASSWORD>
Result: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)
What's different about the password handling between A and B?
The upshot is that the command issued by FreeRADIUS, i.e.
ntlm_auth = "/usr/sfw/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
(where the %{} bits become a basic, domain-free user name, e.g. "user", and some
long hex strings), also fails.
So my MSCHAPv2 auth is now broken.
This worked fine with our test AD environment. I am told the only differences
between test and production are:
1) Production is in "native mode"
2) Production supports logins using both "USER\livad.liv.ac.uk" and
"USER@liverpool.ac.uk" forms.
Thanks in advance.
---------------
Barry Dean
Networks Team
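Added example, not part of the post above and not code from Samba or FreeRADIUS: it shows where the two "long hex strings" in the rlm_mschap ntlm_auth line come from. The 8-byte --challenge value for MS-CHAPv2 is the ChallengeHash() of RFC 2759 section 8.2 (SHA1 over PeerChallenge, AuthenticatorChallenge and the user name, truncated), checked here against the RFC's published test vector. The realm-stripping helper is a hypothetical stand-in for Stripped-User-Name covering the DOMAIN\user and user@realm forms the post mentions, not rlm_realm's actual logic, and the example assumes (as FreeRADIUS's ntdomain_hack does) that the domain-free name is the one that goes into the hash; confirm that against your rlm_mschap version. The 24-byte NT-Response is taken from the same RFC vector rather than computed, since that needs MD4 of the UTF-16LE password plus three DES operations, which this example leaves out.

```python
"""Added example (not from the post, Samba or FreeRADIUS): how the hex values
in the rlm_mschap ntlm_auth line are produced, plus a realm-stripping helper
for the two login forms mentioned in the post."""
import hashlib
from typing import List, Optional, Tuple


def strip_realm(user_name: str) -> Tuple[str, Optional[str]]:
    """Hypothetical stand-in for FreeRADIUS's Stripped-User-Name (assumption,
    not rlm_realm's exact logic): split 'DOMAIN\\user' or 'user@realm' into
    (user, realm); a bare name comes back with realm None."""
    if "\\" in user_name:
        realm, _, user = user_name.partition("\\")
        return user, realm
    if "@" in user_name:
        user, _, realm = user_name.rpartition("@")
        return user, realm
    return user_name, None


def mschapv2_challenge_hash(peer_challenge: bytes, authenticator_challenge: bytes,
                            user_name: str) -> bytes:
    """ChallengeHash() from RFC 2759 section 8.2: the 8-byte value that
    %{mschap:Challenge} expands to for an MS-CHAPv2 request. It is SHA1 over
    PeerChallenge || AuthenticatorChallenge || UserName, truncated to 8 bytes."""
    if len(peer_challenge) != 16 or len(authenticator_challenge) != 16:
        raise ValueError("MS-CHAPv2 peer and authenticator challenges are 16 bytes each")
    h = hashlib.sha1()
    h.update(peer_challenge)
    h.update(authenticator_challenge)
    h.update(user_name.encode("utf-8"))
    return h.digest()[:8]


def build_ntlm_auth_argv(ntlm_auth_path: str, user_name: str, challenge: bytes,
                         nt_response: bytes, pass_domain: bool = False) -> List[str]:
    """Build the argv that the post's 'ntlm_auth = ...' line hands to
    /usr/sfw/bin/ntlm_auth once the %{...} expansions are filled in.
    pass_domain=True additionally sends the stripped realm as --domain, the way
    Scenario A in the post does (the post's config line does not)."""
    if len(challenge) != 8 or len(nt_response) != 24:
        raise ValueError("challenge must be 8 bytes and NT-Response 24 bytes")
    user, realm = strip_realm(user_name)
    argv = [ntlm_auth_path, "--request-nt-key", f"--username={user}",
            f"--challenge={challenge.hex()}", f"--nt-response={nt_response.hex()}"]
    if pass_domain and realm:
        argv.append(f"--domain={realm}")
    return argv


# RFC 2759 section 9.2 test vector (published values, not a captured session).
RFC2759_USER = "User"
RFC2759_AUTH_CHALLENGE = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")
RFC2759_PEER_CHALLENGE = bytes.fromhex("21402324255E262A28295F2B3A337C7E")
RFC2759_CHALLENGE = bytes.fromhex("D02E4386BCE91226")
RFC2759_NT_RESPONSE = bytes.fromhex("82309ECD8D708B5EA08FAA3981CD78544C65C6D6F2C928D7")


def demo() -> List[str]:
    """Reproduce the RFC Challenge, then show the ntlm_auth argv for a
    constructed user@realm login. The hash uses the stripped name (assumption,
    see lead-in); the NT-Response is the RFC vector, not recomputed here."""
    challenge = mschapv2_challenge_hash(RFC2759_PEER_CHALLENGE,
                                        RFC2759_AUTH_CHALLENGE, RFC2759_USER)
    if challenge != RFC2759_CHALLENGE:
        raise RuntimeError("ChallengeHash does not match the RFC 2759 vector")
    return build_ntlm_auth_argv("/usr/sfw/bin/ntlm_auth", "User@liverpool.ac.uk",
                                challenge, RFC2759_NT_RESPONSE, pass_domain=True)


if __name__ == "__main__":
    print(" ".join(demo()))
```

Running the script prints the fully expanded ntlm_auth command line for the constructed login, with the challenge d02e4386bce91226 from the RFC vector. A quick practical check it enables: capture the exact values rlm_mschap expands (e.g. from debug output) and compare the --challenge value against this function for both the stripped and the unstripped user name; whichever matches tells you which name your version hashes, which matters when clients send USER@realm or DOMAIN\USER forms.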