I'm trying to move my freeradius server from debian jessie (freeradius 2.2.5+dfsg-0.2+deb8u1 and samba 4.2.14+dfsg-0+deb8u9) in an NT-like domain to a new stretch server (freeradius 3.0.12+dfsg-5+deb9u1 and samba 4.8.5+mnu-1~deb9, louis packages). Many things changed.
I've followed (also):
https://wiki.samba.org/index.php/Authenticating_Freeradius_against_Active_Directory
and added in /etc/samba/smb.conf
ntlm auth = mschapv2-and-ntlmv2-only
First note: the server that runs freeradius is a domain member, not a DC. Does 'ntlm auth = mschapv2-and-ntlmv2-only' have to be added to the DC(s)? To the server that runs freeradius (DC or DM)? It is not clear...
Anyway, I've tried both with:
winbind_username = "%{%{mschap:User-Name}:-00}"
winbind_domain = "LNFFVG"
and I got 'password expired' (and it is not the case):
rlm_mschap (mschap): Reserved connection (1)
(19) mschap: sending authentication request user='gaio' domain='LNFFVG'
rlm_mschap (mschap): Released connection (1)
rlm_mschap (mschap): Need 4 more connections to reach 10 spares
rlm_mschap (mschap): Opening additional connection (6), 1 of 26 pending slots used
(19) mschap: ERROR: When trying to update a password, this return status indicates that the value provided as the current password is not correct. [0xC000006A]
(19) mschap: ERROR: Password has expired. User should retry authentication
(19) [mschap] = reject
(19) } # authenticate = reject
(19) MSCHAP-Error: ?E=648 R=0 C=fa3be054eae16e879474da85edc05e2b V=3 M=Password expired
(19) Found new challenge from MS-CHAP-Error: err=648 retry=0 challenge=fa3be054eae16e879474da85edc05e2b
(19) ERROR: MSCHAP Failure
while if I try with:
ntlm_auth = "/usr/bin/ntlm_auth --allow-mschapv2 --request-nt-key --domain=LNFFVG --username=%{mschap:User-Name:-None} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
I got an auth error:
(9) mschap: ERROR: Program returned code (1) and output 'The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)'
(9) mschap: External script failed
(9) mschap: ERROR: External script says: The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)
(9) mschap: ERROR: MS-CHAP2-Response is incorrect
(9) [mschap] = reject
(9) } # authenticate = reject
(9) MSCHAP-Error: ?E=691 R=1 C=290c594e6aefd7535b4ef40dfee2b792 V=3 M=Authentication failed
(9) Found new challenge from MS-CHAP-Error: err=691 retry=1 challenge=290c594e6aefd7535b4ef40dfee2b792
(9) ERROR: MSCHAP Failure
Does someone have some hints? Thanks.
PS: on the same server I've Squid, and authentication works perfectly with 'ntlm_auth'...
--
dott. Marco Gaiarin GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia''
http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it t +39-0434-842711 f +39-0434-842797
Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
(tax code 00307430132, category ONLUS or RICERCA SANITARIA)
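The two excerpts above carry two different error codes for the same failed logon: the NTSTATUS that winbind or ntlm_auth returned from the DC (0xC000006A in the first run, 0xc000006d in the second) and the MS-CHAPv2 failure code that rlm_mschap then put into the MSCHAP-Error reply (E=648 "password expired" versus E=691 "authentication failed"). When these disagree, as in the first run, the backend result is the one to trust when debugging. The following added example is not code from the thread, from FreeRADIUS or from Samba: it parses radiusd -X lines of the shape shown above, decodes both codes (MS-CHAPv2 codes per RFC 2759 section 6, NTSTATUS names from the public Windows constants) and flags requests where the backend status and the client-facing code do not match. The mapping in EXPECTED_MSCHAP_CODE is an assumption made for the consistency check, not rlm_mschap's own table, and SAMPLE_LOG is a constructed sample modelled on the post's excerpts with the mail-wrapped lines joined.

```python
import re

# MS-CHAPv2 Failure packet error codes (RFC 2759 section 6).
MSCHAPV2_ERRORS = {
    646: "ERROR_RESTRICTED_LOGON_HOURS",
    647: "ERROR_ACCT_DISABLED",
    648: "ERROR_PASSWD_EXPIRED",
    649: "ERROR_NO_DIALIN_PERMISSION",
    691: "ERROR_AUTHENTICATION_FAILURE",
    709: "ERROR_CHANGING_PASSWORD",
}

# Public NTSTATUS constants that winbind / ntlm_auth surface on a failed logon.
NTSTATUS = {
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC0000071: "STATUS_PASSWORD_EXPIRED",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
}

# Which MS-CHAPv2 code each NTSTATUS should normally be translated to.
# Assumption used only for the consistency check, not a table taken from rlm_mschap.
EXPECTED_MSCHAP_CODE = {
    0xC0000064: 691,
    0xC000006A: 691,
    0xC000006D: 691,
    0xC0000071: 648,
    0xC0000072: 647,
}

# Matches "(19) MSCHAP-Error: ?E=648 R=0 C=<hex challenge> V=3 M=Password expired".
MSCHAP_ERROR_RE = re.compile(
    r"\((?P<req>\d+)\) MSCHAP-Error: \?E=(?P<code>\d+) R=(?P<retry>\d) "
    r"C=(?P<challenge>[0-9a-fA-F]+) V=(?P<ver>\d+) M=(?P<msg>.*)$"
)
# Matches any "(N) mschap: ..." line carrying an 8-digit NTSTATUS such as 0xC000006A.
NTSTATUS_RE = re.compile(r"\((?P<req>\d+)\) mschap: .*?(?P<status>0x[0-9a-fA-F]{8})")


def decode_mschap_log(text):
    """Return {request_id: details} for every rlm_mschap failure found in a radiusd -X capture."""
    results = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = MSCHAP_ERROR_RE.match(line)
        if m:
            code = int(m.group("code"))
            entry = results.setdefault(m.group("req"), {})
            entry["mschap_code"] = code
            entry["mschap_name"] = MSCHAPV2_ERRORS.get(code, "UNKNOWN")
            entry["retry_allowed"] = m.group("retry") == "1"
            entry["message"] = m.group("msg").strip()
            continue
        m = NTSTATUS_RE.match(line)
        if m:
            status = int(m.group("status"), 16)
            entry = results.setdefault(m.group("req"), {})
            entry["ntstatus"] = status
            entry["ntstatus_name"] = NTSTATUS.get(status, "UNKNOWN")
    for entry in results.values():
        entry["consistent"] = _codes_agree(entry)
    return results


def _codes_agree(entry):
    """True/False when both codes are present and the NTSTATUS maps to the MS-CHAP code, None if one is missing."""
    if "ntstatus" not in entry or "mschap_code" not in entry:
        return None
    return EXPECTED_MSCHAP_CODE.get(entry["ntstatus"]) == entry["mschap_code"]


def summarize(results):
    """One readable line per request, flagging backend / client-facing mismatches."""
    lines = []
    for req, e in sorted(results.items(), key=lambda kv: int(kv[0])):
        nt = f"{e['ntstatus_name']} ({e['ntstatus']:#010x})" if "ntstatus" in e else "no NTSTATUS"
        ms = f"E={e['mschap_code']} {e['mschap_name']}" if "mschap_code" in e else "no MSCHAP-Error"
        flag = "  <-- backend and MS-CHAP codes disagree" if e["consistent"] is False else ""
        lines.append(f"request {req}: backend {nt}; sent to client {ms}{flag}")
    return lines


# Constructed sample modelled on the two excerpts in the post (mail-wrapped lines joined).
SAMPLE_LOG = """\
(19) mschap: sending authentication request user='gaio' domain='LNFFVG'
(19) mschap: ERROR: When trying to update a password, this return status indicates that the value provided as the current password is not correct. [0xC000006A]
(19) mschap: ERROR: Password has expired. User should retry authentication
(19) MSCHAP-Error: ?E=648 R=0 C=fa3be054eae16e879474da85edc05e2b V=3 M=Password expired
(9) mschap: ERROR: Program returned code (1) and output 'The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)'
(9) mschap: ERROR: MS-CHAP2-Response is incorrect
(9) MSCHAP-Error: ?E=691 R=1 C=290c594e6aefd7535b4ef40dfee2b792 V=3 M=Authentication failed
"""

if __name__ == "__main__":
    for line in summarize(decode_mschap_log(SAMPLE_LOG)):
        print(line)
```

Run it against a saved radiusd -X capture instead of SAMPLE_LOG to get one line per rejected request; a flagged line (backend says wrong password, client told password expired) points at the translation step in rlm_mschap rather than at the account itself, which is the first thing to establish before touching smb.conf or the DC.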