search for: chapv2

...Hi,i am not sure if i understand yor needs, but maybe this helps > this links guide you to setup a pptp server an client for linux > http://www.poptop.org/ > http://pptpclient.sourceforge.net/ > there are patches to use smbpasswd to auth > users which are conect via pptpd > and MSCHAPv2 with domain > the pptp client should work for login in ras servers > radius shuold work too ( radius auth to ldap should work ) > good Luck >

On Mon, 2023-04-03 at 15:08 +0000, Tim ODriscoll via samba wrote: > Unfortunately it's still erroring out: > (7) mschap: Creating challenge hash with username: host/SL-6S4BBS3.MYDOMAIN.co.uk > (7) mschap: Client is using MS-CHAPv2 Is this set as a UPN (with the realm appended) on the user? -- Andrew Bartlett (he/him) https://samba.org/~abartlet/ Samba Team Member (since 2001) https://samba.org Samba Developer, Catalyst IT https://catalyst.net.nz/services/samba

Hello all, I was not able to find much on this in the archives so I hope someone can help Me with this. Can samba 3.x help the authentication of a Microsoft client authenticating with MSCHAPv2 passwords to my linux box which we use to authenticate a user stored on a Microsoft Active Directory server. The authentication request comes in through RADIUS which I can convert to LDAP,but that only works with clear passwords to Active Directory. I still need to compete the MSCHAP challeng...

> > It might help if you told us how Extreme advised you to configure it. https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-set-internal-RADIUS-server-on-WiNG-with-LDAP-based-authentication http://www.michaelfmcnamara.com/files/motorola/WING5X_How_To_Active_Directory_Authentication_Rev_B.pdf https://www.manualslib.com/manual/1150860/Motorola-Wing-5-7-1.html

...00000000000000161c5daea05d0ded24eaf8ca99f338ab4e8f6491e86cdd4900>, name = "xxxxx"] rcvd [CHAP Success id=0x8b "S=5DB7336F26A8F34ABA08DCD453760E3808A090FF M=Access granted"] 5DB7336F26A8F34ABA08DCD453760E3808A090FF M=Access granted F8673CADD4286B742EF0C39036393650701D0A60 MS-CHAPv2 mutual authentication failed. CHAP authentication failed sent [LCP TermReq id=0x2 "Failed to authenticate ourselves to peer"] In other words, the ntlm-auth helper and AD server says OK, but the hashes aren't equal, which causes ppp to say "mutual authentication failed". I...

...t they are now exactly the same as yours except for the "--require-membership-of=example\authorization_groupname" line in ntlm_auth. Unfortunately it's still erroring out: (7) mschap: Creating challenge hash with username: host/SL-6S4BBS3.MYDOMAIN.co.uk (7) mschap: Client is using MS-CHAPv2 (7) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --username=%{%{mschap:User-Name}:-00} --allow-mschapv2 --domain=MYDOMAIN --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}: (7) mschap: EXPAND --username=%{%{mschap:User-Name}:-00} (7) mschap: --> --use...

...uth: type "MS-CHAP" Processing the authenticate section of radiusd.conf modcall: entering group MS-CHAP for request 0 rlm_mschap: No User-Password configured. Cannot create LM-Password. rlm_mschap: No User-Password configured. Cannot create NT-Password. rlm_mschap: Told to do MS-CHAPv2 for stevens3 with NT-Password radius_xlat: Running registered xlat function of module mschap for string 'Challenge' mschap2: f0 radius_xlat: Running registered xlat function of module mschap for string 'NT-Response' radius_xlat: '/usr/bin/ntlm_auth -debug=10 --logfile=/tmp --r...

...> > > > On Mon, 2023-04-03 at 15:08 +0000, Tim ODriscoll via samba wrote: > > > > > Unfortunately it's still erroring out: > > > (7) mschap: Creating challenge hash with username: host/SL-6S4BBS3.MYDOMAIN.co.uk > > > (7) mschap: Client is using MS-CHAPv2 > > > > Is this set as a UPN (with the realm appended) on the user? > > > In my environment (where samba + freeradius + wifi connect with > machine account works), there is no UPN set on the machine account, > just a set of SPNs: > servicePrincipalName: HOST/myhost.e...

...ng to winbindd succeeded # ls -ld /var/lib/samba/winbindd_privileged/ drwxr-x---+ 2 root radiusd 18 Apr 1 21:39 /var/lib/samba/winbindd_privileged/ # ntlm_auth --username=tim.odriscoll Password: : (0x0) Samba's config has this on the member (FR) server and all the DCs: ntlm auth = mschapv2-and-ntlmv2-only But I'm getting this back from FreeRADIUS: (7) mschap: Creating challenge hash with username: host/SL-6S4BBS3.MYDOMAIN.co.uk (7) mschap: Client is using MS-CHAPv2 (7) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --allow-mschapv2 --domain...

...t; drwxr-x---+ 2 root radiusd 18 Apr 1 21:39 /var/lib/samba/winbindd_privileged/ > # ntlm_auth --username=tim.odriscoll > Password: > : (0x0) You already did the thing I asked below... > Samba's config has this on the member (FR) server and all the DCs: > ntlm auth = mschapv2-and-ntlmv2-only > > But I'm getting this back from FreeRADIUS: > (7) mschap: Creating challenge hash with username: host/SL-6S4BBS3.MYDOMAIN.co.uk > (7) mschap: Client is using MS-CHAPv2 > (7) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} -...

On Mon, 2023-04-03 at 15:08 +0000, Tim ODriscoll via samba wrote: Unfortunately it's still erroring out: (7) mschap: Creating challenge hash with username: host/SL-6S4BBS3.MYDOMAIN.co.uk (7) mschap: Client is using MS-CHAPv2 > Is this set as a UPN (with the realm appended) on the user? I don't see any UPN's in my AD record, only SPNs - unless I misunderstand you? I've run the 'radtest' client with '-t mschap' and without as parameters. Without '-t mschap' works, but with it fai...

.../var/lib/samba/winbindd_privileged/ > drwxr-x---+ 2 root radiusd 18 Apr 1 21:39 /var/lib/samba/winbindd_privileged/ > # ntlm_auth --username=tim.odriscoll > Password: > : (0x0) > > Samba's config has this on the member (FR) server and all the DCs: > ntlm auth = mschapv2-and-ntlmv2-only > > But I'm getting this back from FreeRADIUS: > (7) mschap: Creating challenge hash with username: host/SL-6S4BBS3.MYDOMAIN.co.uk > (7) mschap: Client is using MS-CHAPv2 > (7) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} -...

...etwork trace (and a > description of what it contains, packet by failing packet) to clarify > what is different between this and a test Microsoft AD domain? Just some initial feedback, as I think you may be a little confused by the protocols involved. There isn't a way to validate an MS-CHAPv2 response over Kerberos, the relevant protocol is the SamLogon family of functions over the NETLOGON DCE/RPC pipe which Samba has pretty comprehensive support for. So assuming it uses the normal calls here (and I'll check the logs you sent privately), this is all expected to work. Do make sure...

You could try the setting. ntlm auth = mschapv2-and-ntlmv2-only >From man smb.conf The available settings are: · ntlmv1-permitted (alias yes) - Allow NTLMv1 and above for all clients. · ntlmv2-only (alias no) - Do not allow NTLMv1 to be used, but permit NTLMv2. · mschapv2-and-ntlm...

...wrote: > On Mon, 2023-04-03 at 15:08 +0000, Tim ODriscoll via samba wrote: > > > > > > Unfortunately it's still erroring out: > > (7) mschap: Creating challenge hash with username: host/SL- > > 6S4BBS3.MYDOMAIN.co.uk > > (7) mschap: Client is using MS-CHAPv2 > > > > > Is this set as a UPN (with the realm appended) on the user? > > > > > I don't see any UPN's in my AD record, only SPNs - unless I > misunderstand you? > > > > > > > > > I've run the 'radtest' cl...

...key --username=jdoe --domain=NETWORK --challenge=0a0a0a0a0a0a0a0a --nt-response=0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a Success: Debug: Exec-Program output: NT_KEY: [SNIP] Debug: Exec-Program-Wait: plaintext: NT_KEY: [SNIP] Debug: Exec-Program: returned: 0 Info: [mschap_network] adding MS-CHAPv2 MPPE keys Info: ++[mschap_network] returns ok Failure: Debug: Exec-Program output: Reading winbind reply failed! (0xc0000001) Debug: Exec-Program-Wait: plaintext: Reading winbind reply failed! (0xc0000001) Debug: Exec-Program: returned: 1 Info: [mschap_network] External script failed. Info: [mscha...

...--without-rlm_krb5 > > make > > make install > > modcall: entering group Auth-Type for request 6 > rlm_mschap: No User-Password configured. Cannot create LM-Password. > rlm_mschap: No User-Password configured. Cannot create NT-Password. > rlm_mschap: Told to do MS-CHAPv2 for host/IS--000031176 with > NT-Password > radius_xlat: Running registered xlat function of module mschap for > string 'User-Name' > radius_xlat: Running registered xlat function of module mschap for > string 'Challenge' > mschap2: d3 > radius_xlat: Running re...