FreeRadius with Samba 4 using NTLM

1

I was following this tutorial: http://wiki.freeradius.org/guide/freeradius-active-directory-integration-howto to set up AD integration, but I am still experiencing a problem with FreeRadius.

When I use

radtest -t mschap "username" "password" localhost 1812 testing123 

it returns:

Received Access-Reject Id 250 from 127.0.0.1:1812 to 127.0.0.1:59482 length 38
        MS-CHAP-Error = '\000E=691 R=1'
(0) -: Expected Access-Accept got Access-Reject

Anyway, when I try (NTLM string should be correct):

sudo -u radiusd ntlm_auth --username="MyUserName" --request-nt-key
Password:
NT_STATUS_OK: Success (0x0)

When I start radiusd -X I can see errors:

(1)  mschap : EXPAND --challenge=%{%{mschap:Challenge}:-00}
(1)  mschap :    --> --challenge=4052dcf90b2dec2c
(1)  mschap : EXPAND --nt-response=%{%{mschap:NT-Response}:-00}
(1)  mschap :    --> --nt-response=617c94e4b57451ef769181355abf9a297ba5bb05d1938891
Program returned code (1) and output 'Logon failure (0xc000006d)'
(1)  mschap : External script failed
(1)  ERROR: mschap : External script says: Logon failure (0xc000006d)
(1)  ERROR: mschap : MS-CHAP-Response is incorrect
(1)   [mschap] = reject
(1)  } # Auth-Type MS-CHAP = reject
(1) Failed to authenticate the user

But I was not able to find any solutions. Any idea how to debug this or what could be wrong?

ntlm
samba
freeradius
asked on Stack Overflow Sep 11, 2017 by Adam Drabek • edited Sep 11, 2017 by piet.t

1 Answer

0

The 'return code' (0xc000006d) indicates that the ntlm_auth script doesn't authenticate the provided credentials and exits with code 1. So, I would try to 'hard code' the ntlm_auth in the mods-available/mschap with your control items and add item by item. E.g.:

ntlm_auth = 'ntlm_auth --username="MyUserName" --request-nt-key --password="MyUserPassword"'

Hope that helps.

answered on Stack Overflow Sep 11, 2017 by Michel Smidt
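
A triage helper for the radiusd -X output quoted in the question, added here as an example (it is not code from the question, the answer or the FreeRADIUS project). The function name triage and its result strings are hypothetical; the sample input is the set of lines copied from the question.

```python
import re

# MS-CHAP failure codes (the E= field), as defined in RFC 2433 / RFC 2759.
MSCHAP_ERRORS = {
    646: "ERROR_RESTRICTED_LOGON_HOURS", 647: "ERROR_ACCT_DISABLED",
    648: "ERROR_PASSWD_EXPIRED", 649: "ERROR_NO_DIALIN_PERMISSION",
    691: "ERROR_AUTHENTICATION_FAILURE", 709: "ERROR_CHANGING_PASSWORD",
}
# A few NTSTATUS values that ntlm_auth can report back.
NTSTATUS = {
    0xC000006D: "STATUS_LOGON_FAILURE", 0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC0000064: "STATUS_NO_SUCH_USER", 0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}
# Sample input: the relevant lines copied from the question above.
SAMPLE = r"""
        MS-CHAP-Error = '\000E=691 R=1'
(1)  mschap :    --> --challenge=4052dcf90b2dec2c
(1)  mschap :    --> --nt-response=617c94e4b57451ef769181355abf9a297ba5bb05d1938891
Program returned code (1) and output 'Logon failure (0xc000006d)'
"""

def triage(log):
    """Return a list of findings for one rejected MS-CHAP request (hypothetical helper)."""
    out = []
    m = re.search(r"E=(\d+) R=([01])", log)
    if m:
        code, retry = int(m.group(1)), m.group(2) == "1"
        out.append("MS-CHAP-Error E=%d (%s), retry %s" % (
            code, MSCHAP_ERRORS.get(code, "unknown"), "allowed" if retry else "not allowed"))
    # ntlm_auth needs an 8-byte challenge and a 24-byte NT response; "00" is the
    # %{...:-00} fallback, i.e. the attribute was absent from the request.
    for name, nbytes in (("challenge", 8), ("nt-response", 24)):
        m = re.search(r"--> --%s=([0-9a-fA-F]+)" % name, log)
        if not m:
            out.append("%s: not found in log" % name)
        elif m.group(1) == "00":
            out.append("%s: missing from request (fallback 00)" % name)
        elif len(m.group(1)) != 2 * nbytes:
            out.append("%s: unexpected length (%d hex chars)" % (name, len(m.group(1))))
        else:
            out.append("%s: ok (%d bytes)" % (name, nbytes))
    m = re.search(r"returned code \((\d+)\) and output '.*\((0x[0-9a-fA-F]+)\)'", log)
    if m:
        status = int(m.group(2), 16)
        out.append("ntlm_auth exit %s, %s" % (
            m.group(1), NTSTATUS.get(status, "NTSTATUS 0x%08x" % status)))
    return out
if __name__ == "__main__":
    print("\n".join(triage(SAMPLE)))
```

For the question's log the findings show a well-formed challenge and response, so the rejection comes from the ntlm_auth call itself rather than from missing request attributes.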

User contributions licensed under CC BY-SA 3.0