Joy Veronneau wrote:
> Hi,
> I am stumped! I have implemented samba and MSCHAPv2 and everything works when
> running as user root. (Winbindd and radiator running as root.) But I need to
> run the radiator process as user "radiator". I also had to install samba in
> an alternate directory.
>
> So, when running radiator and winbindd as "root" everything works including
> ntlm_auth from command line and also MSCHAPv2 connections through radiator.
> When running radiator and winbindd as user "radiator" ntlm_auth from command
> line works but MSCHAPv2 connection through radiator fails. The log file looks
> like this:
>
...
> Mon Oct 31 10:50:03 2011: INFO: Starting NtlmAuthProg:
> /app/radius/samba/bin/ntlm_auth --helper-protocol=ntlm-server-1
...
> As user radiator, this works:
>
> /app/radius/samba/bin/ntlm_auth --request-nt-key --domain=CORNELL
> --username=jv11 --password=xxxxxxxxxx
I had exactly the same problem when I first set up radiator. The gotcha is
that for some reason ntlm_auth actually requires more special permissions to
run with --helper-protocol=ntlm-server-1 than it does to do a simple auth check
from the command line.
The best way to troubleshoot this is to invoke ntlm_auth from the command line
in the same way that Radiator actually invokes it to do MS-CHAPv2.
For example, run
ntlm_auth --helper-protocol=ntlm-server-1
And then paste as input:
Username: yourusernamehere
NT-Domain: YOURDOMAINHERE
LANMAN-Challenge: 0102030405060708
NT-Response: 0102030405060708090A0B0C0D0E0F101112131415161718
.
(the dot on a line by itself followed by another newline tells the helper
protocol that you're done entering attributes)
The desired output of this test, since the NT-Response value is completely
bogus, is:
Authenticated: No
Authentication-Error: Wrong Password
What it said for me instead, the first time I tried it, was:
Authenticated: No
Authentication-Error: winbind client not authorized to use
winbindd_pam_auth_crap. Ensure permissions on
/var/cache/samba/winbindd_privileged are set correctly.
which pointed me to the problem. The solution that worked for me was to change
the group ownership of this directory (which will of course be in a different
location for you):
chgrp radiator /var/cache/samba/winbindd_privileged
Note that (at least as of v3.0.33), samba is apparently very picky about this
directory's permissions; changing the group is okay, but it must be owned by
root and chmod 750 (drwxr-x---) in order to work.
Finally, I've attached a perl script I wrote that performs this same test using
a *working* input file stored on disk (generated by running it once with
--create and giving it a real username and password); you'll probably want to
change the hardcoded location of this file ($queryfile) to make sense for your
system. On my radius servers I have a cron task which runs this script with -q
every few minutes and automatically restarts winbind if it ever fails. :)
Hope this helps!
David
P.S. Caveat: I'm running radiator as a regular user, but I'm running winbind
as root (launched via sudo). It sounds like you're trying to avoid even that,
so the chgrp may not be enough to solve your problem, but if not then hopefully
my troubleshooting approach will still get you closer to understanding what's
wrong.
#!/usr/bin/perl
use warnings;
use strict;
use Getopt::Long;
use Authen::Perl::NTLM;

sub usage {
    print STDERR <<EOF;
$0 [options]
Tests that full MSCHAP authentication vs AD (using the secure pipe) is working
properly.
  -q        quiet mode test, only print errors
  --create  Generates the query file to be used for future runs
Any additional arguments following '--' will be passed directly to ntlm_auth.
Example:
  $0 -q -- --require-membership-of='DOMAIN\\Group Name'
EOF
    exit 1;
}

# Change this to a private location on your system (the file holds a valid
# challenge/response pair for a real account).
my $queryfile = "/services/cites-radius/etc/private/ntlmtest.query";
# 8 byte (16 hex digit) challenge for generating query files
my $challenge = '0000000000000000';

my ($QUIET, $CREATE, $USAGE);
GetOptions(
    "q"      => \$QUIET,
    "create" => \$CREATE,
    "help"   => \$USAGE,
) or $USAGE = 1;
usage() if $USAGE;
my $VERBOSE = !$QUIET;

## create
if ($CREATE) {
    my ($USERNAME, $DOMAIN, $PASSWORD);
    # Prompt for username and password
    do {
        print STDERR "Enter AD account username (no domain or realm) to probe: ";
        chomp($USERNAME = <STDIN>);
        print STDERR "Enter domain: ";
        chomp($DOMAIN = <STDIN>);
        system "stty -echo";
        print STDERR "Enter password for $DOMAIN\\$USERNAME: ";
        chomp($PASSWORD = <STDIN>);
        print STDERR "\n";
        system "stty echo";
    } until $USERNAME and $DOMAIN and $PASSWORD;
    # Do the math: NT hash of the password, then the 24-byte NT-Response
    # for our fixed 8-byte challenge
    my $nonce     = pack('H16', $challenge);
    my $nt_pwhash = Authen::Perl::NTLM::nt_hash($PASSWORD);
    my $nt_resp   = Authen::Perl::NTLM::calc_resp($nt_pwhash, $nonce);
    # Write the query file in ntlm-server-1 helper-protocol format
    open(my $queryfh, '>', $queryfile)
        or die "failed to open $queryfile for writing: $!";
    print $queryfh "Username: $USERNAME\n";
    print $queryfh "NT-Domain: $DOMAIN\n";
    print $queryfh "LANMAN-Challenge: " . unpack('H*', $nonce) . "\n";
    print $queryfh "NT-Response: " . unpack('H*', $nt_resp) . "\n";
    print $queryfh ".\n";
    close $queryfh
        or die "failed to close $queryfile for writing: $!";
}

## test
my $extra_args = join(' ', map { "'$_'" } @ARGV);
my $cmd = "ntlm_auth --helper-protocol=ntlm-server-1 $extra_args < $queryfile";
if ($VERBOSE) {
    print "Invoking $cmd\n\n-- Contents of query file --\n"
        . `cat $queryfile` . "-- Output --\n";
}
open(my $outfh, '-|', $cmd)
    or die "failed to run ntlm_auth: $!";
my $success = 0;
while (<$outfh>) {
    print $_ if /Error/ or $VERBOSE;
    $success = 1 if /Authenticated: Yes/;
}
print "-- Done --\n" if $VERBOSE;
close $outfh or die "ntlm_auth failed: $! $?";
die "NTLM authentication test failed\n" unless $success;
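The troubleshooting loop described in the reply (drive the ntlm-server-1 helper with a bogus NT-Response, read what it answers, then check the winbindd_privileged directory against the stated ownership and mode) as an added Python example; it is not part of the original post or of the attached Perl script. The challenge and NT-Response are the constructed bogus values from the post; the ntlm_auth path, username and the Radiator group id are assumptions to adjust for your install.

```python
import subprocess

# Constructed bogus values from the post; the probe is EXPECTED to answer "Wrong Password".
BOGUS_CHALLENGE = "0102030405060708"
BOGUS_NT_RESPONSE = "0102030405060708090A0B0C0D0E0F101112131415161718"

def build_request(username, domain, challenge=BOGUS_CHALLENGE,
                  nt_response=BOGUS_NT_RESPONSE):
    """Render one ntlm-server-1 request; the lone '.' line ends the record."""
    for name, value, nbytes in (("LANMAN-Challenge", challenge, 8),
                                ("NT-Response", nt_response, 24)):
        if len(bytes.fromhex(value)) != nbytes:  # also rejects non-hex input
            raise ValueError(f"{name} must be {nbytes} bytes of hex")
    return (f"Username: {username}\nNT-Domain: {domain}\n"
            f"LANMAN-Challenge: {challenge}\nNT-Response: {nt_response}\n.\n")

def parse_reply(text):
    """Turn the helper's 'Key: value' answer lines into a dict."""
    reply = {}
    for line in text.splitlines():
        key, sep, value = line.partition(": ")
        if sep:
            reply[key.strip()] = value.strip()
    return reply

def classify(reply):
    """Map a parsed reply to the diagnosis the post walks through."""
    if reply.get("Authenticated") == "Yes":
        return "authenticated"
    error = reply.get("Authentication-Error", "")
    if "winbind client not authorized" in error:
        return "privileged-pipe-permissions"  # fix the winbindd_privileged dir
    if error == "Wrong Password":
        return "pipe-working"  # the expected answer for the bogus response
    return "unknown"

def check_privileged_dir(uid, gid, mode, radiator_gid):
    """The post's requirements for winbindd_privileged: owned by root, group
    of the Radiator user, mode 0750. Returns the problems found (empty = OK)."""
    checks = [(uid == 0, "not owned by root"),
              (gid == radiator_gid, "group is not the Radiator user's group"),
              ((mode & 0o7777) == 0o750, f"mode {mode & 0o7777:04o}, expected 0750")]
    return [msg for ok, msg in checks if not ok]

def run_probe(username, domain, ntlm_auth="ntlm_auth", extra_args=()):
    """Invoke the helper exactly as Radiator does and classify its answer."""
    cmd = [ntlm_auth, "--helper-protocol=ntlm-server-1", *extra_args]
    proc = subprocess.run(cmd, input=build_request(username, domain),
                          text=True, capture_output=True)
    return classify(parse_reply(proc.stdout))
```

Feed `os.stat(path)` fields (`st_uid`, `st_gid`, `st_mode`) and `grp.getgrnam("radiator").gr_gid` into `check_privileged_dir` to audit the real directory; `run_probe("jv11", "CORNELL")` must return `"pipe-working"` on a healthy box.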
_______________________________________________
radiator mailing list
[email protected]
http://www.open.com.au/mailman/listinfo/radiator