He estado luchando con esto durante aproximadamente una semana. Estoy intentando conseguir un servidor RADIUS para autenticarme en nuestro Active Directory basado en Samba, pero no consigo que funcione. Debido a nuestra infraestructura, el PAP no funcionará. Debido a que AD no ofrece una contraseña de texto claro conocida, CHAP no funcionará. Entonces esto deja a MSCHAP.
El servidor RADIUS está en su propia VM. Dicha VM está vinculada al dominio con Winbind. Tengo lo siguiente /etc/raddb/mods-available/mschap:
$ cat /etc/raddb/mods-available/mschap|grep -Ev '^\s*(#|$)'
mschap {
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
winbind_username = "%{mschap:User-Name}"
winbind_domain = "[domain]"
winbind_retry_with_normalised_username = yes
pool {
start = ${thread[pool].start_servers}
min = ${thread[pool].min_spare_servers}
max = ${thread[pool].max_servers}
spare = ${thread[pool].max_spare_servers}
uses = 0
retry_delay = 30
lifetime = 86400
cleanup_interval = 300
idle_timeout = 600
}
}
Cuando un cliente intenta autenticarse, el radiusd -Xresultado relevante es:
Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on auth address :: port 1812 bound to server default
Listening on acct address :: port 1813 bound to server default
Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Ready to process requests
(0) Received Access-Request Id 22 from 192.168.6.179:43922 to 192.168.6.192:1812 length 180
(0) Service-Type = Framed-User
(0) Framed-Protocol = PPP
(0) NAS-Port = 15728668
(0) NAS-Port-Type = Virtual
(0) User-Name = "duncan"
(0) Calling-Station-Id = "192.168.6.100"
(0) Called-Station-Id = "192.168.6.179"
(0) MS-CHAP-Challenge = 0x7fd91ada13b38b1800f2f5c1b9a107e4
(0) MS-CHAP2-Response = 0x01000ff84b43a7f4d54b20da108b5f6a76480000000000000000b366008c649fc36a4a9bfb044f65dc8daf3aee10ad679141
(0) NAS-Identifier = "MikroTik"
(0) NAS-IP-Address = 192.168.6.179
(0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(0) authorize {
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]*@/ ) {
(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /@\./) {
(0) if (&User-Name =~ /@\./) -> FALSE
(0) } # if (&User-Name) = notfound
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
(0) [mschap] = ok
(0) [digest] = noop
(0) files: users: Matched entry DEFAULT at line 181
(0) [files] = ok
(0) [expiration] = noop
(0) [logintime] = noop
(0) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type
(0) pap: WARNING: Authentication will fail unless a "known good" password is available
(0) [pap] = noop
(0) } # authorize = ok
(0) Found Auth-Type = mschap
(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(0) authenticate {
(0) mschap: Creating challenge hash with username: duncan
(0) mschap: Client is using MS-CHAPv2
(0) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}:
(0) mschap: EXPAND --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
(0) mschap: --> --username=duncan
(0) mschap: Creating challenge hash with username: duncan
(0) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00}
(0) mschap: --> --challenge=6c2a06548de859d5
(0) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00}
(0) mschap: --> --nt-response=b366008c649fc36a4a9bfb044f65dc8daf3aee10ad679141
(0) mschap: ERROR: Program returned code (1) and output 'Logon failure (0xc000006d)'
(0) mschap: External script failed
(0) mschap: ERROR: External script says: Logon failure (0xc000006d)
(0) mschap: ERROR: MS-CHAP2-Response is incorrect
(0) [mschap] = reject
(0) } # authenticate = reject
(0) Failed to authenticate the user
(0) Using Post-Auth-Type Reject
(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(0) Post-Auth-Type REJECT {
(0) attr_filter.access_reject: EXPAND %{User-Name}
(0) attr_filter.access_reject: --> duncan
(0) attr_filter.access_reject: Matched entry DEFAULT at line 11
(0) [attr_filter.access_reject] = updated
(0) } # Post-Auth-Type REJECT = updated
(0) Delaying response for 1.000000 seconds
Waking up in 0.6 seconds.
Waking up in 0.3 seconds.
(0) Sending delayed response
(0) Sent Access-Reject Id 22 from 192.168.6.192:1812 to 192.168.6.179:43922 length 103
(0) MS-CHAP-Error = "\001E=691 R=1 C=06f7ce6fa5be464d72e8def2f9634910 V=3 M=Authentication rejected"
Waking up in 3.9 seconds.
(0) Cleaning up request packet ID 22 with timestamp +8
Ready to process requests
Y la salida del nivel 5 del registro de samba:
[2018/03/19 11:13:13.166062, 3] ../libcli/auth/schannel_state_tdb.c:190(schannel_fetch_session_key_tdb)
schannel_fetch_session_key_tdb: restored schannel info key SECRETS/SCHANNEL/GS-RADIUS
[2018/03/19 11:13:13.166160, 3] ../source4/auth/ntlm/auth.c:271(auth_check_password_send)
auth_check_password_send: Checking password for unmapped user [AD]\[duncan]@[\\GS-RADIUS]
[2018/03/19 11:13:13.166171, 5] ../source4/auth/ntlm/auth_util.c:57(map_user_info_cracknames)
map_user_info_cracknames: Mapping user [AD]\[duncan] from workstation [\\GS-RADIUS]
auth_check_password_send: mapped user is: [AD]\[duncan]@[\\GS-RADIUS]
[2018/03/19 11:13:13.166994, 5] ../source4/auth/ntlm/auth.c:67(auth_get_challenge)
auth_get_challenge: returning previous challenge by module netr_LogonSamLogonWithFlags (normal)
[2018/03/19 11:13:13.167006, 5] ../lib/util/util.c:555(dump_data)
[0000] 2D F2 C3 E3 15 05 ED 58 -......X
[2018/03/19 11:13:13.167502, 2] ../libcli/auth/ntlm_check.c:424(ntlm_password_check)
ntlm_password_check: NTLMv1 passwords NOT PERMITTED for user duncan
[2018/03/19 11:13:13.167518, 3] ../libcli/auth/ntlm_check.c:431(ntlm_password_check)
ntlm_password_check: NEITHER LanMan nor NT password supplied for user duncan
[2018/03/19 11:13:13.167630, 5] ../source4/dsdb/common/util.c:5252(dsdb_update_bad_pwd_count)
Not updating badPwdCount on CN=duncan,CN=Users,DC=ad,DC=goldblattsystems,DC=com after wrong password
[2018/03/19 11:13:13.167656, 2] ../source4/auth/ntlm/auth.c:430(auth_check_password_recv)
auth_check_password_recv: sam_ignoredomain authentication for user [AD\duncan] FAILED with error NT_STATUS_WRONG_PASSWORD
[2018/03/19 11:13:13.348906, 3] ../source4/smbd/service_stream.c:66(stream_terminate_connection)
Terminating connection - 'ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[2018/03/19 11:13:13.348929, 3] ../source4/smbd/process_single.c:114(single_terminate)
single_terminate: reason[ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
¿Qué está causando esto? ¿Cómo puedo arreglarlo?
Respuesta1
No necesita habilitar la ntlm_authfila /etc/raddb/mods-available/mschapni configurarla ntlm auth = yesen su archivo smb.conf.Como MSCHAPv2 no parece ser compatible con NTLMv2, túhacernecesita configurar lo siguiente en su smb.conf:
ntlm auth = mschapv2-and-ntlmv2-only
Citarla página de manual de smb.conf:
"Solo permita NTLMv1 cuando el cliente prometa que está proporcionando autenticación MSCHAPv2 (como la
ntlm_authherramienta)".
Sin embargo, con Sambas modernos y versiones recientes de Freeradius no es necesario habilitarlo ntlm_authexplícitamente, porqueFreeradius 3.0.8 y versiones más recientes pueden comunicarse directamente con Winbind. ¡Solo recuerda darle permisos de lectura para la tubería de Winbind! P.ej. en Debian se podría ejecutar setfacl -m u:freerad:rx /var/lib/samba/winbindd_privileged/.
En general, todos los cambios en la configuración del módulo mschap que hice para recibir Access-Accept en radtest -t mschap testaccount mypass 127.0.0.1 0 testing123una caja Debian Buster que ejecuta Samba como AD DC y Freeradius se encuentran en la siguiente diferencia:
diff --git a/freeradius/3.0/mods-available/mschap b/freeradius/3.0/mods-available/mschap
index d7efcb1..e297ed4 100644
--- a/freeradius/3.0/mods-available/mschap
+++ b/freeradius/3.0/mods-available/mschap
@@ -21,12 +21,12 @@ mschap {
# if mppe is enabled require_encryption makes
# encryption moderate
#
-# require_encryption = yes
+ require_encryption = yes
# require_strong always requires 128 bit key
# encryption
#
-# require_strong = yes
+ require_strong = yes
# The module can perform authentication itself, OR
# use a Windows Domain Controller. This configuration
@@ -81,8 +81,8 @@ mschap {
# or later to be installed. Make sure that ntlm_auth above is
# commented out.
#
-# winbind_username = "%{mschap:User-Name}"
-# winbind_domain = "%{mschap:NT-Domain}"
+ winbind_username = "%{mschap:User-Name}"
+ winbind_domain = "%{%{mschap:NT-Domain}:-MYDOMAIN}"
# When using single sign-on with a winbind connection and the
# client uses a different casing for the username than the
@@ -91,7 +91,7 @@ mschap {
# user in the correct casing in the backend, and retry
# authentication with that username.
#
-# winbind_retry_with_normalised_username = no
+ winbind_retry_with_normalised_username = yes
#
# Information for the winbind connection pool. The configuration
(Tenga en cuenta que winbind_retry_with_normalised_usernameprobablemente sea irrelevante en este contexto de prueba).
MYDOMAINes el nombre de dominio en la forma clásica NT4, no en la DOMAIN.TLDforma similar a Kerberos. Incluso si no está ejecutando Freeradius directamente en el DC, la configuración real del módulo mschap de Freeradius debería ser la misma, siempre y cuando el servidor se haya unido al dominio correctamente. Si el DC es Windows, entonces obviamente no hay smb.conf, pero la capacidad de usar NTLMv1 depende delnivel funcional del dominioysi el usuario pertenece a un grupo de usuarios protegido.
Tenga en cuenta que si se va a utilizar MSCHAPv2 para la autenticación Wi-Fi,sólo debe usarse dentro de túneles mutuamente autenticadospara protegerse contra puntos de acceso falsos. Para los tipos de EAP, consulteWikipediay para obtener un resumen de las restricciones del cliente, consulte la segunda respuesta en¿Por qué utilizarías EAP-TTLS en lugar de PEAP?
Respuesta2
La configuración ntlm auth = yesen la sección global de smb.conf lo "arregló". Me gustaría volver a prohibir ntlmv1, así que si alguien tiene una manera de hacer que esto funcione sin ntlmv1, publique su propia respuesta.