
I am trying to set up authentication with FreeRADIUS 3 using the MS-CHAP authentication protocol. I have set up my Active Directory. It works:

$ ntlm_auth --request-nt-key --username=admin --password=Qwerty01 --domain=DOMAIN.LOCAL
NT_STATUS_OK: The operation completed successfully. (0x0)

However, I cannot authenticate using radtest:

$ radtest -t mschap admin Qwerty01 localhost 0 testing123
Sent Access-Request Id 232 from 0.0.0.0:51847 to 127.0.0.1:1812 length 131
    User-Name = "admin"
    MS-CHAP-Password = "Qwerty01"
    NAS-IP-Address = 127.0.0.1
    NAS-Port = 0
    Message-Authenticator = 0x00
    Cleartext-Password = "Qwerty01"
    MS-CHAP-Challenge = 0x044d30abb8866f26
    MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000803c721e5b12ff86836a1873e1c0f62d18e2c054b83c940f
Received Access-Reject Id 232 from 127.0.0.1:1812 to 127.0.0.1:51847 length 61
    MS-CHAP-Error = "\000E=691 R=1 C=f25227a7f4150df5 V=2"
(0) -: Expected Access-Accept got Access-Reject

Here is my FreeRADIUS log:

...
(1)   authenticate {
(1) mschap: Client is using MS-CHAPv1 with NT-Password
(1) mschap: Executing: /bin/ntlm_auth --request-nt-key --allow-mschapv2 --username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-DOMAIN.LOCAL} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}:
(1) mschap: EXPAND --username=%{mschap:User-Name:-None}
(1) mschap:    --> --username=admin
(1) mschap: ERROR: No NT-Domain was found in the User-Name
(1) mschap: EXPAND --domain=%{%{mschap:NT-Domain}:-DOMAIN.LOCAL}
(1) mschap:    --> --domain=DOMAIN.LOCAL
(1) mschap: mschap1: 04
(1) mschap: EXPAND --challenge=%{mschap:Challenge:-00}
(1) mschap:    --> --challenge=044d30abb8866f26
(1) mschap: EXPAND --nt-response=%{mschap:NT-Response:-00}
(1) mschap:    --> --nt-response=803c721e5b12ff86836a1873e1c0f62d18e2c054b83c940f
(1) mschap: ERROR: Program returned code (1) and output 'Reading winbind reply failed! (0xc0000001)'
(1) mschap: ERROR: Reading winbind reply failed! (0xc0000001)
(1) mschap: Authentication failed
...

1 Answer


If you haven't already done so, you need to grant your radius user permission to the /var/lib/samba/winbindd_privileged folder. Example:

setfacl -m u:radiusd:rx winbindd_privileged
Answered 2020-04-21T01:52:21.087
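The distinguishing detail in the question's log is that ntlm_auth was invoked with the right user, domain, challenge and NT-Response, yet returned "Reading winbind reply failed!", which is a winbindd connectivity problem from the radiusd process rather than a credential problem; the answer's ACL on winbindd_privileged addresses exactly that. The following triage script is an added example and is not part of the question, the answer, or FreeRADIUS itself. It parses the `mschap:` debug lines shown above (embedded as sample input copied from the question), extracts the expanded ntlm_auth arguments, and maps the ntlm_auth output to a category and a first thing to check. The `KNOWN_OUTPUTS` table is an assumption of this example: the winbind entry is the page's case, the two NT_STATUS entries are other outputs ntlm_auth can print and are included only to show the general pattern.

```python
import re

# Sample FreeRADIUS debug output, copied from the question above (the lines
# this triage logic inspects; the full log in the question has a few more).
SAMPLE_LOG = """\
(1)   authenticate {
(1) mschap: Client is using MS-CHAPv1 with NT-Password
(1) mschap: EXPAND --username=%{mschap:User-Name:-None}
(1) mschap:    --> --username=admin
(1) mschap: ERROR: No NT-Domain was found in the User-Name
(1) mschap: EXPAND --domain=%{%{mschap:NT-Domain}:-DOMAIN.LOCAL}
(1) mschap:    --> --domain=DOMAIN.LOCAL
(1) mschap: EXPAND --challenge=%{mschap:Challenge:-00}
(1) mschap:    --> --challenge=044d30abb8866f26
(1) mschap: EXPAND --nt-response=%{mschap:NT-Response:-00}
(1) mschap:    --> --nt-response=803c721e5b12ff86836a1873e1c0f62d18e2c054b83c940f
(1) mschap: ERROR: Program returned code (1) and output 'Reading winbind reply failed! (0xc0000001)'
(1) mschap: Authentication failed
"""

# "(N) mschap: <message>" lines from the FreeRADIUS debug output.
LINE_RE = re.compile(r"^\((?P<req>\d+)\) mschap:\s+(?P<msg>.*)$")
# Expanded ntlm_auth arguments, e.g. "--> --username=admin".
EXPAND_RE = re.compile(r"^-->\s+--(?P<opt>[a-z-]+)=(?P<val>.*)$")
# Exit code and stdout of the ntlm_auth call.
PROGRAM_RE = re.compile(
    r"^ERROR: Program returned code \((?P<code>\d+)\) and output '(?P<out>.*)'$"
)

# Assumed mapping (example's own table) from the start of the ntlm_auth output
# to a category and the first thing a defender should verify.
KNOWN_OUTPUTS = {
    "Reading winbind reply failed!": (
        "winbind-socket",
        "radiusd could not talk to winbindd: check that the radiusd user may "
        "enter the winbindd_privileged directory (ACL or group membership)",
    ),
    "NT_STATUS_WRONG_PASSWORD": (
        "bad-credentials",
        "the NT-Response did not verify: a credential problem, not a setup problem",
    ),
    "NT_STATUS_NO_SUCH_USER": (
        "unknown-user",
        "the account does not exist in the domain ntlm_auth was pointed at",
    ),
}


def classify(output):
    """Map ntlm_auth's output line to (category, hint)."""
    if output is None:
        return "no-ntlm_auth-error", "ntlm_auth did not report an error"
    for prefix, (category, hint) in KNOWN_OUTPUTS.items():
        if output.startswith(prefix):
            return category, hint
    return "unclassified", "unrecognised ntlm_auth output; read it verbatim"


def triage_mschap(log_text):
    """Return {request_id: summary} for every request with mschap lines."""
    requests = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an rlm_mschap line
        req = requests.setdefault(m.group("req"), {
            "args": {}, "warnings": [], "exit_code": None, "output": None,
            "rejected": False, "category": None, "hint": None,
        })
        msg = m.group("msg").strip()
        e = EXPAND_RE.match(msg)
        if e:
            req["args"][e.group("opt")] = e.group("val")
            continue
        if msg == "ERROR: No NT-Domain was found in the User-Name":
            # Logged as ERROR but not fatal: the %{...:-DOMAIN} default applies.
            req["warnings"].append("no NT-Domain in User-Name; default domain used")
            continue
        p = PROGRAM_RE.match(msg)
        if p:
            req["exit_code"] = int(p.group("code"))
            req["output"] = p.group("out")
            continue
        if msg == "Authentication failed":
            req["rejected"] = True
    for req in requests.values():
        req["category"], req["hint"] = classify(req["output"])
    return requests


if __name__ == "__main__":
    for rid, info in triage_mschap(SAMPLE_LOG).items():
        print(f"request {rid}: {info['category']} -> {info['hint']}")
        print(f"  ntlm_auth args: {info['args']}")
        for w in info["warnings"]:
            print(f"  note: {w}")
```

Running it on the question's log prints the `winbind-socket` category with the directory check as the hint, and lists the expanded arguments so you can confirm the user, domain and challenge that reached ntlm_auth match what the client sent; the "No NT-Domain" line is reported as a note because the expansion fell back to DOMAIN.LOCAL as intended.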