Active-Directory
FreeRADIUS mschap
按照本指南,我正在嘗試設置 FreeRADIUS 以針對 Active Directory 進行身份驗證。
Access-Accept
當我以明文形式發送密碼時(使用DEFAULT Auth-Type = ntlm_auth
方法),我可以收到一條消息;但是,我想使用 mschapv2,因此密碼不會以明文形式發送。當我做:
radtest -t mschap user pass 10.10.1.21 0 d34db33f
我得到:
Sending Access-Request Id 144 from 0.0.0.0:41971 to 10.10.1.21:1812 User-Name = 'user' NAS-IP-Address = 10.10.7.178 NAS-Port = 0 Message-Authenticator = 0x00 MS-CHAP-Challenge = 0xc118ac9d5a2fbfd0 MS-CHAP-Response = 0x00010000000000000000000000000000000000000000000000003f0b91a63532bc231468ae3034fa0788e64e28efa4832ecf Received Access-Reject Id 144 from 10.10.1.21:1812 to 10.10.7.178:41971 length 38 MS-CHAP-Error = '\000E=691 R=1' (0) Expected Access-Accept got Access-Reject
在伺服器上,如果我這樣做:
/usr/bin/ntlm_auth --request-nt-key --username=user --challenge=0xc118ac9d5a2fbfd0 --nt-response=0x00010000000000000000000000000000000000000000000000003f0b91a63532bc231468ae3034fa0788e64e28efa4832ecf
我得到:
Logon failure (0xc000006d)
在我看來,我在轉換為 mschap 時遇到了問題。我需要編輯什麼才能正確進行身份驗證?
原來我遇到的問題與 freerad 使用者無法訪問 winbind 套接字有關。更多資訊在這裡
引用:
Ubuntu (12.04) places the socket in /var/run/samba/winbindd_privileged The socket itself is owned root:root permissions s777 The directory is owned root:winbindd_privileged permissions 750 Adding the user freerad to the group winbindd_privileged did the trick.