MSCHAPv2 authentication not working
I have been fighting with this for about a week. I am trying to get a RADIUS server to authenticate against our Samba-based Active Directory, but I cannot get it working. Because of our infrastructure, PAP will not work. Because AD does not provide a known-good plaintext password, CHAP will not work. So that leaves MSCHAP.
The RADIUS server is on its own VM. That VM is joined to the domain via Winbind. I have the following in /etc/raddb/mods-available/mschap:

```
$ cat /etc/raddb/mods-available/mschap | grep -Ev '^\s*(#|$)'
mschap {
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
    winbind_username = "%{mschap:User-Name}"
    winbind_domain = "[domain]"
    winbind_retry_with_normalised_username = yes
    pool {
        start = ${thread[pool].start_servers}
        min = ${thread[pool].min_spare_servers}
        max = ${thread[pool].max_servers}
        spare = ${thread[pool].max_spare_servers}
        uses = 0
        retry_delay = 30
        lifetime = 86400
        cleanup_interval = 300
        idle_timeout = 600
    }
}
```
When a client tries to authenticate, the relevant `radiusd -X` output is:

```
Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on auth address :: port 1812 bound to server default
Listening on acct address :: port 1813 bound to server default
Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Ready to process requests
(0) Received Access-Request Id 22 from 192.168.6.179:43922 to 192.168.6.192:1812 length 180
(0) Service-Type = Framed-User
(0) Framed-Protocol = PPP
(0) NAS-Port = 15728668
(0) NAS-Port-Type = Virtual
(0) User-Name = "duncan"
(0) Calling-Station-Id = "192.168.6.100"
(0) Called-Station-Id = "192.168.6.179"
(0) MS-CHAP-Challenge = 0x7fd91ada13b38b1800f2f5c1b9a107e4
(0) MS-CHAP2-Response = 0x01000ff84b43a7f4d54b20da108b5f6a76480000000000000000b366008c649fc36a4a9bfb044f65dc8daf3aee10ad679141
(0) NAS-Identifier = "MikroTik"
(0) NAS-IP-Address = 192.168.6.179
(0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(0) authorize {
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]*@/ ) {
(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /@\./) {
(0) if (&User-Name =~ /@\./) -> FALSE
(0) } # if (&User-Name) = notfound
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
(0) [mschap] = ok
(0) [digest] = noop
(0) files: users: Matched entry DEFAULT at line 181
(0) [files] = ok
(0) [expiration] = noop
(0) [logintime] = noop
(0) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type
(0) pap: WARNING: Authentication will fail unless a "known good" password is available
(0) [pap] = noop
(0) } # authorize = ok
(0) Found Auth-Type = mschap
(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(0) authenticate {
(0) mschap: Creating challenge hash with username: duncan
(0) mschap: Client is using MS-CHAPv2
(0) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}:
(0) mschap: EXPAND --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
(0) mschap: --> --username=duncan
(0) mschap: Creating challenge hash with username: duncan
(0) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00}
(0) mschap: --> --challenge=6c2a06548de859d5
(0) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00}
(0) mschap: --> --nt-response=b366008c649fc36a4a9bfb044f65dc8daf3aee10ad679141
(0) mschap: ERROR: Program returned code (1) and output 'Logon failure (0xc000006d)'
(0) mschap: External script failed
(0) mschap: ERROR: External script says: Logon failure (0xc000006d)
(0) mschap: ERROR: MS-CHAP2-Response is incorrect
(0) [mschap] = reject
(0) } # authenticate = reject
(0) Failed to authenticate the user
(0) Using Post-Auth-Type Reject
(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(0) Post-Auth-Type REJECT {
(0) attr_filter.access_reject: EXPAND %{User-Name}
(0) attr_filter.access_reject: --> duncan
(0) attr_filter.access_reject: Matched entry DEFAULT at line 11
(0) [attr_filter.access_reject] = updated
(0) } # Post-Auth-Type REJECT = updated
(0) Delaying response for 1.000000 seconds
Waking up in 0.6 seconds.
Waking up in 0.3 seconds.
(0) Sending delayed response
(0) Sent Access-Reject Id 22 from 192.168.6.192:1812 to 192.168.6.179:43922 length 103
(0) MS-CHAP-Error = "\001E=691 R=1 C=06f7ce6fa5be464d72e8def2f9634910 V=3 M=Authentication rejected"
Waking up in 3.9 seconds.
(0) Cleaning up request packet ID 22 with timestamp +8
Ready to process requests
```
And the Samba output at log level 5:

```
[2018/03/19 11:13:13.166062, 3] ../libcli/auth/schannel_state_tdb.c:190(schannel_fetch_session_key_tdb)
  schannel_fetch_session_key_tdb: restored schannel info key SECRETS/SCHANNEL/GS-RADIUS
[2018/03/19 11:13:13.166160, 3] ../source4/auth/ntlm/auth.c:271(auth_check_password_send)
  auth_check_password_send: Checking password for unmapped user [AD]\[duncan]@[\\GS-RADIUS]
[2018/03/19 11:13:13.166171, 5] ../source4/auth/ntlm/auth_util.c:57(map_user_info_cracknames)
  map_user_info_cracknames: Mapping user [AD]\[duncan] from workstation [\\GS-RADIUS]
  auth_check_password_send: mapped user is: [AD]\[duncan]@[\\GS-RADIUS]
[2018/03/19 11:13:13.166994, 5] ../source4/auth/ntlm/auth.c:67(auth_get_challenge)
  auth_get_challenge: returning previous challenge by module netr_LogonSamLogonWithFlags (normal)
[2018/03/19 11:13:13.167006, 5] ../lib/util/util.c:555(dump_data)
  [0000] 2D F2 C3 E3 15 05 ED 58   -......X
[2018/03/19 11:13:13.167502, 2] ../libcli/auth/ntlm_check.c:424(ntlm_password_check)
  ntlm_password_check: NTLMv1 passwords NOT PERMITTED for user duncan
[2018/03/19 11:13:13.167518, 3] ../libcli/auth/ntlm_check.c:431(ntlm_password_check)
  ntlm_password_check: NEITHER LanMan nor NT password supplied for user duncan
[2018/03/19 11:13:13.167630, 5] ../source4/dsdb/common/util.c:5252(dsdb_update_bad_pwd_count)
  Not updating badPwdCount on CN=duncan,CN=Users,DC=ad,DC=goldblattsystems,DC=com after wrong password
[2018/03/19 11:13:13.167656, 2] ../source4/auth/ntlm/auth.c:430(auth_check_password_recv)
  auth_check_password_recv: sam_ignoredomain authentication for user [AD\duncan] FAILED with error NT_STATUS_WRONG_PASSWORD
[2018/03/19 11:13:13.348906, 3] ../source4/smbd/service_stream.c:66(stream_terminate_connection)
  Terminating connection - 'ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[2018/03/19 11:13:13.348929, 3] ../source4/smbd/process_single.c:114(single_terminate)
  single_terminate: reason[ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
```
What is causing this, and how do I fix it?
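The two traces in the question describe the same failure from two sides: FreeRADIUS only sees `Logon failure (0xc000006d)` and sends back MS-CHAP error 691, while the DC log records the policy that actually fired (`NTLMv1 passwords NOT PERMITTED`). The script below is an added example for this thread, not FreeRADIUS or Samba code: it pulls the error code, retry flag and NT status out of a `radiusd -X` trace, pulls the refusal reason out of the Samba log, and merges them into one verdict. The two sample inputs are trimmed, constructed copies of the lines quoted above; the error-code table is the one in RFC 2759.

```python
"""Correlate a FreeRADIUS `radiusd -X` trace with the Samba DC log to explain an MS-CHAPv2 reject.

Added example for this thread; it is not FreeRADIUS or Samba code. The two samples are
trimmed copies of the lines quoted in the question."""
import re

# Constructed sample: the lines from the radiusd -X output that carry the verdict.
RADIUSD_TRACE = """\
(0) mschap: Client is using MS-CHAPv2
(0) mschap: ERROR: Program returned code (1) and output 'Logon failure (0xc000006d)'
(0) mschap: ERROR: MS-CHAP2-Response is incorrect
(0) [mschap] = reject
(0) MS-CHAP-Error = "\\001E=691 R=1 C=06f7ce6fa5be464d72e8def2f9634910 V=3 M=Authentication rejected"
"""

# Constructed sample: the two Samba log records that say *why* the DC refused.
SAMBA_LOG = """\
[2018/03/19 11:13:13.167502, 2] ../libcli/auth/ntlm_check.c:424(ntlm_password_check)
  ntlm_password_check: NTLMv1 passwords NOT PERMITTED for user duncan
[2018/03/19 11:13:13.167656, 2] ../source4/auth/ntlm/auth.c:430(auth_check_password_recv)
  auth_check_password_recv: sam_ignoredomain authentication for user [AD\\duncan] FAILED with error NT_STATUS_WRONG_PASSWORD
"""

# MS-CHAP failure codes from RFC 2759 section 6; 691 is the generic "bad credentials" reply.
MSCHAP_ERRORS = {
    646: "ERROR_RESTRICTED_LOGON_HOURS",
    647: "ERROR_ACCT_DISABLED",
    648: "ERROR_PASSWD_EXPIRED",
    649: "ERROR_NO_DIALIN_PERMISSION",
    691: "ERROR_AUTHENTICATION_FAILURE",
    709: "ERROR_CHANGING_PASSWORD",
}

_RE_MSCHAP_ERR = re.compile(r"MS-CHAP-Error = .*?E=(\d+) R=(\d)")
_RE_NTLM_AUTH_STATUS = re.compile(r"Logon failure \((0x[0-9a-fA-F]+)\)")
_RE_NTLMV1_REFUSED = re.compile(r"NTLMv1 passwords NOT PERMITTED for user (\S+)")
_RE_DC_STATUS = re.compile(r"FAILED with error (NT_STATUS_\w+)")


def parse_radiusd(trace):
    """MS-CHAP error code, whether the NAS may let the client retry (R=1), and ntlm_auth's NT status."""
    out = {"code": None, "name": None, "retry_allowed": None, "ntlm_auth_status": None}
    m = _RE_MSCHAP_ERR.search(trace)
    if m:
        out["code"] = int(m.group(1))
        out["name"] = MSCHAP_ERRORS.get(out["code"], "UNKNOWN")
        out["retry_allowed"] = m.group(2) == "1"
    m = _RE_NTLM_AUTH_STATUS.search(trace)
    if m:
        out["ntlm_auth_status"] = m.group(1).lower()
    return out


def parse_samba(log):
    """The DC-side reason: the RADIUS reply only carries 691, the DC log says which policy fired."""
    out = {"user": None, "dc_status": None, "ntlmv1_refused": False}
    m = _RE_NTLMV1_REFUSED.search(log)
    if m:
        out["user"], out["ntlmv1_refused"] = m.group(1), True
    m = _RE_DC_STATUS.search(log)
    if m:
        out["dc_status"] = m.group(1)
    return out


def triage(trace, log):
    """Merge both views and state the most likely cause."""
    result = {**parse_radiusd(trace), **parse_samba(log)}
    if result["ntlmv1_refused"]:
        result["verdict"] = ("DC policy refused the NTLMv1-style NT-Response that MS-CHAPv2 produces; "
                             "the password itself was never compared")
    elif result["code"] == 691:
        result["verdict"] = "generic credential failure; check the password and the user/domain mapping"
    else:
        result["verdict"] = "no known pattern matched; read the full trace"
    return result


if __name__ == "__main__":
    for key, value in triage(RADIUSD_TRACE, SAMBA_LOG).items():
        print(f"{key}: {value}")
```

Running it on real output means feeding the whole `radiusd -X` transcript and the DC's log file; the regexes only look for the lines that matter, so the surrounding noise is harmless. The point it makes is that 691 on the RADIUS side is never diagnostic on its own; the DC log is where the reason lives.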
Setting `ntlm auth = yes` in the global section of smb.conf "fixed" it. I would like to go back to disallowing NTLMv1, so if anyone has a way to make it work without NTLMv1, please post your own answer.
You need neither the `ntlm_auth` line in /etc/raddb/mods-available/mschap enabled nor `ntlm auth = yes` in smb.conf. Since MSCHAPv2 does not seem to support NTLMv2, you need to set the following in your smb.conf:

```
ntlm auth = mschapv2-and-ntlmv2-only
```

"Allow NTLMv1 only when the client promises to provide MSCHAPv2 authentication (for example the `ntlm_auth` tool)." However, with modern Sambas and recent versions of FreeRADIUS you do not need `ntlm_auth` enabled explicitly, because FreeRADIUS 3.0.8 and newer can talk to Winbind directly. Just remember to give it permission to read the Winbind pipe! For example, on Debian you can run `setfacl -m u:freerad:rx /var/lib/samba/winbindd_privileged/`.

```
radtest -t mschap testaccount mypass 127.0.0.1 0 testing123
```
In summary, all the changes to the mschap module configuration that I made to get an Access-Accept from a Debian Buster machine running Samba as an AD DC together with FreeRADIUS are in the following diff:

```diff
diff --git a/freeradius/3.0/mods-available/mschap b/freeradius/3.0/mods-available/mschap index d7efcb1..e297ed4 100644 --- a/freeradius/3.0/mods-available/mschap +++ b/freeradius/3.0/mods-available/mschap @@ -21,12 +21,12 @@ mschap { # if mppe is enabled require_encryption makes # encryption moderate # -# require_encryption = yes + require_encryption = yes # require_strong always requires 128 bit key # encryption # -# require_strong = yes + require_strong = yes # The module can perform authentication itself, OR # use a Windows Domain Controller. This configuration @@ -81,8 +81,8 @@ mschap { # or later to be installed. Make sure that ntlm_auth above is # commented out. # -# winbind_username = "%{mschap:User-Name}" -# winbind_domain = "%{mschap:NT-Domain}" + winbind_username = "%{mschap:User-Name}" + winbind_domain = "%{%{mschap:NT-Domain}:-MYDOMAIN}" # When using single sign-on with a winbind connection and the # client uses a different casing for the username than the @@ -91,7 +91,7 @@ mschap { # user in the correct casing in the backend, and retry # authentication with that username. # -# winbind_retry_with_normalised_username = no + winbind_retry_with_normalised_username = yes # # Information for the winbind connection pool. The configuration
```
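Review bot: the first hunk (`@@ -21,12 +21,12 @@`) enables `require_encryption = yes` and `require_strong = yes`, which the surrounding comments describe as requiring MPPE with a 128-bit key; that has nothing to do with obtaining the Access-Accept the answer is about, and any client that cannot negotiate 128-bit MPPE will now be rejected, so either state why those two are needed here or leave them at their commented-out defaults.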
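Review bot: the comment kept as context in the second hunk (`@@ -81,8 +81,8 @@`) says "Make sure that ntlm_auth above is commented out", but the diff never shows the `ntlm_auth` line, so the reader cannot tell whether it is still active; confirm it is commented out in the resulting file, and treat `MYDOMAIN` in `winbind_domain = "%{%{mschap:NT-Domain}:-MYDOMAIN}"` as a placeholder to replace with the NT4-style short domain name before deploying.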
(Note that `winbind_retry_with_normalised_username` may be irrelevant to this test environment.) `MYDOMAIN` is the domain name in classic NT4 form, not the Kerberos-like `DOMAIN.TLD` form. Even if you are not running FreeRADIUS directly on the DC, the actual mschap module configuration for FreeRADIUS should still be the same as long as the server is properly joined to the domain. If the DC is Windows, there is obviously no smb.conf, but whether NTLMv1 can be used depends on the domain functional level and on whether the user belongs to the Protected Users group. Note that if MSCHAPv2 is going to be used for Wi-Fi authentication, it should only be used inside a mutually authenticated tunnel to prevent rogue access points. For EAP types see Wikipedia, and for a summary of client limitations see "Why use EAP-TTLS instead of PEAP?"