遵循本指南,我正在尝试设置 FreeRADIUS 以针对 Active Directory 进行身份验证。Access-Accept当我以纯文本形式发送密码时(使用方法DEFAULT Auth-Type = ntlm_auth),我可以收到一条消息;但是,我想使用 mschapv2,这样密码就不会以纯文本形式发送。
当我做:
radtest -t mschap user pass 10.10.1.21 0 d34db33f
我得到:
Sending Access-Request Id 144 from 0.0.0.0:41971 to 10.10.1.21:1812
User-Name = 'user'
NAS-IP-Address = 10.10.7.178
NAS-Port = 0
Message-Authenticator = 0x00
MS-CHAP-Challenge = 0xc118ac9d5a2fbfd0
MS-CHAP-Response = 0x00010000000000000000000000000000000000000000000000003f0b91a63532bc231468ae3034fa0788e64e28efa4832ecf
Received Access-Reject Id 144 from 10.10.1.21:1812 to 10.10.7.178:41971 length 38
MS-CHAP-Error = '\000E=691 R=1'
(0) Expected Access-Accept got Access-Reject
在服务器上,如果我这样做:
/usr/bin/ntlm_auth --request-nt-key --username=user --challenge=0xc118ac9d5a2fbfd0 --nt-response=0x00010000000000000000000000000000000000000000000000003f0b91a63532bc231468ae3034fa0788e64e28efa4832ecf
我得到:
Logon failure (0xc000006d)
我觉得我在转换为 mschap 时遇到了问题。我需要编辑什么才能正确进行身份验证?
答案1
事实证明,我遇到的问题与 freerad 用户无法访问 winbind 套接字有关。更多信息这里
引用:
Ubuntu (12.04) places the socket in /var/run/samba/winbindd_privileged
The socket itself is owned root:root permissions s777
The directory is owned root:winbindd_privileged permissions 750
Adding the user freerad to the group winbindd_privileged did the trick.