[RADIATOR] radiator Digest, Vol 30, Issue 1

David Zych dmrz at illinois.edu
Wed Nov 2 08:19:22 CDT 2011


Joy Veronneau wrote:
> Hi,
> I am stumped! I have implemented samba and MSCHAPv2 and everything works when running as user root. (Winbindd and radiator running as root.) But I need to run the radiator process as user "radiator". I also had to install samba in an alternate directory.
> 
> So, when running radiator and winbindd as "root" everything works including ntlm_auth from command line and also MSCHAPv2 connections through radiator. When running radiator and winbindd as user "radiator" ntlm_auth from command line works but MSCHAPv2 connection through radiator fails. The log file looks like this:
> 
...
> Mon Oct 31 10:50:03 2011: INFO: Starting NtlmAuthProg: /app/radius/samba/bin/ntlm_auth --helper-protocol=ntlm-server-1
...
>  As user radiator, this works:
> 
> /app/radius/samba/bin/ntlm_auth --request-nt-key --domain=CORNELL --username=jv11 --password=xxxxxxxxxx

I had exactly the same problem when I first set up radiator.  The gotcha is that for some reason ntlm_auth actually requires more special permissions to run with --helper-protocol=ntlm-server-1 than it does to do a simple auth check from the command line.

The best way to troubleshoot this is to invoke ntlm_auth from the command line in the same way that Radiator actually invokes it to do MS-CHAPv2.

For example, run

ntlm_auth --helper-protocol=ntlm-server-1

And then paste as input:

Username: yourusernamehere
NT-Domain: YOURDOMAINHERE
LANMAN-Challenge: 0102030405060708
NT-Response: 0102030405060708090A0B0C0D0E0F101112131415161718
.

(the dot on a line by itself followed by another newline tells the helper protocol that you're done entering attributes)

The desired output of this test, since the NT-Response value is completely bogus, is:

Authenticated: No
Authentication-Error: Wrong Password

What it said for me instead, the first time I tried it, was:

Authenticated: No
Authentication-Error: winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/cache/samba/winbindd_privileged are set correctly.

which pointed me to the problem.  The solution that worked for me was to change the group ownership of this directory (which will of course be in a different location for you):

chgrp radiator /var/cache/samba/winbindd_privileged

Note that (at least as of v3.0.33), samba is apparently very picky about this directory's permissions; changing the group is okay, but it must be owned by root and chmod 750 (drwxr-x---) in order to work.

Finally, I've attached a perl script I wrote that performs this same test using a *working* input file stored on disk (generated by running it once with --create and giving it a real username and password); you'll probably want to change the hardcoded location of this file ($queryfile) to make sense for your system.  On my radius servers I have a cron task which runs this script with -q every few minutes and automatically restarts winbind if it ever fails.  :)

Hope this helps!

David

P.S.  Caveat: I'm running radiator as a regular user, but I'm running winbind as root (launched via sudo).  It sounds like you're trying to avoid even that, so the chgrp may not be enough to solve your problem, but if not then hopefully my troubleshooting approach will still get you closer to understanding what's wrong.
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: ntlmtest
Url: http://www.open.com.au/pipermail/radiator/attachments/20111102/59c066c6/attachment.pl 
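A health check in the spirit of the cron task David describes, written as an added example (it is not the ntlmtest script attached to the post). It sends the same four attributes to ntlm_auth --helper-protocol=ntlm-server-1 that Radiator sends for MS-CHAPv2, parses the "Name: value" reply, and treats anything other than "Authenticated: No" plus "Wrong Password" for the deliberately bogus NT-Response as a helper fault (the winbindd_privileged permissions error from the post is one such fault). The ntlm_auth path, the sample attribute values and the -q flag are taken from the post; the function names, the placeholder values and the classification rules are assumptions of this example.

```python
#!/usr/bin/env python3
"""Check that ntlm_auth works in the helper-protocol mode Radiator uses.

Added example, not the script attached to the original post. Run it as the
same user Radiator runs as; a non-zero exit means the helper protocol is not
usable even if a plain ntlm_auth --username/--password check succeeds.
"""
import os
import subprocess
import sys

# Path quoted in the post; adjust for your installation.
NTLM_AUTH = "/app/radius/samba/bin/ntlm_auth"

# Constructed placeholder query. The NT-Response is deliberately bogus, so the
# expected (healthy) answer is "Authenticated: No" / "Wrong Password".
BOGUS_QUERY = {
    "Username": "yourusernamehere",
    "NT-Domain": "YOURDOMAINHERE",
    "LANMAN-Challenge": "0102030405060708",
    "NT-Response": "0102030405060708090A0B0C0D0E0F101112131415161718",
}


def build_request(attrs):
    """Render the request block for --helper-protocol=ntlm-server-1:
    one 'Name: value' line per attribute, terminated by a lone '.' line."""
    lines = [f"{name}: {value}" for name, value in attrs.items()]
    return "\n".join(lines) + "\n.\n"


def parse_response(text):
    """Turn the helper's 'Name: value' reply lines into a dict."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line == ".":
            continue
        name, sep, value = line.partition(":")
        if sep:
            fields[name.strip()] = value.strip()
    return fields


def classify(fields, expect_success):
    """Return (ok, reason).

    expect_success=True  : a stored query with a real password; healthy means
                           'Authenticated: Yes'.
    expect_success=False : the bogus query above; healthy means winbind was
                           reached and rejected it with 'Wrong Password'.
    Any other reply (permission errors, winbind down) is a helper fault.
    """
    auth = fields.get("Authenticated", "")
    err = fields.get("Authentication-Error", "")
    if expect_success:
        if auth == "Yes":
            return True, "authenticated"
        return False, err or f"unexpected reply: {fields}"
    if auth == "No" and err == "Wrong Password":
        return True, "helper reachable, bogus response correctly rejected"
    return False, err or f"unexpected reply: {fields}"


def run_helper(ntlm_auth, attrs, timeout=10):
    """Invoke ntlm_auth exactly as Radiator does and return the parsed reply."""
    proc = subprocess.run(
        [ntlm_auth, "--helper-protocol=ntlm-server-1"],
        input=build_request(attrs),
        capture_output=True, text=True, timeout=timeout, check=False,
    )
    return parse_response(proc.stdout)


def main(argv):
    """Exit 0 when the helper is healthy, 1 on a helper fault, 2 if not found.
    -q suppresses output, as with the script described in the post."""
    quiet = "-q" in argv
    if not os.access(NTLM_AUTH, os.X_OK):
        if not quiet:
            print(f"ntlm_auth not executable at {NTLM_AUTH}")
        return 2
    ok, reason = classify(run_helper(NTLM_AUTH, BOGUS_QUERY), expect_success=False)
    if not quiet:
        print(("OK: " if ok else "FAIL: ") + reason)
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

To mirror the cron setup, run it with -q from a job that restarts winbind when the exit status is non-zero; to check a stored real query instead of the bogus one, call classify(..., expect_success=True) and expect "Authenticated: Yes".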