grep "^nameserver" /etc/resolv.conf.tmp | sudo tee -a /etc/resolv.conf
fi
-# Allow non TLS LDAP connections to Samba
-sudo sed -i 's/\[global\]/\[global\]\n\tldap server require strong auth = no/' /etc/samba/smb.conf
+# Allow non TLS LDAP connections to Samba and NTLM for MSCHAP auth
+sudo sed -i 's/\[global\]/\[global\]\n\tldap server require strong auth = no\n\tntlm auth = yes/' /etc/samba/smb.conf
# Create user for testing winbind auth
sudo /usr/bin/samba-tool user create aduser secret_123
--- /dev/null
+#
+# Test the "mschap" module
+#
+
+# Don't test mschap if MSCHAP_TEST_SERVER ENV is not set - this indicates winbind is available
+mschap_require_test_server := 1
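Review bot: The comment on the line above the flag is ambiguous — "if MSCHAP_TEST_SERVER ENV is not set - this indicates winbind is available" leaves it unclear whether "this" refers to the variable being set or unset, and the flag name `mschap_require_test_server` suggests the opposite reading (tests run only when a server is present). If the intent is "run only when a winbind is reachable", reword to `# Skip the mschap tests unless MSCHAP_TEST_SERVER is set in the environment; setting it signals that a winbind daemon is available for the mschap_winbind test.` Note that nothing in this hunk ties the flag to the MSCHAP_TEST_SERVER variable, so that mapping is presumably made by the shared test makefile outside this file — worth confirming, since the winbind unlang test relies on this gate being effective.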
--- /dev/null
+#
+# Input Packet
+#
+Packet-Type = Access-Request
+User-Name = "john"
+NAS-IP-Address = 127.0.0.1
+Vendor-Specific.Microsoft.CHAP-Response = 0x000100000000000000000000000000000000000000000000000016c32819add27b3d29f6866506e6cc6548f50b6429518579
+Vendor-Specific.Microsoft.CHAP-Challenge = 0x696bcaff8f8bef29
+
+#
+# Expected answer
+#
+Packet-Type == Access-Accept
+Vendor-Specific.Microsoft.MPPE-Encryption-Policy == Encryption-Allowed
+Vendor-Specific.Microsoft.MPPE-Encryption-Types == RC4-40or128-bit-Allowed
+
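Review bot: Only the MS-CHAPv1 path is exercised by this packet — it carries `CHAP-Response` and `CHAP-Challenge` with a flags byte of `0x01`, while the module config in the same change maps `CHAP2-Response`/`CHAP2-Success` that no test input ever sends. If the goal is to cover the module rather than a single code path, a sibling packet file with `Vendor-Specific.Microsoft.CHAP2-Response` (with its peer challenge) and an expected `Vendor-Specific.Microsoft.CHAP2-Success` in the reply would catch regressions in the v2 authenticator-response generation, which v1 cannot. The expected section also pins only the MPPE policy/type attributes; the key material itself is not asserted here, so a wrong key derivation would still pass as long as some key attribute is emitted.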
--- /dev/null
+&control.Password.Cleartext := "supersecret"
+
+mschap
+
+if !(&control.Auth-Type == mschap) {
+ test_fail
+}
+
+mschap.authenticate
+
+if !(&reply.Vendor-Specific.Microsoft.CHAP-MPPE-Keys) {
+ test_fail
+}
+
+&reply -= &Vendor-Specific.Microsoft.CHAP-MPPE-Keys
+
+test_pass
+
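Review bot: The `&reply -= &Vendor-Specific.Microsoft.CHAP-MPPE-Keys` line discards the one attribute whose value actually depends on the key-derivation code, so after the presence check the test proves the module emitted keys but not that they are correct. Because the challenge in the packet and the `supersecret` cleartext password are both fixed, the derived MPPE keys are deterministic; comparing them against a value recorded from a known-good run before stripping them — e.g. `if !(&reply.Vendor-Specific.Microsoft.CHAP-MPPE-Keys == <recorded value>) { test_fail }` — would turn this into a real regression test for the key derivation. A short comment above the removal stating why the keys are stripped (presumably so the packet-file comparison does not have to carry them) would also help the next reader.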
--- /dev/null
+#
+# Input Packet
+#
+Packet-Type = Access-Request
+User-Name = 'EXAMPLE\aduser'
+NAS-IP-Address = 127.0.0.1
+Vendor-Specific.Microsoft.CHAP-Response = 0x0001000000000000000000000000000000000000000000000000553aa92b9b20dba13953035b7ca0a8f6eb198ea6076f8b2a
+Vendor-Specific.Microsoft.CHAP-Challenge = 0xe2d04a33fec38c11
+
+#
+# Expected answer
+#
+Packet-Type == Access-Accept
+
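Review bot: The expected section asserts only `Packet-Type == Access-Accept`, unlike the local-auth test, which also pins the MPPE encryption policy and types; the companion unlang clears the whole reply list, so nothing else can be asserted here. If that was deliberate, a one-line comment such as `# Reply attributes are cleared by the unlang test; only the accept is checked here` would make the asymmetry intentional rather than an oversight. The username `EXAMPLE\aduser` also implicitly tests domain parsing from User-Name, which deserves a mention since the module config derives the winbind domain from that field.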
--- /dev/null
+&control.Password.Cleartext := 'secret_123'
+
+mschap_winbind
+
+if !(&control.Auth-Type == mschap_winbind) {
+ test_fail
+}
+
+mschap_winbind.authenticate {
+ reject = 1
+}
+
+#
+# Depending on host permissions, we may not be able to talk to winbind
+# Handle false failures
+#
+if (&Module-Failure-Message[*] == 'mschap_winbind: Unable to contact winbind!') {
+ test_pass
+ return
+}
+
+if !(&reply.Vendor-Specific.Microsoft.CHAP-MPPE-Keys) {
+ test_fail
+}
+
+&reply := {}
+
+test_pass
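Review bot: The block at `if (&Module-Failure-Message[*] == 'mschap_winbind: Unable to contact winbind!')` turns the exact failure this test exists to detect into a pass, so a CI host where winbind is down, or where the `ntlm auth = yes` Samba change did not take effect, reports green with nothing exercised. Since the test is already gated at build time by the `mschap_require_test_server` flag introduced in this change, the branch should probably be `test_fail` (or at least emit a visible skip), rather than `test_pass` followed by `return`. Separately, `&control.Password.Cleartext := 'secret_123'` on the first line may be redundant or even counterproductive: if rlm_mschap prefers a locally available cleartext password over the configured winbind lookup, the winbind path is never reached — a comment stating which authentication path this test expects to take would resolve that, and I cannot tell from this hunk alone.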
--- /dev/null
+authenticate mschap {
+ mschap
+}
+
+authenticate mschap_winbind {
+ mschap
+}
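Review bot: The `authenticate mschap_winbind { mschap }` section invokes the plain `mschap` instance rather than `mschap_winbind`, so if the server dispatches on the `Auth-Type` the test checks (`&control.Auth-Type == mschap_winbind`), the winbind-backed instance is bypassed and authentication is done locally against the cleartext password. This looks like a copy-paste of the section above; the body should read `mschap_winbind`. A one-line comment on each section noting which module instance it is meant to exercise would make this kind of mismatch obvious on review.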
--- /dev/null
+mschap {
+
+ attributes {
+ username = &User-Name
+ chap_challenge = &Vendor-Specific.Microsoft.CHAP-Challenge
+ chap_response = &Vendor-Specific.Microsoft.CHAP-Response
+ chap2_response = &Vendor-Specific.Microsoft.CHAP2-Response
+ chap2_success = &Vendor-Specific.Microsoft.CHAP2-Success
+ chap_error = &Vendor-Specific.Microsoft.CHAP-Error
+ chap_mppe_keys = &Vendor-Specific.Microsoft.CHAP-MPPE-Keys
+ mppe_recv_key = &Vendor-Specific.Microsoft.MPPE-Recv-Key
+ mppe_send_key = &Vendor-Specific.Microsoft.MPPE-Send-Key
+ mppe_encryption_policy = &Vendor-Specific.Microsoft.MPPE-Encryption-Policy
+ mppe_encryption_types = &Vendor-Specific.Microsoft.MPPE-Encryption-Types
+ chap2_cpw = &Vendor-Specific.Microsoft.CHAP2-CPW
+ }
+}
+
+mschap mschap_winbind {
+ winbind {
+ username = %mschap(User-Name)
+ domain = %mschap(Domain-Name)
+ }
+ attributes {
+ username = &User-Name
+ chap_challenge = &Vendor-Specific.Microsoft.CHAP-Challenge
+ chap_response = &Vendor-Specific.Microsoft.CHAP-Response
+ chap2_response = &Vendor-Specific.Microsoft.CHAP2-Response
+ chap2_success = &Vendor-Specific.Microsoft.CHAP2-Success
+ chap_error = &Vendor-Specific.Microsoft.CHAP-Error
+ chap_mppe_keys = &Vendor-Specific.Microsoft.CHAP-MPPE-Keys
+ mppe_recv_key = &Vendor-Specific.Microsoft.MPPE-Recv-Key
+ mppe_send_key = &Vendor-Specific.Microsoft.MPPE-Send-Key
+ mppe_encryption_policy = &Vendor-Specific.Microsoft.MPPE-Encryption-Policy
+ mppe_encryption_types = &Vendor-Specific.Microsoft.MPPE-Encryption-Types
+ chap2_cpw = &Vendor-Specific.Microsoft.CHAP2-CPW
+ }
+
+}
+
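Review bot: The twelve-line `attributes { … }` block in `mschap mschap_winbind` is a verbatim copy of the one in the `mschap` instance above it, which is a maintenance hazard in a config meant to document how the module is wired; if the module supplies these mappings as defaults, both copies can be dropped, and if not, a comment such as `# attribute mapping identical to the "mschap" instance above; keep in sync` should sit at the top of the second copy. In the `winbind` sub-section, `domain = %mschap(Domain-Name)` derives the domain from the request's User-Name, so the client chooses which domain winbind is asked about — fine for a test fixture, but worth stating in a comment so this file is not copied into a production configuration unchanged.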