[Samba] Using ntlm_auth to authenticate to an NTLMv2 AD

Alex Sharaz A.Sharaz at hull.ac.uk
Thu Mar 9 16:48:10 GMT 2006


Chaps,

I'm trying to get a radius server to authenticate to AD via the samba
ntlm_auth program.

I've just built samba vsn 3.0.21c with the following config parameters


./configure --with-pam --enable-socket-wrapper --with-ldapsam
--with-syslog --with-ldap --with-winbind

My smb.conf  has 

[global]
   workgroup = ADIR
   security = domain
   password server = 150.237.54.198
   realm = ADIR.HULL.AC.UK
   preferred master = no
   server string = Hull Comms support server
   security = ADS
   use spnego = yes
   encrypt passwords = yes
   log level = 3
   log file = /var/log/samba/%m
   max log size = 50
   winbind separator = +
   bind interfaces only =yes
   interfaces =150.237.47.22 127.0.0.1
   idmap gid = 10000-20000
   idmap uid = 10000-20000
   client NTLMv2 auth=yes

running 

/usr/local/bin/samba/ntlm_auth --username=fred --password=something
--domain=ADIR.HULL.AC.UK

works just fine
(See log from radius server)

BUT when the radius server invokes ntlm_auth I always get a wrong
password error.

Thu Mar  9 16:04:27 2006: INFO: Starting NtlmAuthProg: /usr/local/samba/bin/ntlm_auth --helper-protocol=ntlm-server-1
Thu Mar  9 16:04:27 2006: DEBUG: Passing attribute Request-User-Session-Key: Yes
Thu Mar  9 16:04:27 2006: DEBUG: Passing attribute Request-LanMan-Session-Key: Yes
Thu Mar  9 16:04:27 2006: DEBUG: Passing attribute LANMAN-Challenge: d5fa33d1b1953e0a
Thu Mar  9 16:04:27 2006: DEBUG: Passing attribute NT-Response: 9f135b59e47cdfa0c51535d78b57587e3ebfcc6e6a64ae90
Thu Mar  9 16:04:27 2006: DEBUG: Passing attribute NT-Domain:: QURJUi5IVUxMLkFDLlVL
Thu Mar  9 16:04:27 2006: DEBUG: Passing attribute Username:: Y2NzYXM=
Thu Mar  9 16:04:27 2006: DEBUG: Received attribute: Authenticated: No
Thu Mar  9 16:04:27 2006: DEBUG: Received attribute: Authentication-Error: Wrong Password
Thu Mar  9 16:04:27 2006: DEBUG: Received attribute: .
Thu Mar  9 16:04:27 2006: WARNING: NTLM Could not authenticate user: Wrong Password
Thu Mar  9 16:04:27 2006: DEBUG: Radius::AuthNTLM REJECT: AuthBy NTLM Password check failed: ccsas [ccsas]
Thu Mar  9 16:04:27 2006: DEBUG: AuthBy NTLM result: REJECT, AuthBy NTLM Password check failed
Thu Mar  9 16:04:27 2006: DEBUG: calling_station_hook:Access-Request called
Thu Mar  9 16:04:27 2006: DEBUG: calling_station_hook:exited
Thu Mar  9 16:04:27 2006: INFO: Access rejected for ccsas: AuthBy NTLM Password check failed
Thu Mar  9 16:04:27 2006: DEBUG: Converted EAP-MSCHAPV2 response Packet dump:



If we turn down the AD auth to use ntlm then authentication works o.k.

Running the following script 

#!/bin/sh
# Feed one ntlm-server-1 request to the helper on stdin; the lone "." ends the request.
/usr/local/samba/bin/ntlm_auth --helper-protocol=ntlm-server-1 <<EOF
Request-User-Session-Key: yes
Request-LanMan-Session-Key: yes
LANMAN-Challenge: d5fa33d1b1953e0a
NT-Response: 9f135b59e47cdfa0c51535d78b57587e3ebfcc6e6a64ae90
NT-Domain:: QURJUi5IVUxMLkFDLlVL
Username:: Y2NzYXM=
.
EOF

Also fails and gives the same wrong password message


Looking in the /var/log/samba/winbindd log file I see

[2006/03/09 16:28:55, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(454)
  [    0]: request interface version
[2006/03/09 16:28:55, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(487)
  [    0]: request location of privileged pipe
[2006/03/09 16:28:55, 3] nsswitch/winbindd_pam.c:winbindd_pam_auth_crap(519)
  [    0]: pam auth crap domain: [ADIR.HULL.AC.UK] user: ccsas
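As an added example (not part of the post above and not Samba's own code), a small Python parser and builder for the ntlm-server-1 request shown in the script: it decodes the base64 "::" attributes and classifies the NT-Response by length, where 24 bytes is the NTLMv1/MS-CHAPv2 form and anything longer is NTLMv2 (16-byte HMAC-MD5 plus client blob). The sample request is constructed from the values in the post; the length-based classification is this example's own check, not something ntlm_auth reports.

```python
import base64

# Constructed from the request body shown in the post; the lone "." ends it.
SAMPLE_REQUEST = """Request-User-Session-Key: yes
Request-LanMan-Session-Key: yes
LANMAN-Challenge: d5fa33d1b1953e0a
NT-Response: 9f135b59e47cdfa0c51535d78b57587e3ebfcc6e6a64ae90
NT-Domain:: QURJUi5IVUxMLkFDLlVL
Username:: Y2NzYXM=
.
"""


def parse_request(text):
    """Parse one ntlm-server-1 request into a dict.
    "Name:: value" carries base64 (decoded to str here); "Name: value" is plain."""
    attrs = {}
    for line in text.splitlines():
        if line == ".":
            break  # end-of-request marker
        if "::" in line:
            name, value = line.split("::", 1)
            attrs[name.strip()] = base64.b64decode(value.strip()).decode()
        elif ":" in line:
            name, value = line.split(":", 1)
            attrs[name.strip()] = value.strip()
    return attrs


def _b64(s):
    return base64.b64encode(s.encode()).decode()


def build_request(username, domain, challenge_hex, nt_response_hex):
    """Build a request in the same form; domain and username go out base64-encoded."""
    return (
        "Request-User-Session-Key: yes\n"
        "Request-LanMan-Session-Key: yes\n"
        f"LANMAN-Challenge: {challenge_hex}\n"
        f"NT-Response: {nt_response_hex}\n"
        f"NT-Domain:: {_b64(domain)}\n"
        f"Username:: {_b64(username)}\n.\n"
    )


def nt_response_kind(nt_response_hex):
    """24 bytes: NTLMv1-style response (what MS-CHAPv2 supplies); longer: NTLMv2."""
    n = len(bytes.fromhex(nt_response_hex))
    if n == 24:
        return "ntlmv1"
    return "ntlmv2" if n > 24 else "invalid"
```

Running parse_request on the post's request yields user ccsas in domain ADIR.HULL.AC.UK with a 24-byte NT-Response, i.e. the NTLMv1-style response MS-CHAPv2 produces.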
