[Samba] Using ntlm_auth to authenticate to an NTLMv2 AD
Alex Sharaz
A.Sharaz at hull.ac.uk
Thu Mar 9 16:48:10 GMT 2006
Chaps,
I'm trying to get a radius server to authenticate to AD via the samba
ntlm_auth program.
I've just built samba vsn 3.0.21c with the following config parameters
./configure --with-pam --enable-socket-wrapper --with-ldapsam
--with-syslog --with-ldap --with-winbind
My smb.conf has
[global]
workgroup = ADIR
security = domain
password server = 150.237.54.198
realm = ADIR.HULL.AC.UK
preferred master = no
server string = Hull Comms support server
security = ADS
use spnego = yes
encrypt passwords = yes
log level = 3
log file = /var/log/samba/%m
max log size = 50
winbind separator = +
bind interfaces only = yes
interfaces = 150.237.47.22 127.0.0.1
idmap gid = 10000-20000
idmap uid = 10000-20000
client NTLMv2 auth = yes
Running
/usr/local/bin/samba/ntlm_auth --username=fred --password=something
--domain=ADIR.HULL.AC.UK
works just fine.
(See log from radius server)
BUT when the radius server invokes ntlm_auth I always get a wrong
password error.
Thu Mar 9 16:04:27 2006: INFO: Starting NtlmAuthProg:
/usr/local/samba/bin/ntlm_auth --helper-protocol=ntlm-server-1
Thu Mar 9 16:04:27 2006: DEBUG: Passing attribute
Request-User-Session-Key: Yes
Thu Mar 9 16:04:27 2006: DEBUG: Passing attribute
Request-LanMan-Session-Key: Yes
Thu Mar 9 16:04:27 2006: DEBUG: Passing attribute LANMAN-Challenge:
d5fa33d1b1953e0a
Thu Mar 9 16:04:27 2006: DEBUG: Passing attribute NT-Response:
9f135b59e47cdfa0c51535d78b57587e3ebfcc6e6a64ae90
Thu Mar 9 16:04:27 2006: DEBUG: Passing attribute NT-Domain::
QURJUi5IVUxMLkFDLlVL
Thu Mar 9 16:04:27 2006: DEBUG: Passing attribute Username:: Y2NzYXM=
Thu Mar 9 16:04:27 2006: DEBUG: Received attribute: Authenticated: No
Thu Mar 9 16:04:27 2006: DEBUG: Received attribute:
Authentication-Error: Wrong Password
Thu Mar 9 16:04:27 2006: DEBUG: Received attribute: .
Thu Mar 9 16:04:27 2006: WARNING: NTLM Could not authenticate user:
Wrong Password
Thu Mar 9 16:04:27 2006: DEBUG: Radius::AuthNTLM REJECT: AuthBy NTLM
Password check failed: ccsas [ccsas]
Thu Mar 9 16:04:27 2006: DEBUG: AuthBy NTLM result: REJECT, AuthBy NTLM
Password check failed
Thu Mar 9 16:04:27 2006: DEBUG: calling_station_hook:Access-Request
called
Thu Mar 9 16:04:27 2006: DEBUG: calling_station_hook:exited
Thu Mar 9 16:04:27 2006: INFO: Access rejected for ccsas: AuthBy NTLM
Password check failed
Thu Mar 9 16:04:27 2006: DEBUG: Converted EAP-MSCHAPV2 response Packet
dump:
If we turn down the AD auth to use ntlm then authentication works o.k.
Running the following script (the heredoc is fed to ntlm_auth on stdin; the
trailing "." terminates the request, and the "::" fields are base64-encoded)
#!/bin/sh
/usr/local/samba/bin/ntlm_auth --helper-protocol=ntlm-server-1 <<EOF
Request-User-Session-Key: yes
Request-LanMan-Session-Key: yes
LANMAN-Challenge: d5fa33d1b1953e0a
NT-Response: 9f135b59e47cdfa0c51535d78b57587e3ebfcc6e6a64ae90
NT-Domain:: QURJUi5IVUxMLkFDLlVL
Username:: Y2NzYXM=
.
EOF
also fails and gives the same wrong password message.
Looking in the /var/log/samba/winbindd log file I see
[2006/03/09 16:28:55, 3]
nsswitch/winbindd_misc.c:winbindd_interface_version(454)
[ 0]: request interface version
[2006/03/09 16:28:55, 3]
nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(487)
[ 0]: request location of privileged pipe
[2006/03/09 16:28:55, 3]
nsswitch/winbindd_pam.c:winbindd_pam_auth_crap(519)
[ 0]: pam auth crap domain: [ADIR.HULL.AC.UK] user: ccsas
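As an added worked example (not part of the original post, and not Samba's own code), here is a small Python module that speaks the ntlm-server-1 helper protocol shown in the log above: it builds a request with the "Name: value" / "Name:: base64" line convention, parses the helper's reply up to the "." terminator, and checks the shape of the NT-Response. The sample values are the ones quoted in the post; the ntlm_auth path is assumed to be /usr/local/samba/bin/ntlm_auth as in the post, and run_ntlm_auth() is only invoked if that binary exists, so everything else runs offline.

```python
import base64
import os
import subprocess
from typing import Dict, Union

# Constructed sample values, copied from the exchange quoted in the post above.
SAMPLE_CHALLENGE_HEX = "d5fa33d1b1953e0a"
SAMPLE_NT_RESPONSE_HEX = "9f135b59e47cdfa0c51535d78b57587e3ebfcc6e6a64ae90"
SAMPLE_DOMAIN = "ADIR.HULL.AC.UK"
SAMPLE_USER = "ccsas"

# Assumed install location, as in the post; adjust for your build.
NTLM_AUTH = "/usr/local/samba/bin/ntlm_auth"


def encode_field(name: str, value: Union[str, bytes]) -> str:
    """One request line in ntlm-server-1 form.

    ntlm_auth reads 'Name: value'. A double colon, 'Name:: <base64>', marks a
    base64-encoded value; that is how the log above carries NT-Domain and
    Username, and how names with spaces or non-ASCII bytes survive the
    line-based protocol.
    """
    if isinstance(value, bytes):
        return f"{name}:: {base64.b64encode(value).decode('ascii')}"
    return f"{name}: {value}"


def build_request(username: str, domain: str, challenge_hex: str,
                  nt_response_hex: str, want_session_keys: bool = True) -> str:
    """Assemble one authentication request; a lone '.' line terminates it."""
    lines = []
    if want_session_keys:
        lines.append(encode_field("Request-User-Session-Key", "yes"))
        lines.append(encode_field("Request-LanMan-Session-Key", "yes"))
    lines.append(encode_field("LANMAN-Challenge", challenge_hex))
    lines.append(encode_field("NT-Response", nt_response_hex))
    lines.append(encode_field("NT-Domain", domain.encode("utf-8")))
    lines.append(encode_field("Username", username.encode("utf-8")))
    lines.append(".")
    return "\n".join(lines) + "\n"


def parse_response(text: str) -> Dict[str, str]:
    """Parse the helper's reply up to its '.' terminator, decoding '::' values."""
    fields: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line == ".":
            break
        if not line:
            continue
        if ":: " in line:  # base64 value; must be tested before the ': ' case
            name, b64 = line.split(":: ", 1)
            fields[name] = base64.b64decode(b64).decode("utf-8", "replace")
        elif ": " in line:
            name, val = line.split(": ", 1)
            fields[name] = val
    return fields


def is_authenticated(fields: Dict[str, str]) -> bool:
    return fields.get("Authenticated") == "Yes"


def classify_nt_response(nt_response_hex: str) -> str:
    """Tell an NTLMv1-shaped response from an NTLMv2 one by length.

    MS-CHAPv2 (and classic NTLMv1) produce a fixed 24-byte NT-Response from an
    8-byte challenge. An NTLMv2 response is a 16-byte HMAC-MD5 followed by a
    variable-length blob, so it is always longer than 24 bytes.
    """
    n = len(bytes.fromhex(nt_response_hex))
    if n == 24:
        return "ntlmv1"
    if n > 24:
        return "ntlmv2"
    return "invalid"


def run_ntlm_auth(request: str, path: str = NTLM_AUTH) -> Dict[str, str]:
    """Feed a request to the real helper (needs a joined box with winbindd)."""
    proc = subprocess.run([path, "--helper-protocol=ntlm-server-1"],
                          input=request, capture_output=True, text=True, check=False)
    return parse_response(proc.stdout)


if __name__ == "__main__":
    req = build_request(SAMPLE_USER, SAMPLE_DOMAIN, SAMPLE_CHALLENGE_HEX, SAMPLE_NT_RESPONSE_HEX)
    print(req, end="")
    print("NT-Response shape:", classify_nt_response(SAMPLE_NT_RESPONSE_HEX))
    if os.path.exists(NTLM_AUTH):
        print(run_ntlm_auth(req))
```

The length check is the practical caveat here: a single 8-byte LANMAN-Challenge plus a 24-byte NT-Response, as in the log, is the MS-CHAPv2 (NTLMv1-style) shape that EAP-MSCHAPv2 always produces, regardless of the "client NTLMv2 auth" setting, which only affects Samba's own outbound logons. A domain controller configured to accept NTLMv2 only cannot verify that response, and ntlm_auth reports the failure as "Wrong Password".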