[Samba] ntlm_auth to AD with only ntlmv2 enabled failing

Mary Stevens stevens3 at uiuc.edu
Thu Apr 26 20:51:57 GMT 2007


Hello,

We have samba 3.0.23 installed. We are using free radius to take
authentication requests from a nortel vpn server and using ntlm_auth
trying to authenticate users against AD.

This setup works fine when on the AD side ntlmv1 and ntlmv2 are enabled
(i.e. users can authenticate).

However, when only ntlmv2 is enabled users are unable to authenticate.
I have searched various places and while I have seen a couple of other
questions about getting this to work, I haven't found any answers.


When I have the radius server in debug mode I see the following when just
ntlmv2 is enabled on the AD side:

  rad_check_password:  Found Auth-Type MS-CHAP
auth: type "MS-CHAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group MS-CHAP for request 0
  rlm_mschap: No User-Password configured.  Cannot create LM-Password.
  rlm_mschap: No User-Password configured.  Cannot create NT-Password.
  rlm_mschap: Told to do MS-CHAPv2 for stevens3 with NT-Password
radius_xlat: Running registered xlat function of module mschap for string 'Challenge'
 mschap2: f0
radius_xlat: Running registered xlat function of module mschap for string 'NT-Response'
radius_xlat:  '/usr/bin/ntlm_auth -debug=10 --logfile=/tmp --request-nt-key --domain=adtest --username=stevens3 --challenge=3316410b7682eede --nt-response=b929ed540a9705a79165ae8bc8b11f3c039f3a8100d81c3e'
Exec-Program: /usr/bin/ntlm_auth -debug=10 --logfile=/tmp --request-nt-key --domain=adtest --username=stevens3 --challenge=3316410b7682eede --nt-response=b929ed540a9705a79165ae8bc8b11f3c039f3a8100d81c3e
[2007/04/26 13:23:50, 5] lib/debug.c:debug_dump_status(391)
  INFO: Current debug levels:
    all: True/10
    tdb: False/0
    printdrivers: False/0
    lanman: False/0
    smb: False/0
    rpc_parse: False/0
    rpc_srv: False/0
    rpc_cli: False/0
    passdb: False/0
    sam: False/0
    auth: False/0
    winbind: False/0
    vfs: False/0
    idmap: False/0
    quota: False/0
    acls: False/0
    locking: False/0
    msdfs: False/0
    dmapi: False/0
Exec-Program output: Logon failure (0xc000006d)
Exec-Program-Wait: plaintext: Logon failure (0xc000006d)
Exec-Program: returned: 1
  rlm_mschap: External script failed.
  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
  modcall[authenticate]: module "mschap" returns reject for request 0
modcall: leaving group MS-CHAP (returns reject) for request 0
auth: Failed to validate the user.
Login incorrect: [stevens3] (from client nortelnew port 47)
Delaying request 0 for 1 seconds


In the smb.conf file I have
	client NTLMv2 auth = yes

In the radiusd.conf file the ntlm_auth line looks like (all as one line in the
file, but the mail reader is breaking it up):
                ntlm_auth = "/usr/bin/ntlm_auth -debug=10 --logfile=/tmp
--request-nt-key --domain=adtest
--username=%{Stripped-User-Name:-%{User-Name:-None}}
--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"

I have also tried in the radiusd.conf file
	with_ntdomain_hack = no
and
	with_ntdomain_hack = yes
It didn't make any difference.


With the radius server in debug mode, I see the following when both ntlmv1
and ntlmv2 are enabled on the AD side (i.e. a successful auth):
modcall[authorize]: module "auth_log" returns ok for request 1
  rlm_mschap: Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
  modcall[authorize]: module "mschap" returns ok for request 1
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 1
    users: Matched entry DEFAULT at line 29
  modcall[authorize]: module "files" returns ok for request 1
modcall: leaving group authorize (returns ok) for request 1
  Found Autz-Type UIUCnet-Autz
  Processing the authorize section of radiusd.conf
modcall: entering group UIUCnet-Autz for request 1
  modcall[authorize]: module "mysql_block" returns notfound for request 1
  modcall[authorize]: module "ccso_ph" returns ok for request 1
modcall: leaving group UIUCnet-Autz (returns ok) for request 1
  rad_check_password:  Found Auth-Type MS-CHAP
auth: type "MS-CHAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group MS-CHAP for request 1
  rlm_mschap: No User-Password configured.  Cannot create LM-Password.
  rlm_mschap: No User-Password configured.  Cannot create NT-Password.
  rlm_mschap: Told to do MS-CHAPv2 for stevens3 with NT-Password
radius_xlat: Running registered xlat function of module mschap for string 'Challenge'
 mschap2: 9d
radius_xlat: Running registered xlat function of module mschap for string 'NT-Response'
radius_xlat:  '/usr/bin/ntlm_auth -debug=10 --logfile=/tmp --request-nt-key --domain=adtest --username=stevens3 --challenge=08cb598bb48bab8c --nt-response=202fa7d944da7715ef8bf23a0b1b3d08d91345e2e26344da'
Exec-Program: /usr/bin/ntlm_auth -debug=10 --logfile=/tmp --request-nt-key --domain=adtest --username=stevens3 --challenge=08cb598bb48bab8c --nt-response=202fa7d944da7715ef8bf23a0b1b3d08d91345e2e26344da
[2007/04/26 14:36:52, 5] lib/debug.c:debug_dump_status(391)
  INFO: Current debug levels:
    all: True/10
    tdb: False/0
    printdrivers: False/0
    lanman: False/0
    smb: False/0
    rpc_parse: False/0
    rpc_srv: False/0
    rpc_cli: False/0
    passdb: False/0
    sam: False/0
    auth: False/0
    winbind: False/0
    vfs: False/0
    idmap: False/0
    quota: False/0
    acls: False/0
    locking: False/0
    msdfs: False/0
    dmapi: False/0
Exec-Program output: NT_KEY: 55766444E6C4E3016575DE3819ABDED0
Exec-Program-Wait: plaintext: NT_KEY: 55766444E6C4E3016575DE3819ABDED0
Exec-Program: returned: 0
rlm_mschap: adding MS-CHAPv2 MPPE keys
  modcall[authenticate]: module "mschap" returns ok for request 1
modcall: leaving group MS-CHAP (returns ok) for request 1
Login OK: [stevens3] (from client nortelnew port 63)
  Processing the post-auth section of radiusd.conf
modcall: entering group post-auth for request 1
radius_xlat:  '/services/ct-radius/run/var/log/radius/radacct/192.17.144.2/reply-detail-20070426'
rlm_detail: /services/ct-radius/run/var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d expands to /services/ct-radius/run/var/log/radius/radacct/192.17.144.2/reply-detail-20070426
  modcall[post-auth]: module "reply_log" returns ok for request 1
modcall: leaving group post-auth (returns ok) for request 1
Sending Access-Accept of id 39 to 192.17.144.2 port 3925
        MS-CHAP2-Success = 0x02533d44373432433938333844454143414630314135434633413437363433363142464138313937314638
        MS-MPPE-Recv-Key = 0xdc756f09359a7d521ae376189c6c4449
        MS-MPPE-Send-Key = 0x237c89f4e9decfb9031e36f073218ba2
        MS-MPPE-Encryption-Policy = 0x00000002
        MS-MPPE-Encryption-Types = 0x00000004
Finished request 1



Any clues which might get this working would be appreciated.  From the
docs it seems like this should be working.

Thanks
mary stevens
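To show what the two arguments in the failing ntlm_auth command actually carry, here is an added example (not part of the post, Samba or FreeRADIUS) that reproduces the MS-CHAPv2 challenge hash and NT-Response of RFC 2759 in Go, using that RFC's published section 9.2 test vectors rather than the poster's values (her password is not on the page): the 8-byte --challenge is a SHA-1 hash, and the 24-byte --nt-response is the NTLMv1 DES construction, which is what a DC restricted to NTLMv2 refuses.

```go
package main

import (
	"crypto/des"
	"crypto/sha1"
	"encoding/hex"
	"fmt"
)

// challengeHash (RFC 2759 s.8.2): first 8 bytes of SHA1(Peer||Authenticator||User).
// This is the 8-byte value rlm_mschap hands to ntlm_auth as --challenge.
func challengeHash(peer, auth []byte, user string) []byte {
	h := sha1.New()
	h.Write(peer); h.Write(auth); h.Write([]byte(user))
	return h.Sum(nil)[:8]
}

// desKey spreads 7 key bytes over 8 (parity bits zero; crypto/des ignores them).
func desKey(k []byte) []byte {
	return []byte{k[0], k[0]<<7 | k[1]>>1, k[1]<<6 | k[2]>>2, k[2]<<5 | k[3]>>3,
		k[3]<<4 | k[4]>>4, k[4]<<3 | k[5]>>5, k[5]<<2 | k[6]>>6, k[6] << 1}
}

// ntResponse (RFC 2759 s.8.5): zero-pad the NT hash to 21 bytes, split into three
// 7-byte DES keys, encrypt the challenge under each. Byte for byte this is the
// NTLMv1 NT-response, so a DC that refuses NTLMv1 also refuses it (0xc000006d).
func ntResponse(challenge, ntHash []byte) []byte {
	padded := append(append([]byte{}, ntHash...), 0, 0, 0, 0, 0)
	out := make([]byte, 0, 24)
	for i := 0; i < 21; i += 7 {
		c, _ := des.NewCipher(desKey(padded[i : i+7])) // 8-byte key: never errors
		block := make([]byte, 8)
		c.Encrypt(block, challenge)
		out = append(out, block...)
	}
	return out
}

func mustHex(s string) []byte { b, err := hex.DecodeString(s); if err != nil { panic(err) }; return b }

// main reproduces the RFC 2759 s.9.2 test vectors (user "User", password
// "clientPass"): published values, not the poster's.
func main() {
	auth := mustHex("5B5D7C7D7B3F2F3E3C2C602132262628")
	peer := mustHex("21402324255E262A28295F2B3A337C7E")
	nt := mustHex("44EBBA8D5312B8D611474411F56989AE")
	ch := challengeHash(peer, auth, "User")
	fmt.Printf("--challenge=%x --nt-response=%x\n", ch, ntResponse(ch, nt))
}
```

The argument lengths match the debug output above: 16 hex digits for --challenge and 48 for --nt-response, and it is this NTLMv1-format pair that winbind forwards to the DC for verification.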