[Samba] question about ntlm
L.P.H. van Belle
belle at bazuin.nl
Wed Feb 15 14:24:28 UTC 2017
Hi,
Since I'm still having problems reading man smb.conf about the NTLM settings, I'm asking here.
How do I allow NTLM auth for my proxy?
I have been playing around with:
client NTLMv2 auth
raw NTLMv2 auth
ntlm auth
lanman auth
I've added the proxy user to the winbind_privileged group
and set the needed rights:
chgrp winbindd_priv /var/lib/samba/winbindd_privileged/
adduser proxy winbindd_priv
I'm trying to keep as much as possible to the default settings.
I'm testing the following:
ntlm_auth --request-nt-key --username=someTestUser
ntlm_auth --request-lm-key --username=someTestUser
ntlm_auth --username=someTestUser --ntlmv2
ntlm_auth --username=someTestUser --lanman
ntlm_auth --username=someTestUser --krb5auth=someTestUser
ntlm_auth --diagnostics --username=someTestUser
wbinfo -a someTestUser
wbinfo --krb5auth=someTestUser
wbinfo --krb5auth='NTDOM\someTestUser'
wbinfo --krb5auth='someTestUser@ INTERNAL.DOMAIN.TLD'
Situation:
Samba AD DC 4.5.3
Config (left out the shares, the question is about auth):
[global]
workgroup = NTDOM
realm = INTERNAL.DOMAIN.TLD
netbios name = DC1
server role = active directory domain controller
server services = -dns
interfaces = 192.168.0.1 127.0.0.1
bind interfaces only = yes
time server = yes
idmap_ldb:use rfc2307 = yes
winbind nss info = rfc2307
winbind expand groups = 4
template shell = /bin/bash
template homedir = /home/users/%U
tls enabled = yes
My client setup:
Samba member 4.5.5 (and testing 4.5.3 also)
[global]
workgroup = NTDOM
security = ads
realm = INTERNAL.DOMAIN.TLD
netbios name = PROXY2
preferred master = no
domain master = no
host msdfs = no
interfaces = 192.168.0.2 127.0.0.1
bind interfaces only = yes
dns proxy = yes
tls enabled = yes
idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config NTDOM : backend = ad
idmap config NTDOM : schema_mode = rfc2307
idmap config NTDOM : range = 10000-3999999
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
winbind refresh tickets = yes
winbind nss info = rfc2307
winbind trusted domains only = no
winbind offline logon = yes
winbind expand groups = 4
Now I'm asking: where do we set what to make this work?
When I set in my proxy smb.conf:
lanman auth = yes
raw NTLMv2 auth = yes
ntlm auth = yes
I'm getting the same results as above but with = no,
and I'm testing:
wbinfo -a "NTDOM\someTestUser"
Enter NTDOM\someTestUser's password:
plaintext password authentication succeeded
Enter NTDOM\someTestUser's password:
challenge/response password authentication failed
wbcAuthenticateUserEx(NTDOM\someTestUser): error code was NT_STATUS_WRONG_PASSWORD (0xc000006a)
error message was: Wrong Password
Could not authenticate user NTDOM\someTestUser with challenge/response
And the same result for: wbinfo -a someTestUser@ROTTERDAM.BAZUIN.NL
If a default setting is like: client plaintext auth = no,
why do I get: plaintext password authentication succeeded?
What is missing in my setup? Or do I have to set up a less secure AD DC to make this work?
I'm still having a hard time figuring out if a setting is AD DC or member only, and man smb.conf isn't telling me what I need to know.
So I don't get it. :-(( Help :-))
Any assistance here is very welcome. ;-)
Greetz,
Louis
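As a defender's aid for the LM/NTLM parameters Louis lists (lanman auth, ntlm auth, raw NTLMv2 auth, client NTLMv2 auth, client plaintext auth), here is an added example in Python; it is not from the post or from the Samba project. It parses the [global] section of an smb.conf the way Samba matches parameter names (case and whitespace ignored, so "idmap config NTDOM : backend" works) and reports which of those parameters are explicitly set to the weaker value; unset parameters are deliberately not judged, because their defaults depend on the Samba version (testparm -v prints the effective values), and the sample config is constructed from the post's member config plus the three lines Louis says he tried.

```python
import re

def norm(name: str) -> str:  # Samba matches parameter names ignoring case/whitespace
    return re.sub(r"\s+", "", name).lower()

def parse_global(text: str) -> dict:
    """Map normalised parameter name -> raw value, [global] section only."""
    params, in_global = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            in_global = norm(line[1:-1]) == "global"
        elif in_global and "=" in line:
            key, value = line.split("=", 1)
            params[norm(key)] = value.strip()
    return params

def to_bool(value: str):  # Samba booleans: yes/true/1/on, no/false/0/off
    v = value.strip().lower()
    return (True if v in ("yes", "true", "1", "on")
            else False if v in ("no", "false", "0", "off") else None)

# LM/NTLM parameters from the post: (value that weakens auth, why).
AUTH_PARAMS = {
    "lanman auth": (True, "server accepts LANMAN responses"),
    "ntlm auth": (True, "server accepts NTLMv1 responses"),
    "raw NTLMv2 auth": (True, "NTLMv2 accepted from SMB1 clients without SPNEGO"),
    "client plaintext auth": (True, "client may send plaintext passwords"),
    "client NTLMv2 auth": (False, "client falls back to NTLMv1"),
}

def audit(text: str) -> list:
    """(name, value, verdict) per explicitly set parameter; unset ones are skipped."""
    params, report = parse_global(text), []
    for name, (weak_value, reason) in AUTH_PARAMS.items():
        if norm(name) in params:
            value, parsed = params[norm(name)], to_bool(params[norm(name)])
            verdict = ("unparsed" if parsed is None
                       else "weak: " + reason if parsed == weak_value else "ok")
            report.append((name, value, verdict))
    return report

# Constructed sample: part of the member [global] from the post plus the three
# lines the poster tried; the [share] section shows that it is ignored.
SAMPLE = """[global]
    idmap config NTDOM : backend = ad
    lanman auth = yes
    raw NTLMv2 auth = yes
    ntlm auth = yes
[share]
    lanman auth = no
"""
```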