[Samba] question about ntlm

L.P.H. van Belle belle at bazuin.nl
Wed Feb 15 14:24:28 UTC 2017


Hai, 

 

Since I'm still having problems reading man smb.conf about the NTLM settings, I'm asking here.

How do I allow NTLM auth for my proxy?

I have been playing around with:

 

        client NTLMv2 auth
        raw NTLMv2 auth
        ntlm auth
        lanman auth

 

I've added the proxy user to the winbind_privileged group and set the needed rights:

chgrp winbindd_priv /var/lib/samba/winbindd_privileged/
adduser proxy winbindd_priv

 

I'm trying to keep as much as possible to the default settings.

I'm testing the following:

 

ntlm_auth --request-nt-key --username=someTestUser
ntlm_auth --request-lm-key --username=someTestUser
ntlm_auth --username=someTestUser --ntlmv2
ntlm_auth --username=someTestUser --lanman
ntlm_auth --username=someTestUser --krb5auth=someTestUser
ntlm_auth --diagnostics --username=someTestUser
wbinfo -a someTestUser
wbinfo --krb5auth=someTestUser
wbinfo --krb5auth='NTDOM\someTestUser'
wbinfo --krb5auth='someTestUser@INTERNAL.DOMAIN.TLD'

 

 

Situation:

Samba AD DC 4.5.3

Config (left out the shares, the question is about auth):

[global]
        workgroup = NTDOM
        realm = INTERNAL.DOMAIN.TLD
        netbios name = DC1
        server role = active directory domain controller
        server services = -dns
        interfaces = 192.168.0.1 127.0.0.1
        bind interfaces only = yes
        time server = yes
        idmap_ldb:use rfc2307 = yes
        winbind nss info = rfc2307
        winbind expand groups = 4
        template shell = /bin/bash
        template homedir = /home/users/%U
        tls enabled = yes

 

My client setup:

Samba member 4.5.5 (and testing 4.5.3 also)

[global]
    workgroup = NTDOM
    security = ads
    realm = INTERNAL.DOMAIN.TLD
    netbios name = PROXY2
    preferred master = no
    domain master = no
    host msdfs = no
    interfaces = 192.168.0.2 127.0.0.1
    bind interfaces only = yes
    dns proxy = yes
    tls enabled = yes
    idmap config *:backend = tdb
    idmap config *:range = 2000-9999
    idmap config NTDOM : backend = ad
    idmap config NTDOM : schema_mode = rfc2307
    idmap config NTDOM : range = 10000-3999999
    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab
    winbind refresh tickets = yes
    winbind nss info = rfc2307
    winbind trusted domains only = no
    winbind offline logon = yes
    winbind expand groups = 4

 

 

Now I'm asking: where do we set what to make this work?

When I set in my proxy smb.conf

    lanman auth = yes
    raw NTLMv2 auth = yes
    ntlm auth = yes

I'm getting the same results as with the above but = no,

and I'm testing:

 

wbinfo -a "NTDOM\someTestUser"
Enter NTDOM\someTestUser's password:
plaintext password authentication succeeded
Enter NTDOM\someTestUser's password:
challenge/response password authentication failed
wbcAuthenticateUserEx(NTDOM\someTestUser): error code was NT_STATUS_WRONG_PASSWORD (0xc000006a)
error message was: Wrong Password
Could not authenticate user NTDOM\someTestUser with challenge/response

And same result for: wbinfo -a someTestUser@ROTTERDAM.BAZUIN.NL

 

If a default setting is like: client plaintext auth = no

why do I get: plaintext password authentication succeeded

 

What is missing in my setup? Or do I have to set up a less secure AD DC to make this work?

I'm still having a hard time figuring out if a setting is AD DC or member only, and man smb.conf isn't telling me what I need to know.

So I don't get it.  :-((  Help :-))

Any assistance here is very welcome.  ;-)

 

 

Greetz, 

 

Louis

 

 


