[Samba] question about ntlm

Vinicius Bones Silva vbs at e-trust.com.br
Wed Feb 15 14:48:02 UTC 2017


1) Does the user you are running wbinfo with have access to the winbind_privileged folder?
2) Does running "wbinfo --ntlmv2 -a 'DOMAIN\sometestuser'" change the response you get?

On 15/02/2017 12:24, L.P.H. van Belle via samba wrote:
> Hai,
>
> Since I'm still having problems reading the man smb.conf about the NTLM settings, I'm asking here.
>
> How do I allow NTLM auth for my proxy?
>
> I have been playing around with:
>
>          client NTLMv2 auth
>          raw NTLMv2 auth
>          ntlm auth
>          lanman auth
>
> I've added the proxy user to the winbind_privileged group
> and did set the needed rights.
>
> chgrp winbindd_priv /var/lib/samba/winbindd_privileged/
> adduser proxy winbindd_priv
>
> I'm trying to keep as much as possible to the default settings.
> I'm testing the following:
>
> ntlm_auth --request-nt-key --username=someTestUser
> ntlm_auth --request-lm-key --username=someTestUser
> ntlm_auth --username=someTestUser --ntlmv2
> ntlm_auth --username=someTestUser --lanman
> ntlm_auth --username=someTestUser --krb5auth=someTestUser
> ntlm_auth --diagnostics --username=someTestUser
> wbinfo -a someTestUser
> wbinfo --krb5auth=someTestUser
> wbinfo --krb5auth='NTDOM\someTestUser'
> wbinfo --krb5auth='someTestUser@INTERNAL.DOMAIN.TLD'
>
> Situation:
> Samba AD DC 4.5.3
> Config: (left out the shares, the question is about auth)
>
> [global]
>          workgroup = NTDOM
>          realm = INTERNAL.DOMAIN.TLD
>          netbios name = DC1
>          server role = active directory domain controller
>          server services = -dns
>          interfaces = 192.168.0.1 127.0.0.1
>          bind interfaces only = yes
>          time server = yes
>          idmap_ldb:use rfc2307 = yes
>          winbind nss info = rfc2307
>          winbind expand groups = 4
>          template shell = /bin/bash
>          template homedir = /home/users/%U
>          tls enabled = yes
>
> My client setup:
> Samba member 4.5.5 (and testing 4.5.3 also)
>
> [global]
>      workgroup = NTDOM
>      security = ads
>      realm = INTERNAL.DOMAIN.TLD
>      netbios name = PROXY2
>      preferred master = no
>      domain master = no
>      host msdfs = no
>      interfaces = 192.168.0.2 127.0.0.1
>      bind interfaces only = yes
>      dns proxy = yes
>      tls enabled = yes
>      idmap config *:backend = tdb
>      idmap config *:range = 2000-9999
>      idmap config NTDOM : backend = ad
>      idmap config NTDOM : schema_mode = rfc2307
>      idmap config NTDOM : range = 10000-3999999
>      dedicated keytab file = /etc/krb5.keytab
>      kerberos method = secrets and keytab
>      winbind refresh tickets = yes
>      winbind nss info = rfc2307
>      winbind trusted domains only = no
>      winbind offline logon = yes
>      winbind expand groups = 4
>
> Now I'm asking, where do we set what to make this work?
>
> When I set in my proxy smb.conf
>      lanman auth = yes
>      raw NTLMv2 auth = yes
>      ntlm auth = yes
> I'm getting the same results as with the above but = no.
>
> and I'm testing:
>
> wbinfo -a "NTDOM\someTestUser"
> Enter NTDOM\someTestUser's password:
> plaintext password authentication succeeded
> Enter NTDOM\someTestUser's password:
> challenge/response password authentication failed
> wbcAuthenticateUserEx(NTDOM\someTestUser): error code was NT_STATUS_WRONG_PASSWORD (0xc000006a)
> error message was: Wrong Password
> Could not authenticate user NTDOM\someTestUser with challenge/response
>
> And same result for: wbinfo -a someTestUser@ROTTERDAM.BAZUIN.NL
>
> If a default setting is like: client plaintext auth = no
> why do I get: plaintext password authentication succeeded
>
> What is missing in my setup? Or do I have to set up a less secure AD DC to make this work?
> I'm still having a hard time figuring out if a setting is AD DC or member only, and man smb.conf isn't telling me what I need to know.
>
> so I don't get it.  :-((  Help :-))
>
> Any assistance here is very welcome.  ;-)
>
> Greetz,
>
> Louis

-- 

Vinicius Silva
SOC


BRA: + 55 51 2117.1000 | 55 11 5521.2021
USA: + 1 888 259.5801
vbs at e-trust.com.br
skype: vinicius.bones.silva
www.e-trust.com.br <http://www.e-trust.com.br/>



This message may contain privileged and confidential information for the use of the 
intended recipients only. If you are not an intended recipient then you should not 
disseminate, copy, or take any action based on its contents. If you have received this 
message in error then please notify E-TRUST by sending an e-mail message to 
suporte at e-trust.com.br immediately. Views and opinions expressed in this message do not 
necessarily reflect the position of E-TRUST. If this message is digitally signed, its 
authenticity can be confirmed by E-TRUST Private Certificate Authority, available at 
www.e-trust.com.br.
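The two questions in the reply above are easy to get wrong by eye, so here is a small POSIX shell script, added as an example for this page and not code from the thread or from the Samba project, that makes both checks repeatable on a domain member. It assumes the Debian/Samba default layout that Louis' mail uses: the privileged pipe directory is /var/lib/samba/winbindd_privileged, owned by root with group winbindd_priv and mode 0750 (drwxr-x---), and it relies on GNU `stat -c` and on wbinfo's documented `--ntlmv2` and `--lanman` switches. The function names and the environment-variable overrides are this example's own inventions.

```shell
#!/bin/sh
# Added example (not from the thread): make the two checks from the reply
# repeatable on a Samba domain member.
# Assumptions: Debian/Samba default paths and group (overridable via env),
# GNU coreutils stat, and wbinfo from the samba-winbind package.

WINBIND_PRIV_DIR="${WINBIND_PRIV_DIR:-/var/lib/samba/winbindd_privileged}"
WINBIND_PRIV_GROUP="${WINBIND_PRIV_GROUP:-winbindd_priv}"

# user_in_group USER GROUP: succeed if USER's group list (id -Gn) contains GROUP.
# A freshly run "adduser proxy winbindd_priv" only shows up in a NEW session
# of that user, so check with the account the proxy actually runs as.
user_in_group() {
    for g in $(id -Gn "$1" 2>/dev/null); do
        [ "$g" = "$2" ] && return 0
    done
    return 1
}

# dir_group_accessible DIR GROUP: succeed if DIR is owned by GROUP and grants
# the group traverse (x) permission; that is what a client needs to reach the
# "pipe" socket inside it. Expected: drwxr-x--- root winbindd_priv.
dir_group_accessible() {
    perms=$(stat -c '%A %G' "$1" 2>/dev/null) || return 1
    mode=${perms%% *}
    group=${perms#* }
    [ "$group" = "$2" ] || return 1
    case $mode in
        ??????[xs]*) return 0 ;;   # 7th character is the group execute bit
        *)           return 1 ;;
    esac
}

# check_proxy_user USER: question 1 from the reply, as a single verdict.
check_proxy_user() {
    if user_in_group "$1" "$WINBIND_PRIV_GROUP" \
       && dir_group_accessible "$WINBIND_PRIV_DIR" "$WINBIND_PRIV_GROUP"; then
        echo "ok: $1 can reach $WINBIND_PRIV_DIR via group $WINBIND_PRIV_GROUP"
        return 0
    fi
    echo "fail: $1 cannot reach $WINBIND_PRIV_DIR (check group membership and directory mode)"
    return 1
}

# compare_ntlm_flavours 'DOMAIN\user' PASSWORD: question 2 from the reply.
# "wbinfo -a" does a plaintext check followed by an NTLMv1 challenge/response;
# --ntlmv2 and --lanman switch the challenge/response flavour, so running all
# three shows which flavour the DC accepts. The password is handed over with
# wbinfo's user%password syntax, so it is visible in the process list: use a
# throwaway test account, and avoid passwords containing '%'.
compare_ntlm_flavours() {
    for flag in "" --ntlmv2 --lanman; do
        printf '%-8s challenge/response: ' "${flag:-ntlmv1}"
        out=$(wbinfo $flag -a "$1%$2" 2>&1)
        case $out in
            *"challenge/response password authentication succeeded"*) echo succeeded ;;
            *) echo failed ;;
        esac
    done
}

# Typical use on the proxy host:
#   check_proxy_user proxy
#   compare_ntlm_flavours 'NTDOM\someTestUser' 'Secret123'
```

One caveat worth keeping in mind when reading the second function's output: for domain accounts a member server does not verify the challenge/response itself, it forwards it to the DC over NETLOGON, so `ntlm auth` and `lanman auth` in the member's smb.conf do not change which flavour is accepted; the DC's settings do. Likewise, `client plaintext auth` governs what smbclient is willing to send to an SMB server and has no bearing on the "plaintext password authentication" line that `wbinfo -a` prints.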


