[Samba] question about ntlm

L.P.H. van Belle belle at bazuin.nl
Wed Feb 15 15:01:43 UTC 2017


A1) Yes, I test as root.

A2) wbinfo --ntlmv2 -a "someTestUser"
    wbinfo --ntlmv2 -a "NTDOM\someTestUser"
    wbinfo --ntlmv2 -a "someTestUser@INTERNAL.DOMAIN.TLD"

These all work with default settings. 
raw NTLMv2 auth = no 
ntlm auth = no
lanman auth = no


Greetz, 

Louis



> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Vinicius Bones
> Silva via samba
> Sent: Wednesday 15 February 2017 15:48
> To: samba at lists.samba.org
> Subject: Re: [Samba] question about ntlm
> 
> 1) Does the user you are running wbinfo with have access to the
> winbind_privileged folder?
> 2) Does running "wbinfo --ntlmv2 -a 'DOMAIN\sometestuser' " change the
> response you have?
> 
> On 15/02/2017 12:24, L.P.H. van Belle via samba wrote:
> > Hai,
> >
> > Since I'm still having problems reading the man smb.conf about the NTLM
> > settings, I'm asking here.
> >
> > How do I allow NTLM auth for my proxy.
> >
> > I have been playing around with :
> >
> >          client NTLMv2 auth
> >          raw NTLMv2 auth
> >          ntlm auth
> >          lanman auth
> >
> > I've added the proxy user to the winbind_privileged group.
> > and did set the needed rights.
> >
> > chgrp winbindd_priv /var/lib/samba/winbindd_privileged/
> > adduser proxy winbindd_priv
> >
> > I'm trying to keep as much as possible to the default settings.
> > I'm testing the following.
> >
> > ntlm_auth --request-nt-key --username=someTestUser
> > ntlm_auth --request-lm-key --username=someTestUser
> > ntlm_auth --username=someTestUser --ntlmv2
> > ntlm_auth --username=someTestUser --lanman
> > ntlm_auth --username=someTestUser --krb5auth=someTestUser
> > ntlm_auth --diagnostics --username=someTestUser
> > wbinfo -a someTestUser
> > wbinfo --krb5auth=someTestUser
> > wbinfo --krb5auth='NTDOM\someTestUser'
> > wbinfo --krb5auth='someTestUser@INTERNAL.DOMAIN.TLD'
> >
> > Situation .
> > Samba AD DC. 4.5.3
> > Config : ( left out the shares, the question is about auth )
> >
> > [global]
> >          workgroup = NTDOM
> >          realm = INTERNAL.DOMAIN.TLD
> >          netbios name = DC1
> >          server role = active directory domain controller
> >          server services = -dns
> >          interfaces = 192.168.0.1 127.0.0.1
> >          bind interfaces only = yes
> >          time server = yes
> >          idmap_ldb:use rfc2307 = yes
> >          winbind nss info = rfc2307
> >          winbind expand groups = 4
> >          template shell = /bin/bash
> >          template homedir = /home/users/%U
> >          tls enabled = yes
> >
> > My client setup.
> > Samba member 4.5.5  ( and testing 4.5.3 also )
> >
> > [global]
> >      workgroup = NTDOM
> >      security = ads
> >      realm = INTERNAL.DOMAIN.TLD
> >      netbios name = PROXY2
> >      preferred master = no
> >      domain master = no
> >      host msdfs = no
> >      interfaces = 192.168.0.2 127.0.0.1
> >      bind interfaces only = yes
> >      dns proxy = yes
> >      tls enabled = yes
> >      idmap config *:backend = tdb
> >      idmap config *:range = 2000-9999
> >      idmap config NTDOM : backend = ad
> >      idmap config NTDOM : schema_mode = rfc2307
> >      idmap config NTDOM : range = 10000-3999999
> >      dedicated keytab file = /etc/krb5.keytab
> >      kerberos method = secrets and keytab
> >      winbind refresh tickets = yes
> >      winbind nss info = rfc2307
> >      winbind trusted domains only = no
> >      winbind offline logon = yes
> >      winbind expand groups = 4
> >
> > Now I'm asking, where do we set what to make this work.
> >
> > When I set in my proxy smb.conf
> >      lanman auth = yes
> >      raw NTLMv2 auth = yes
> >      ntlm auth = yes
> > I'm getting the same results as with above but =no
> >
> > and I'm testing:
> >
> > wbinfo -a "NTDOM\someTestUser"
> > Enter NTDOM\someTestUser's password:
> > plaintext password authentication succeeded
> > Enter NTDOM\someTestUser's password:
> > challenge/response password authentication failed
> > wbcAuthenticateUserEx(NTDOM\someTestUser): error code was NT_STATUS_WRONG_PASSWORD (0xc000006a)
> > error message was: Wrong Password
> > Could not authenticate user NTDOM\someTestUser with challenge/response
> >
> > And same result for : wbinfo -a someTestUser@ROTTERDAM.BAZUIN.NL
> >
> > If a default setting is like :  client plaintext auth = no
> > why do I get : plaintext password authentication succeeded
> >
> > What is missing in my setup? Or do I have to setup a less secure AD DC
> > to make this work?
> >
> > I'm still having a hard time to figure out if a setting is ADDC or member
> > only and man smb.conf isn't telling me what I need to know.
> >
> > so I don't get it.  :-((  Help :-))
> >
> > Any assistance here is very welcome.  ;-)
> >
> > Greetz,
> >
> > Louis
> >
> 
> --
> 
> 
> Vinicius Silva
> SOC
> 
> BRA: + 55 51 2117.1000 | 55 11 5521.2021
> USA: + 1 888 259.5801
> vbs at e-trust.com.br
> skype: vinicius.bones.silva
> 
> www.e-trust.com.br <http://www.e-trust.com.br/>
> 
> 
> This message may contain privileged and confidential information for the use of
> the intended recipients only. If you are not an intended recipient then you
> should not disseminate, copy, or take any action based on its contents. If you
> have received this message in error then please notify E-TRUST by sending an
> e-mail message to suporte at e-trust.com.br immediately. Views and opinions
> expressed in this message do not necessarily reflect the position of E-TRUST.
> If this message is digitally signed, its authenticity can be confirmed by
> E-TRUST Private Certificate Authority, available at www.e-trust.com.br.
> 
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
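The thread above toggles the three legacy switches (`lanman auth`, `ntlm auth`, `raw NTLMv2 auth`) on a member server and tests with `wbinfo --ntlmv2 -a`, and the reply asks whether the proxy user can reach the winbind_privileged directory. As an added example (not from the thread and not Samba project code), the shell script below does both checks offline: it reads the effective auth settings out of an smb.conf and says whether LM or NTLMv1 is accepted, and it verifies that a service account's groups give it r-x on the privileged pipe directory. The function names (`smb_get`, `smb_bool`, `legacy_auth_enabled`, `ntlm_report`, `priv_dir_check`), the sample smb.conf, and the Samba 4.5 documented defaults used for unset parameters are assumptions; confirm the defaults with `testparm -v` on your own build, and note that newer Samba releases accept enumerated values for `ntlm auth` that are passed through unchanged here.

```bash
#!/bin/sh
# Added example, not from the thread. Offline checks for the NTLM settings and
# the winbindd_privileged access discussed above. Defaults are the documented
# Samba 4.5 defaults (assumption). The smb.conf at the bottom is constructed.

# smb_get FILE "parameter name" DEFAULT
# Print the last [global] value of a parameter, or DEFAULT if it is unset.
# Names are matched case- and whitespace-insensitively, as smb.conf does.
smb_get() {
    local file=$1 default=$3 key val
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z' | tr -d ' ')
    val=$(awk -v key="$key" '
        /^[ \t]*[#;]/ { next }                       # comment lines
        /^[ \t]*\[/   { sec = tolower($0); gsub(/[ \t]/, "", sec)
                        gsub(/\[|\]/, "", sec); next } # section header
        sec == "global" && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", k)
            if (tolower(k) == key) {
                v = substr($0, index($0, "=") + 1); gsub(/^[ \t]+|[ \t]+$/, "", v)
                last = v                             # later lines override earlier ones
            }
        }
        END { if (last != "") print last }' "$file")
    printf '%s\n' "${val:-$default}"
}

# smb_bool VALUE: normalise Samba boolean spellings to yes/no; any other value
# (e.g. the enumerated "ntlm auth" values of newer releases) passes through.
smb_bool() {
    case $(printf '%s' "$1" | tr 'A-Z' 'a-z') in
        yes|true|1|on)  echo yes ;;
        no|false|0|off) echo no ;;
        *)              printf '%s\n' "$1" ;;
    esac
}

# legacy_auth_enabled FILE: print "yes" if LM or NTLMv1 responses are accepted,
# else "no". NTLMv2 (what wbinfo --ntlmv2 sends) needs neither switch, which is
# why the thread's tests pass with all three set to no.
legacy_auth_enabled() {
    local lanman ntlm
    lanman=$(smb_bool "$(smb_get "$1" 'lanman auth' no)")
    ntlm=$(smb_bool "$(smb_get "$1" 'ntlm auth' yes)")    # 4.5 default: yes (assumption)
    if [ "$lanman" = yes ] || [ "$ntlm" = yes ]; then echo yes; else echo no; fi
}

# ntlm_report FILE: print the effective value of each switch named in the thread.
ntlm_report() {
    local p name dflt
    for p in 'lanman auth:no' 'ntlm auth:yes' 'raw NTLMv2 auth:no' \
             'client NTLMv2 auth:yes' 'client plaintext auth:no'; do
        name=${p%%:*}; dflt=${p#*:}
        printf '%-22s = %s\n' "$name" "$(smb_bool "$(smb_get "$1" "$name" "$dflt")")"
    done
}

# priv_dir_check DIR "GIDS": print "ok" when DIR's numeric group is one of GIDS
# (e.g. "$(id -G proxy)") and that group has r-x on DIR, which a non-root client
# needs to open the winbindd_privileged pipe; otherwise print the reason.
priv_dir_check() {
    local dir=$1 gids=$2 mode dgid g
    [ -d "$dir" ] || { echo "$dir is not a directory"; return 0; }
    set -- $(ls -ldn "$dir")          # POSIX: mode links uid gid ...
    mode=$1; dgid=$4
    for g in $gids; do
        [ "$g" = "$dgid" ] || continue
        case $mode in
            d???r?[xs]*) echo ok; return 0 ;;
            *) echo "group $dgid lacks r-x on $dir (mode $mode)"; return 0 ;;
        esac
    done
    echo "gid $dgid of $dir is not among the caller's groups ($gids)"
}

# --- demo on a constructed member-server config ---------------------------
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
[global]
    workgroup = NTDOM
    security = ads
    realm = INTERNAL.DOMAIN.TLD
    ; legacy protocols switched on while debugging the proxy:
    lanman auth = yes
    ntlm auth = yes
    raw NTLMv2 auth = yes
EOF
ntlm_report "$demo_conf"
echo "legacy (LM/NTLMv1) accepted: $(legacy_auth_enabled "$demo_conf")"
rm -f "$demo_conf"
```

Run it against a real file with `legacy_auth_enabled /etc/samba/smb.conf` after sourcing the script; for the directory check, pass the service account's group list, e.g. `priv_dir_check /var/lib/samba/winbindd_privileged "$(id -G proxy)"`. Because winbind serves the privileged pipe to whoever can open the directory, the group check is the defender's view of the same fact the `chgrp`/`adduser` steps in the thread establish.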
