[Samba] question about ntlm
L.P.H. van Belle
belle@bazuin.nl
Wed Feb 15 15:01:43 UTC 2017
A1) Yes, I test as root.
A2) wbinfo --ntlmv2 -a "someTestUser"
wbinfo --ntlmv2 -a "NTDOM\someTestUser"
wbinfo --ntlmv2 -a "someTestUser@INTERNAL.DOMAIN.TLD"
These all work with default settings.
raw NTLMv2 auth = no
ntlm auth = no
lanman auth = no
Greetz,
Louis
> -----Original message-----
> From: samba [mailto:samba-bounces@lists.samba.org] On behalf of Vinicius Bones
> Silva via samba
> Sent: Wednesday, 15 February 2017 15:48
> To: samba@lists.samba.org
> Subject: Re: [Samba] question about ntlm
>
> 1) Does the user you are running wbinfo with have access to the
> winbind_privileged folder?
> 2) Does running "wbinfo --ntlmv2 -a 'DOMAIN\sometestuser'" change the
> response you have?
>
> On 15/02/2017 12:24, L.P.H. van Belle via samba wrote:
> > Hi,
> >
> > Since I'm still having problems reading the man smb.conf about the NTLM
> > settings, I'm asking here.
> >
> > How do I allow NTLM auth for my proxy?
> >
> > I have been playing around with:
> >
> > client NTLMv2 auth
> > raw NTLMv2 auth
> > ntlm auth
> > lanman auth
> >
> > I've added the proxy user to the winbind_privileged group
> > and did set the needed rights.
> >
> > chgrp winbindd_priv /var/lib/samba/winbindd_privileged/
> > adduser proxy winbindd_priv
> >
> > I'm trying to keep as much as possible to the default settings.
> >
> > I'm testing the following.
> >
> > ntlm_auth --request-nt-key --username=someTestUser
> > ntlm_auth --request-lm-key --username=someTestUser
> > ntlm_auth --username=someTestUser --ntlmv2
> > ntlm_auth --username=someTestUser --lanman
> > ntlm_auth --username=someTestUser --krb5auth=someTestUser
> > ntlm_auth --diagnostics --username=someTestUser
> > wbinfo -a someTestUser
> > wbinfo --krb5auth=someTestUser
> > wbinfo --krb5auth='NTDOM\someTestUser'
> > wbinfo --krb5auth='someTestUser@INTERNAL.DOMAIN.TLD'
> >
> > Situation.
> >
> > Samba AD DC 4.5.3
> >
> > Config: (left out the shares, the question is about auth)
> >
> > [global]
> > workgroup = NTDOM
> > realm = INTERNAL.DOMAIN.TLD
> > netbios name = DC1
> > server role = active directory domain controller
> > server services = -dns
> > interfaces = 192.168.0.1 127.0.0.1
> > bind interfaces only = yes
> > time server = yes
> > idmap_ldb:use rfc2307 = yes
> > winbind nss info = rfc2307
> > winbind expand groups = 4
> > template shell = /bin/bash
> > template homedir = /home/users/%U
> > tls enabled = yes
> >
> > My client setup.
> >
> > Samba member 4.5.5 (and testing 4.5.3 also)
> >
> > [global]
> > workgroup = NTDOM
> > security = ads
> > realm = INTERNAL.DOMAIN.TLD
> > netbios name = PROXY2
> > preferred master = no
> > domain master = no
> > host msdfs = no
> > interfaces = 192.168.0.2 127.0.0.1
> > bind interfaces only = yes
> > dns proxy = yes
> > tls enabled = yes
> > idmap config *:backend = tdb
> > idmap config *:range = 2000-9999
> > idmap config NTDOM : backend = ad
> > idmap config NTDOM : schema_mode = rfc2307
> > idmap config NTDOM : range = 10000-3999999
> > dedicated keytab file = /etc/krb5.keytab
> > kerberos method = secrets and keytab
> > winbind refresh tickets = yes
> > winbind nss info = rfc2307
> > winbind trusted domains only = no
> > winbind offline logon = yes
> > winbind expand groups = 4
> >
> > Now I'm asking: where do we set what to make this work?
> >
> > When I set in my proxy smb.conf
> >
> > lanman auth = yes
> > raw NTLMv2 auth = yes
> > ntlm auth = yes
> >
> > I'm getting the same results as with the above but = no,
> >
> > and I'm testing:
> >
> > wbinfo -a "NTDOM\someTestUser"
> > Enter NTDOM\someTestUser's password:
> > plaintext password authentication succeeded
> > Enter NTDOM\someTestUser's password:
> > challenge/response password authentication failed
> > wbcAuthenticateUserEx(NTDOM\someTestUser): error code was
> > NT_STATUS_WRONG_PASSWORD (0xc000006a)
> > error message was: Wrong Password
> > Could not authenticate user NTDOM\someTestUser with challenge/response
> >
> > And same result for: wbinfo -a someTestUser@ROTTERDAM.BAZUIN.NL
> >
> > If a default setting is like: client plaintext auth = no
> > why do I get: plaintext password authentication succeeded
> >
> > What is missing in my setup? Or do I have to set up a less secure AD DC
> > to make this work?
> >
> > I'm still having a hard time figuring out if a setting is AD DC or member
> > only, and man smb.conf isn't telling me what I need to know.
> >
> > So I don't get it. :-(( Help :-))
> >
> > Any assistance here is very welcome. ;-)
> >
> > Greetz,
> >
> > Louis
> >
>
> --
> Vinicius Silva
> SOC
> BRA: + 55 51 2117.1000 | 55 11 5521.2021
> USA: + 1 888 259.5801
> vbs@e-trust.com.br
> skype: vinicius.bones.silva
> www.e-trust.com.br <http://www.e-trust.com.br/>
>
> This message may contain privileged and confidential information for the use of the
> intended recipients only. If you are not an intended recipient then you should not
> disseminate, copy, or take any action based on its contents. If you have received this
> message in error then please notify E-TRUST by sending an e-mail message to
> suporte@e-trust.com.br immediately. Views and opinions expressed in this message do not
> necessarily reflect the position of E-TRUST. If this message is digitally signed, its
> authenticity can be confirmed by E-TRUST Private Certificate Authority, available at
> www.e-trust.com.br.
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
More information about the samba mailing list