[Samba] ODP: Re: freeradius + NTLM + samba AD 4.5.x

Andrew Bartlett abartlet at samba.org
Tue Mar 27 20:55:43 UTC 2018


On Tue, 2018-03-27 at 22:40 +0200, Kacper Wirski via samba wrote:
> Hello,
> 
> I can definitely confirm that it's working.
> 
> My basic setup is:
> 
> 1) Samba 4.7.6 AD DC (2 of them), compiled from source, on centos 7
> 
> 2) Freeradius 3.0.13 + samba 4.6.2 as domain member, packages straight 
> from centos repo. // I also tested on freeradius 3.0.14 and samba 4.7.x
> 
> smb.conf on the DC is pretty basic, most important is obviously in 
> [global]:
> 
>          ntlm auth = mschapv2-and-ntlmv2-only
> 
> On server with freeradius + samba 4.6.2:
> 
> machine is added to AD using samba with net ads join.
> 
> Most important configuration to make mschapv2 only with ntlmv1 overall 
> disabled (except for mschapv2) is setting in freeradius in 
> /mods-available/mschap:
> 
> mschap {
> 
> .....
> 
> ntlm_auth = "/path/to/ntlm_auth *--allow-mschapv2* --request-nt-key 
> --username=%{mschap:User-Name} --domain=WINDOWSDOMAIN 
> --challenge=%{%{mschap:Challenge}:-00} 
> --nt-response=%{%{mschap:NT-Response}:-00}"
> 
> OR (if your Freeradius supports it)
> 
> winbind_username = "%{%{mschap:User-Name}:-00}"
> winbind_domain = "WINDOWSDOMAIN"
> 
> The former works just fine, the latter requires freeradius to be built 
> with winbind auth, for example for centos I had to rebuild rpm and add 
> to ./configure path to winbind libraries.
> 
> That's all that's needed to change from the "standard", well documented  
> freeradius/AD integration for the integration.
> 
> If there are going to be password changes with freeradius ("your 
> password has expired" - type - scenarios) You should probably also 
> configure in /mods-available/mschap additionally:
> 
> passchange {
>                  ntlm_auth = "/path/to/ntlm_auth 
> --helper-protocol=ntlm-change-password-1 *--allow-mschapv2*"
>                  ntlm_auth_username = "username: %{mschap:User-Name}"
>                  ntlm_auth_domain = "nt-domain: WINDOWSDOMAIN"

This will still be allowed, even with NTLMv1 disabled, I consider it
as strong as NTLMv2 for these purposes.  If you turn off NTLM entirely
(Samba 4.7) you will disable it.

> I'm saying "should probably configure" because with the settings as 
> above it works just fine, so even if it's unnecessary, it doesn't break 
> anything, and unfortunately I was unable to test if it works (I doubt 
> it) without this option while denying ntlmv1 overall on ad dc.
> 
> If everything works as intended, in the AD DC audit log You will see 
> something like this:
> {"timestamp": "some-date0", "type": "Authentication", "Authentication": 
> {"version": {"major": 1, "minor": 0}, "status": "NT_STATUS_OK", 
> "localAddress": "ipv4:xxx.xxx.xxx.xxx", "remoteAddress": 
> "ipv4:xxx.xxx.xxx.xxx:58046", "serviceDescription": "SamLogon", 
> "authDescription": "network", "clientDomain": "WINDOWSDOMAIN", 
> "clientAccount": "some-user", "workstation": "\\\\SOME-HOST", 
> "becameAccount": "some-user", "becameDomain": "WINDOWSDOMAIN", 
> "becameSid": "SOME-SID", "mappedAccount": "some-user", "mappedDomain": 
> "WINDOWSDOMAIN", "netlogonComputer": "SOME-HOST", 
> "netlogonTrustAccount": "SOME-HOST$", "netlogonNegotiateFlags": 
> "0x610FFFFF", "netlogonSecureChannelType": 2, "netlogonTrustAccountSid": 
> "somesid, *"passwordType": "MSCHAPv2"*}}
> 
> Without "--allow-mschapv2" You would see "passwordType":"NTLMv1".
> 
> Also I have no idea when the ntlm_auth --allow-mschapv2 option was added?

It was added in Samba 4.5.0rc1 with
0b500d413c5b76188c0c566318be7079b777237c

I hope this helps!

Andrew Bartlett

-- 
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT   
https://catalyst.net.nz/services/samba
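The thread's verification step is to look at the DC audit record and check that "passwordType" reads "MSCHAPv2" rather than "NTLMv1". The following is an added example (not from the thread, FreeRADIUS or the Samba project) that does that check over a batch of such JSON audit lines and flags successful logons whose password type falls outside the policy the DC is supposed to enforce. The sample records, account names and hosts are constructed, and the handling of an optional syslog prefix before the JSON object is an assumption.

```python
import json
from collections import Counter

# With "ntlm auth = mschapv2-and-ntlmv2-only" on the DC, these are the only
# passwordType values a successful SamLogon should carry; NTLMv1 is an alert.
ACCEPTED_PASSWORD_TYPES = {"MSCHAPv2", "NTLMv2"}

# Constructed sample records modelled on the audit line quoted in the thread.
# Accounts, hosts and timestamps are placeholders, not from any real domain.
SAMPLE_AUDIT_LINES = [
    r'{"timestamp": "2018-03-27T20:01:00+0000", "type": "Authentication", '
    r'"Authentication": {"status": "NT_STATUS_OK", "serviceDescription": "SamLogon", '
    r'"clientAccount": "alice", "workstation": "\\\\RADIUS01", "passwordType": "MSCHAPv2"}}',
    r'{"timestamp": "2018-03-27T20:02:00+0000", "type": "Authentication", '
    r'"Authentication": {"status": "NT_STATUS_OK", "serviceDescription": "SamLogon", '
    r'"clientAccount": "bob", "workstation": "\\\\LEGACY-NAS", "passwordType": "NTLMv1"}}',
    r'{"timestamp": "2018-03-27T20:03:00+0000", "type": "Authentication", '
    r'"Authentication": {"status": "NT_STATUS_WRONG_PASSWORD", "serviceDescription": "SamLogon", '
    r'"clientAccount": "carol", "workstation": "\\\\RADIUS01", "passwordType": "MSCHAPv2"}}',
    "Mar 27 20:04:00 dc1 samba[123]: unrelated non-JSON log noise",
]

def parse_auth_record(line):
    """Return the inner Authentication dict, or None if the line is not an auth record."""
    start = line.find("{")  # assumption: a syslog prefix may precede the JSON object
    if start < 0:
        return None
    try:
        record = json.loads(line[start:])
    except ValueError:
        return None
    if record.get("type") != "Authentication":
        return None
    return record.get("Authentication")

def successful_logons(lines):
    """Yield Authentication dicts whose status is NT_STATUS_OK (failed attempts are skipped)."""
    for line in lines:
        auth = parse_auth_record(line)
        if auth and auth.get("status") == "NT_STATUS_OK":
            yield auth

def password_type_counts(lines):
    """Count passwordType over successful logons: a quick check that the DC policy holds."""
    return Counter(a.get("passwordType", "unknown") for a in successful_logons(lines))

def weak_logons(lines):
    """(account, workstation, passwordType) for successful logons outside the accepted set."""
    return [(a.get("clientAccount"), a.get("workstation"), a.get("passwordType"))
            for a in successful_logons(lines) if a.get("passwordType") not in ACCEPTED_PASSWORD_TYPES]
```

Run against the real audit log, a non-empty result from weak_logons() points at the client (here the workstation field, which names the RADIUS server or other domain member) that still authenticates with NTLMv1, which is exactly the case the --allow-mschapv2 flag is meant to remove.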