[Samba] ODP: Re: freeradius + NTLM + samba AD 4.5.x

Dr. Peer-Joachim Koch pkoch at bgc-jena.mpg.de
Wed Mar 28 06:18:35 UTC 2018


Hi,

thank you very much for testing everything out. Great work!

One question: passchange - which applications are working with passchange 
on radius?
At the moment every user with an expired password is NOT able to use 
services that use radius
for authentication (WLAN, VPN). Is there any documentation available?

Bye, Peer

On 27.03.2018 22:40, Kacper Wirski via samba wrote:
> Hello,
>
> I can definitely confirm that it's working.
>
> My basic setup is:
>
> 1) Samba 4.7.6 AD DC (2 of them), compiled from source, on centos 7
>
> 2) Freeradius 3.0.13 + samba 4.6.2 as domain member, packages straight 
> from centos repo. // I tested also on freeradius 3.0.14 and samba 4.7.x
>
> smb.conf on the DC is pretty basic, most important is obviously in 
> [global]:
>
>         ntlm auth = mschapv2-and-ntlmv2-only
>
> On server with freeradius + samba 4.6.2:
>
> machine is added to AD using samba with net ads join.
>
> Most important configuration to make mschapv2 only with ntlmv1 overall 
> disabled (except for mschapv2) is setting in freeradius in 
> /mods-available/mschap:
>
> mschap {
>
> .....
>
> ntlm_auth = "/path/to/ntlm_auth *--allow-mschapv2* --request-nt-key 
> --username=%{mschap:User-Name} --domain=WINDOWSDOMAIN 
> --challenge=%{%{mschap:Challenge}:-00} 
> --nt-response=%{%{mschap:NT-Response}:-00}"
>
> OR (if your Freeradius supports it)
>
> winbind_username = "%{%{mschap:User-Name}:-00}"
> winbind_domain = "WINDOWSDOMAIN"
>
> The former works just fine, the latter requires freeradius to be built 
> with winbind auth, for example for centos i had to rebuild rpm and add 
> to ./configure path to winbind libraries.
>
> That's all that's needed to change from the "standard", well 
> documented freeradius/AD integration for the integration.
>
> If there are going to be password changes with freeradius ("your 
> password has expired" - type - scenarios) You should probably also 
> configure in /mods-available/mschap additionally:
>
> passchange {
>                 ntlm_auth = "/path/to/ntlm_auth 
> --helper-protocol=ntlm-change-password-1 *--allow-mschapv2*"
>                 ntlm_auth_username = "username: %{mschap:User-Name}"
>                 ntlm_auth_domain = "nt-domain: WINDOWSDOMAIN"
> }
>
> I'm saying "should probably configure" because with the settings as 
> above it works just fine, so even if it's unnecessary, it doesn't break 
> anything, and unfortunately I was unable to test if it works (I doubt 
> it) without this option while denying ntlmv1 overall on ad dc.
>
> If everything works as intended, in the AD DC audit log You will see 
> something like this:
> {"timestamp": "some-date0", "type": "Authentication", 
> "Authentication": {"version": {"major": 1, "minor": 0}, "status": 
> "NT_STATUS_OK", "localAddress": "ipv4:xxx.xxx.xxx.xxx", 
> "remoteAddress": "ipv4:xxx.xxx.xxx.xxx:58046", "serviceDescription": 
> "SamLogon", "authDescription": "network", "clientDomain": 
> "WINDOWSDOMAIN", "clientAccount": "some-user", "workstation": 
> "\\\\SOME-HOST", "becameAccount": "some-user", "becameDomain": 
> "WINDOWSDOMAIN", "becameSid": "SOME-SID", "mappedAccount": 
> "some-user", "mappedDomain": "WINDOWSDOMAIN", "netlogonComputer": 
> "SOME-HOST", "netlogonTrustAccount": "SOME-HOST$", 
> "netlogonNegotiateFlags": "0x610FFFFF", "netlogonSecureChannelType": 
> 2, "netlogonTrustAccountSid": "somesid", *"passwordType": "MSCHAPv2"*}}
>
> Without "--allow-mschapv2" You would see "passwordType":"NTLMv1".
>
> Also, I have no idea when the ntlm_auth --allow-mschapv2 option was added.
>
> On 27.03.2018 at 10:06, Rowland Penny via samba wrote:
>> On Tue, 27 Mar 2018 09:36:42 +0200
>> "k.wirski via samba" <samba at lists.samba.org> wrote:
>>
>>> ok, tested it, and it works.
>>>
>>> so to summarize:
>>> on samba ad 4.7.x in smb.conf "ntlm auth" is set to
>>> "mschapv2-and-ntlmv2-only"; on fr + samba domain member (4.6 and 4.7) in
>>> mods-available/mschap you have to add --allow-mschapv2 to the whole
>>> ntlm_auth string OR just use the winbind method, which sets the correct
>>> flag without explicitly adding it.
>> Not sure it will work with 4.6 as it doesn't have the required
>> 'mschapv2-and-ntlmv2-only' option for 'ntlm auth'
>>
>>> with those settings ntlmv1 is blocked except for mschapv2, and it's
>>> nicely visible in samba auth_audit log.
>>>
>>> I also tried password change with ntlm_auth (for expired password at
>>> logon via FR) and it works fine too, with added --allow-mschapv2.
>>>
>>> I completely missed ntlm_auth option --allow-mschapv2!
>>> Thank You for pointing it out.
>>>
>> If you can let us know just what you changed to get it working, I will
>> put something on the Samba wiki.
>>
>> Rowland
>>
>

-- 
Kind regards,
     Peer-Joachim Koch
________________________________________________________

Max-Planck-Institut für Biogeochemie
Dr. Peer-Joachim Koch
Hans-Knöll Str.10            Phone: ++49 3641 57-6705
D-07745 Jena                 Fax:   ++49 3641 57-7705
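The thread identifies the DC's auth_audit JSON records, and specifically the "passwordType" field, as the place to confirm whether a RADIUS server is reaching the DC as "MSCHAPv2" or as plain "NTLMv1". Before flipping a DC to 'ntlm auth = mschapv2-and-ntlmv2-only', a practitioner would want to run that check over a day of logs to find every host that would start failing. The script below is an added example for this thread; it is not code from the list posters, Samba, or FreeRADIUS. It assumes each audit record is one JSON object of the shape quoted above (optionally preceded by a syslog-style prefix before the first '{'), that the password-type strings the DC emits are "MSCHAPv2", "NTLMv1" and "NTLMv2" (the thread only shows the first two), and it uses a constructed sample log rather than real DC output.

```python
"""Summarise Samba AD DC auth_audit JSON records by password type.

Added example, not part of the mailing-list thread and not Samba or FreeRADIUS
project code.  It assumes each auth_audit record is a single JSON object of the
shape quoted in the thread (possibly preceded by a syslog-style prefix before
the first '{'); SAMPLE_LOG below is constructed for illustration, not captured
from a real DC.
"""
import json
from collections import Counter, defaultdict

# Network-logon password types the DC still accepts once smb.conf has
# 'ntlm auth = mschapv2-and-ntlmv2-only'.  Plain "NTLMv1" is refused, which is
# what an ntlm_auth call without --allow-mschapv2 looks like on the DC side.
# (Assumption: "NTLMv2" is the DC's string for NTLMv2; the thread shows only
# "MSCHAPv2" and "NTLMv1".)
ALLOWED_WHEN_NTLMV1_DISABLED = {"MSCHAPv2", "NTLMv2"}

# Constructed sample: five Authentication records plus two lines the parser
# must ignore (a non-JSON line and a record of a different type).
SAMPLE_LOG = r"""
{"timestamp": "2018-03-27T20:40:01.000000+0000", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 0}, "status": "NT_STATUS_OK", "serviceDescription": "SamLogon", "authDescription": "network", "clientDomain": "WINDOWSDOMAIN", "clientAccount": "alice", "workstation": "\\\\RADIUS01", "netlogonComputer": "RADIUS01", "passwordType": "MSCHAPv2"}}
{"timestamp": "2018-03-27T20:40:02.000000+0000", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 0}, "status": "NT_STATUS_OK", "serviceDescription": "SamLogon", "authDescription": "network", "clientDomain": "WINDOWSDOMAIN", "clientAccount": "bob", "workstation": "\\\\RADIUS01", "netlogonComputer": "RADIUS01", "passwordType": "NTLMv1"}}
Mar 27 22:40:03 dc1 samba[1234]: JSON Authentication: {"timestamp": "2018-03-27T20:40:03.000000+0000", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 0}, "status": "NT_STATUS_OK", "serviceDescription": "SamLogon", "authDescription": "network", "clientDomain": "WINDOWSDOMAIN", "clientAccount": "alice", "workstation": "\\\\FILESRV", "netlogonComputer": "FILESRV", "passwordType": "NTLMv2"}}
{"timestamp": "2018-03-27T20:40:04.000000+0000", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 0}, "status": "NT_STATUS_WRONG_PASSWORD", "serviceDescription": "SamLogon", "authDescription": "network", "clientDomain": "WINDOWSDOMAIN", "clientAccount": "carol", "workstation": "\\\\RADIUS01", "netlogonComputer": "RADIUS01", "passwordType": "MSCHAPv2"}}
{"timestamp": "2018-03-27T20:40:05.000000+0000", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 0}, "status": "NT_STATUS_OK", "serviceDescription": "Kerberos KDC", "authDescription": "ENC-TS Pre-authentication", "clientDomain": "WINDOWSDOMAIN", "clientAccount": "dave"}}
this line is not JSON and must be skipped
{"timestamp": "2018-03-27T20:40:06.000000+0000", "type": "Authorization", "Authorization": {"serviceDescription": "LDAP", "account": "dave"}}
"""


def parse_auth_records(text):
    """Return the 'Authentication' sub-object of every Authentication record.

    Lines without JSON, with unparsable JSON, or of another record type are
    skipped rather than aborting the whole run.
    """
    records = []
    for line in text.splitlines():
        start = line.find("{")          # tolerate a syslog/journal prefix
        if start < 0:
            continue
        try:
            obj = json.loads(line[start:])
        except json.JSONDecodeError:
            continue
        if obj.get("type") != "Authentication":
            continue
        records.append(obj["Authentication"])
    return records


def password_type_summary(records):
    """Count (passwordType, status) per netlogonComputer for SamLogon records.

    Only SamLogon (NTLM/MSCHAPv2 over netlogon) records carry passwordType;
    Kerberos records are left out of the summary.
    """
    summary = defaultdict(Counter)
    for rec in records:
        if rec.get("serviceDescription") != "SamLogon":
            continue
        host = rec.get("netlogonComputer") or rec.get("workstation") or "?"
        key = (rec.get("passwordType", "unknown"), rec.get("status"))
        summary[host][key] += 1
    return summary


def rejected_after_hardening(records):
    """Map netlogonComputer -> sorted accounts whose successful network logons
    used a password type that 'mschapv2-and-ntlmv2-only' would refuse.

    These are the RADIUS servers and other netlogon clients to fix first
    (add --allow-mschapv2, or switch to the winbind method) before the DC
    setting is changed; otherwise their users start failing silently.
    """
    out = defaultdict(set)
    for rec in records:
        if rec.get("serviceDescription") != "SamLogon":
            continue
        if rec.get("status") != "NT_STATUS_OK":
            continue
        ptype = rec.get("passwordType")
        if ptype is None or ptype in ALLOWED_WHEN_NTLMV1_DISABLED:
            continue
        out[rec.get("netlogonComputer", "?")].add(rec.get("clientAccount", "?"))
    return {host: sorted(accts) for host, accts in out.items()}


if __name__ == "__main__":
    recs = parse_auth_records(SAMPLE_LOG)
    for host, counts in sorted(password_type_summary(recs).items()):
        for (ptype, status), n in sorted(counts.items()):
            print(f"{host:<10} {ptype:<9} {status:<26} {n}")
    print("would break under mschapv2-and-ntlmv2-only:",
          rejected_after_hardening(recs))
```

On a real DC, feed it the file that 'log level = auth_audit:3' (or the auth_audit JSON messages from the journal) produces instead of SAMPLE_LOG; in the constructed sample, bob's logon through RADIUS01 shows up as "NTLMv1", i.e. a FreeRADIUS ntlm_auth call that is still missing --allow-mschapv2, while alice's MSCHAPv2 logon through the same host and her NTLMv2 logon through FILESRV would keep working.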