[Samba] ODP: Re: freeradius + NTLM + samba AD 4.5.x

MORILLO Jordi j.morillo at educationetformation.fr
Wed Mar 28 06:53:29 UTC 2018

I also confirm that it's working fine with the setup below.
In my case, I also added --require-membership-of="My_Wifi_Group" to the ntlm_auth command in /etc/freeradius/3.0/mods-enabled/mschap. I hope it will prevent some brute force on sensitive accounts.

For those who are interested in MSChap + winbind authentication (not ntlm_auth):
On the freeradius mailing list, I found this interesting post: http://lists.freeradius.org/pipermail/freeradius-users/2016-June/083958.html
It talks about the winbind group check, starting with Freeradius v3.1.X.

Have a nice day

-----Original Message-----
From: samba <samba-bounces at lists.samba.org> On behalf of Kacper Wirski via samba
Sent: Tuesday, 27 March 2018 22:40
To: samba at lists.samba.org
Subject: Re: [Samba] ODP: Re: freeradius + NTLM + samba AD 4.5.x


I can definitely confirm that it's working.

My basic setup is:

1) Samba 4.7.6 AD DC (2 of them), compiled from source, on centos 7

2) Freeradius 3.0.13 + samba 4.6.2 as domain member, packages straight from the centos repo. // I also tested on freeradius 3.0.14 and samba 4.7.x

smb.conf on the DC is pretty basic; the most important setting is obviously

         ntlm auth = mschapv2-and-ntlmv2-only

On server with freeradius + samba 4.6.2:

machine is added to AD using samba with net ads join.

The most important configuration to allow mschapv2 only, with ntlmv1 disabled overall (except for mschapv2), is this setting in freeradius:

mschap {
        # --allow-mschapv2 is the key addition; the rest is the stock
        # FreeRADIUS ntlm_auth line (closing quote and --nt-response restored here)
        ntlm_auth = "/path/to/ntlm_auth --allow-mschapv2 --request-nt-key --username=%{mschap:User-Name} --domain=WINDOWSDOMAIN --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
}

OR (if your Freeradius supports it)

mschap {
        # winbind method: the MSCHAPv2 flag is set by freeradius itself
        winbind_username = "%{%{mschap:User-Name}:-00}"
        winbind_domain = "WINDOWSDOMAIN"
}

The former works just fine; the latter requires freeradius to be built with winbind auth. For example, on centos I had to rebuild the rpm and add the path to the winbind libraries to ./configure.

That's all that needs to change from the "standard", well-documented freeradius/AD integration.

If there are going to be password changes through freeradius ("your password has expired"-type scenarios), you should probably also configure the following in /mods-available/mschap:

# inside the mschap { } block
passchange {
        ntlm_auth = "/path/to/ntlm_auth --helper-protocol=ntlm-change-password-1 --allow-mschapv2"
        ntlm_auth_username = "username: %{mschap:User-Name}"
        ntlm_auth_domain = "nt-domain: WINDOWSDOMAIN"
}

I'm saying "should probably configure" because with the settings above it works just fine, so even if it's unnecessary, it doesn't break anything; unfortunately I was unable to test whether it works (I doubt it) without this option while denying ntlmv1 overall on the AD DC.

If everything works as intended, in the AD DC audit log you will see something like this:

{"timestamp": "some-date0", "type": "Authentication", "Authentication": {
    "version": {"major": 1, "minor": 0},
    "status": "NT_STATUS_OK",
    "localAddress": "ipv4:xxx.xxx.xxx.xxx",
    "remoteAddress": "ipv4:xxx.xxx.xxx.xxx:58046",
    "serviceDescription": "SamLogon",
    "authDescription": "network",
    "clientDomain": "WINDOWSDOMAIN",
    "clientAccount": "some-user",
    "workstation": "\\\\SOME-HOST",
    "becameAccount": "some-user",
    "becameDomain": "WINDOWSDOMAIN",
    "becameSid": "SOME-SID",
    "mappedAccount": "some-user",
    "mappedDomain": "WINDOWSDOMAIN",
    "netlogonComputer": "SOME-HOST",
    "netlogonTrustAccount": "SOME-HOST$",
    "netlogonNegotiateFlags": "0x610FFFFF",
    "netlogonSecureChannelType": 2,
    "netlogonTrustAccountSid": "somesid",
    "passwordType": "MSCHAPv2"   <-- this is the field to check
}}

Without "--allow-mschapv2" you would see "passwordType": "NTLMv1".

Also, I have no idea when the ntlm_auth --allow-mschapv2 option was added?

On 27.03.2018 at 10:06, Rowland Penny via samba wrote:
> On Tue, 27 Mar 2018 09:36:42 +0200
> "k.wirski via samba" <samba at lists.samba.org> wrote:
>> ok, tested it, and it works.
>> so to summarize:
>> on samba ad 4.7.x  in smb.conf "ntlm auth" is set to 
>> "mschapv2-and-ntlmv2-only" fr + samba domain member (4.6 and 4.7) in 
>> mods-available/mschap you have to add to ntlm_auth --allow-mschapv2 
>> to the whole string OR just use winbind method, which sets correct 
>> flag without explicitly adding it.
> Not sure it will work with 4.6 as it doesn't have the required 
> 'mschapv2-and-ntlmv2-only' option for 'ntlm auth'
>> with those settings ntlmv1 is blocked except for mschapv2, and it's 
>> nicely visible in samba auth_audit log.
>> I also tried password change with ntlm_auth (for expired password at 
>> logon via FR) and it works fine too, with added --allow-mschapv2.
>> I completely missed ntlm_auth option --allow-mschapv2!
>> Thank You for pointing it out.
> If you can let us know just what you changed to get it working, I will 
> put something on the Samba wiki.
> Rowland
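As an added example (not code from the thread or from Samba/FreeRADIUS), a small Python check over Samba's JSON auth_audit output in the shape shown above: it counts successful SamLogon events per netlogonComputer and passwordType and lists every NTLMv1 attempt, which is the way to confirm that the --allow-mschapv2 change (or the winbind method) actually took effect on the RADIUS host. The log lines, account and computer names are constructed.

```python
import json
from collections import Counter


def _entry(account, computer, password_type, status="NT_STATUS_OK"):
    """Build one constructed audit record in Samba's 'Authentication' shape."""
    return json.dumps({
        "timestamp": "2018-03-27T22:00:00",  # constructed
        "type": "Authentication",
        "Authentication": {
            "version": {"major": 1, "minor": 0},
            "status": status,
            "serviceDescription": "SamLogon",
            "authDescription": "network",
            "clientDomain": "WINDOWSDOMAIN",
            "clientAccount": account,
            "netlogonComputer": computer,
            "passwordType": password_type,
        },
    })


# Constructed sample of an auth_audit log: one RADIUS host still producing
# NTLMv1 for "bob", i.e. its ntlm_auth line lacks --allow-mschapv2.
SAMPLE_AUDIT_LINES = [
    _entry("alice", "RADIUS-1", "MSCHAPv2"),
    _entry("bob", "RADIUS-1", "NTLMv1"),
    _entry("carol", "FILESRV-1", "NTLMv2"),
    _entry("dave", "RADIUS-1", "MSCHAPv2", status="NT_STATUS_WRONG_PASSWORD"),
    "not json at all",  # non-JSON noise is skipped by the parser
]


def parse_auth_events(lines):
    """Return the 'Authentication' objects of all parsable Authentication records."""
    events = []
    for line in lines:
        try:
            rec = json.loads(line)
        except ValueError:
            continue  # not a JSON audit line
        if rec.get("type") == "Authentication":
            events.append(rec["Authentication"])
    return events


def password_type_summary(lines):
    """Count successful logons per (netlogonComputer, passwordType)."""
    return Counter((ev.get("netlogonComputer"), ev.get("passwordType"))
                   for ev in parse_auth_events(lines)
                   if ev.get("status") == "NT_STATUS_OK")


def find_ntlmv1_attempts(lines):
    """(computer, account, status) for every NTLMv1 attempt, success or not:
    after the change, a non-empty result points at a host still using NTLMv1."""
    return [(ev.get("netlogonComputer"), ev.get("clientAccount"), ev.get("status"))
            for ev in parse_auth_events(lines)
            if ev.get("passwordType") == "NTLMv1"]
```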
