[Samba] ODP: Re: freeradius + NTLM + samba AD 4.5.x

Kacper Wirski kacper.wirski at gmail.com
Wed Mar 28 09:08:00 UTC 2018

I see it's more about freeradius than samba at this point, so I'm not 
very comfortable writing on samba list about this topic (if it's 
inapropriate, someone please tell me), but to share my experience:

passchange was tested on windows 7/10 joined to the samba AD domain 
since that's in my case the obvious mschpav2 client. I had simply tried 
logging as users with "password has to be changed on the next logon". I 
tried it with wireless (eap-peap) and 802.1x for wired (eap-peap).

Enabling password change with mschpav2 for freeradius requires also 
setting in /mods-available/eap in mschapv2 section:

  mschapv2 {
                send_error = yes

I tested it strictly with windows computers, so I believe it's really 
dependent on what is trying to authenticate. For windows (7 and above 
tested) You have to also set via GPO or manually 802.1x authentication 
settings, one of them is to allow for extra windows during logon 
process. If it is setup, than You will get, as a user with expired 
password, prompt to change Your password (typical: old password - new 
password - retype new password). And it works in this setup (samba 4.7.6 
DC, freeradius with 4.6.2 samba as domain member, with setting on samba 
DC ntlm auth = mschpav2-and-ntlmv2-only).

Basically, from what i understand, there are certain errors that can 
happen during mschapv2 authorization, one of them is "password is 
correct but expired" and with proper settings it's possible to allow 
connecting client to change password. I never bothered looking up, what 
else, except for windows clients can benefit from the password change, 
so I can't help You more than this.

W dniu 28.03.2018 o 08:18, Dr. Peer-Joachim Koch via samba pisze:
> Hi,
> thank you very much for testing everything out. Great work!
> One question: passchange - which application are working with 
> passchange on radius ?
> In the moment every user with an expired password is NOT able to use 
> services using radius
> for authentication (WLAN,VPN). Is there any documentation available ?
> Bye, Peer
> On 27.03.2018 22:40, Kacper Wirski via samba wrote:
>> Hello,
>> I can definately confirm that it's working.
>> My basic setup is:
>> 1) Samba 4.7.6 AD DC (2 of them), compiled from source, on centos 7
>> 2) Freeradius 3.0.13 + samba 4.6.2 as domain member, packages 
>> straight from centos repo. // I  tested also on freeradius 3.0.14 and 
>> samba 4.7.x
>> smb.conf on the DC is pretty basic, most important is obviously in 
>> [globall]:
>>         ntlm auth = mschapv2-and-ntlmv2-only
>> On server with freeradius + samba 4.6.2:
>> machine is added to AD using samba with net ads join.
>> Most important configuration to make mschapv2 only with ntlmv1 
>> overall disabled (except for mschapv2) is setting in freeradius in 
>> /mods-available/mschap:
>> mschap {
>> .....
>> ntlm_auth = "/path/to/ntlm_auth *--allow-mschapv2* --request-nt-key 
>> --username=%{mschap:User-Name} --domain=WINDOWSDOMAIN 
>> --challenge=%{%{mschap:Challenge}:-00} 
>> --nt-response=%{%{mschap:NT-Response}:-00}"
>> OR (if your Freeradius supports it)
>> winbind_username = "%{%{mschap:User-Name}:-00}"
>> winbind_domain = "WINDOWSDOMAIN"
>> The former works just fine, the latter requires freeradius to be 
>> built with winbind auth, for example for centos i had to rebuild rpm 
>> and add to ./configure path to winbind libraries.
>> That's all that's needed to change from the "standard", well 
>> documented  freeradius/AD integration for the integration.
>> If there are going to be password changes with freeradius ("your 
>> password has expired" - type - scenarios) You should probably also 
>> configure in /mods-available/mschap additionaly:
>> passchange {
>>                 ntlm_auth = "/path/to/ntlm_auth 
>> --helper-protocol=ntlm-change-password-1 *--allow-mschapv2*"
>>                 ntlm_auth_username = "username: %{mschap:User-Name}"
>>                 ntlm_auth_domain = "nt-domain: WINDOWSDOMAIN"
>> I'm saying "should probably configure" because  with the settings as 
>> above it works just fine, so even it's unnecessary, it doesn't break 
>> anything, and unfortunately I was unable to test if it works (I doubt 
>> it) without this option while denying ntlmv1 overall on ad dc.
>> If everything works as intented, in the AD DC audit log You will see 
>> something like this:
>> {"timestamp": "some-date0", "type": "Authentication", 
>> "Authentication": {"version": {"major": 1, "minor": 0}, "status": 
>> "NT_STATUS_OK", "localAddress": "ipv4:xxx.xxx.xxx.xxx", 
>> "remoteAddress": "ipv4:xxx.xxx.xxx.xxx:58046", "serviceDescription": 
>> "SamLogon", "authDescription": "network", "clientDomain": 
>> "WINDOWSDOMAIN", "clientAccount": "some-user", "workstation": 
>> "\\\\SOME-HOST", "becameAccount": "some-user", "becameDomain": 
>> "WINDOWSDOMAIN", "becameSid": "SOME-SID", "mappedAccount": 
>> "some-user", "mappedDomain": "WINDOWSDOMAIN", "netlogonComputer": 
>> "SOME-HOST", "netlogonTrustAccount": "SOME-HOST$", 
>> "netlogonNegotiateFlags": "0x610FFFFF", "netlogonSecureChannelType": 
>> 2, "netlogonTrustAccountSid": "somesid, *"passwordType": "MSCHAPv2"*}}
>> Without "--allow-mschapv2" You would see "passwordType":"NTLMv1".
>> Also I have no idea when ntlm_auth --allow-mschapv2 option was added?
>> W dniu 27.03.2018 o 10:06, Rowland Penny via samba pisze:
>>> On Tue, 27 Mar 2018 09:36:42 +0200
>>> "k.wirski via samba" <samba at lists.samba.org> wrote:
>>>> ok, tested it, and it works.
>>>> so to summarize:
>>>> on samba ad 4.7.x  in smb.conf "ntlm auth" is set to
>>>> "mschapv2-and-ntlmv2-only" fr + samba domain member (4.6 and 4.7) in
>>>> mods-available/mschap you have to add to ntlm_auth --allow-mschapv2
>>>> to the whole string OR just use winbind method, which sets correct
>>>> flag without explicitly adding it.
>>> Not sure it will work with 4.6 as it doesn't have the required
>>> 'mschapv2-and-ntlmv2-only' option for 'ntlm auth'
>>>> with those settings ntlmv1 is blocked except for mschapv2, and it's
>>>> nicely visible in samba auth_audit log.
>>>> I also tried password change with ntlm_auth (for expired password at
>>>> logon via FR) and it works fine too, with added --allow-mschapv2.
>>>> I completely missed ntlm_auth option --allow-mschapv2!
>>>> Thank You for pointing it out.
>>> If you can let us know just what you changed to get it working, I will
>>> put something on the Samba wiki.
>>> Rowland

More information about the samba mailing list