[Samba] Samba and Freeradius...

Marco Gaiarin gaio at sv.lnf.it
Tue Oct 9 15:07:39 UTC 2018


I'm trying to move my freeradius server from debian jessie (freeradius 2.2.5+dfsg-0.2+deb8u1
and samba 4.2.14+dfsg-0+deb8u9) in an NT-like domain to a new stretch
server (freeradius 3.0.12+dfsg-5+deb9u1 and samba 4.8.5+mnu-1~deb9,
Louis' packages). Many things changed.

I've followed (also):
	https://wiki.samba.org/index.php/Authenticating_Freeradius_against_Active_Directory

and added in /etc/samba/smb.conf
	ntlm auth = mschapv2-and-ntlmv2-only

First note: the server that runs freeradius is a domain member, not a DC.
Does 'ntlm auth = mschapv2-and-ntlmv2-only' have to be added to the DC(s)? To the
server that runs freeradius (DC or DM)? It is not clear...


Anyway, I've tried both; first with:
	winbind_username = "%{%{mschap:User-Name}:-00}"
	winbind_domain = "LNFFVG"

and I got 'password expired' (which is not the case):
 rlm_mschap (mschap): Reserved connection (1)
 (19) mschap: sending authentication request user='gaio' domain='LNFFVG'
 rlm_mschap (mschap): Released connection (1)
 rlm_mschap (mschap): Need 4 more connections to reach 10 spares
 rlm_mschap (mschap): Opening additional connection (6), 1 of 26 pending slots used
 (19) mschap: ERROR: When trying to update a password, this return status indicates that the value provided as the current password is not correct. [0xC000006A]
 (19) mschap: ERROR: Password has expired.  User should retry authentication
 (19)     [mschap] = reject
 (19)   } # authenticate = reject
 (19) MSCHAP-Error: ?E=648 R=0 C=fa3be054eae16e879474da85edc05e2b V=3 M=Password expired
 (19) Found new challenge from MS-CHAP-Error: err=648 retry=0 challenge=fa3be054eae16e879474da85edc05e2b
 (19) ERROR: MSCHAP Failure

while if I try with:
	ntlm_auth = "/usr/bin/ntlm_auth --allow-mschapv2 --request-nt-key --domain=LNFFVG --username=%{mschap:User-Name:-None} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"

I got an auth error:
 (9) mschap: ERROR: Program returned code (1) and output 'The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)'
 (9) mschap: External script failed
 (9) mschap: ERROR: External script says: The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)
 (9) mschap: ERROR: MS-CHAP2-Response is incorrect
 (9)     [mschap] = reject
 (9)   } # authenticate = reject
 (9) MSCHAP-Error: ?E=691 R=1 C=290c594e6aefd7535b4ef40dfee2b792 V=3 M=Authentication failed
 (9) Found new challenge from MS-CHAP-Error: err=691 retry=1 challenge=290c594e6aefd7535b4ef40dfee2b792
 (9) ERROR: MSCHAP Failure


Does anyone have some hints? Thanks.


PS: on the same server I have Squid, and authentication works perfectly
 with 'ntlm_auth'...

-- 
dott. Marco Gaiarin				        GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
  Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

		Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
      http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
	(tax code 00307430132, category ONLUS or RICERCA SANITARIA)
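Added example, not part of Marco's post and not FreeRADIUS or Samba code: it recomputes the 8-byte MS-CHAPv2 challenge that rlm_mschap expands from %{mschap:Challenge} and passes to `ntlm_auth --allow-mschapv2` (ChallengeHash from RFC 2759 section 8.2), builds the argument vector equivalent to the ntlm_auth line quoted in the post, and parses the MS-CHAP-Error strings that appear in the debug output. The challenge test vector is the one published in RFC 2759 section 9.2; the 24-byte NT-Response used in the demo is a constructed zero placeholder, and the error strings are the two from the post. The point for triage: if the user name hashed here is not byte-for-byte the one the client used (domain prefix, case), the challenge differs and every NT-Response is rejected, regardless of the domain member's configuration.

```python
"""Added example (not FreeRADIUS or Samba code): MS-CHAPv2 ChallengeHash as
given to ntlm_auth, the ntlm_auth argv equivalent to the post's config line,
and a parser for the MS-CHAP-Error attribute.  Standard library only."""
import hashlib
import re

# MS-CHAPv2 failure codes, RFC 2759 section 6.
MSCHAP_ERROR_CODES = {
    646: "ERROR_RESTRICTED_LOGON_HOURS",
    647: "ERROR_ACCT_DISABLED",
    648: "ERROR_PASSWD_EXPIRED",
    649: "ERROR_NO_DIALIN_PERMISSION",
    691: "ERROR_AUTHENTICATION_FAILURE",
    709: "ERROR_CHANGING_PASSWORD",
}

# RFC 2759 section 6 format: "E=eeeeeeeeee R=r C=<32 hex> V=vvvvvvvvvv M=<msg>".
# FreeRADIUS debug output prints the one-byte Ident in front of it (the '?'
# in the post), so one leading character is tolerated.
MSCHAP_ERROR_RE = re.compile(
    r"^(?P<ident>.)?E=(?P<code>\d+) R=(?P<retry>[01]) "
    r"C=(?P<challenge>[0-9a-fA-F]{32}) V=(?P<version>\d+) M=(?P<message>.*)$"
)

# The two MS-CHAP-Error values from the post's debug output.
POST_ERRORS = [
    "?E=648 R=0 C=fa3be054eae16e879474da85edc05e2b V=3 M=Password expired",
    "?E=691 R=1 C=290c594e6aefd7535b4ef40dfee2b792 V=3 M=Authentication failed",
]


def challenge_hash(peer_challenge, authenticator_challenge, user_name):
    """ChallengeHash() of RFC 2759 section 8.2: SHA-1 over the 16-byte peer
    challenge, the 16-byte authenticator challenge and the user name (as the
    peer sent it, excluding any prepended domain), truncated to 8 bytes.
    For MS-CHAPv2 this is what %{mschap:Challenge} expands to and what
    ntlm_auth --allow-mschapv2 expects in --challenge."""
    if len(peer_challenge) != 16 or len(authenticator_challenge) != 16:
        raise ValueError("MS-CHAPv2 challenges are 16 bytes each")
    h = hashlib.sha1()
    h.update(peer_challenge)
    h.update(authenticator_challenge)
    h.update(user_name.encode("utf-8"))
    return h.digest()[:8]


def ntlm_auth_argv(domain, user_name, challenge, nt_response):
    """Argument vector equivalent to the ntlm_auth line in the post once
    rlm_mschap has expanded %{mschap:User-Name}, %{mschap:Challenge} and
    %{mschap:NT-Response}.  Path and flags are copied from the post; the
    binary values are passed as hex."""
    if len(challenge) != 8 or len(nt_response) != 24:
        raise ValueError("expected 8-byte challenge and 24-byte NT-Response")
    return [
        "/usr/bin/ntlm_auth", "--allow-mschapv2", "--request-nt-key",
        "--domain=" + domain,
        "--username=" + user_name,
        "--challenge=" + challenge.hex(),
        "--nt-response=" + nt_response.hex(),
    ]


def parse_mschap_error(attr):
    """Split an MS-CHAP-Error string into its fields.  For E=648 the C field
    carries the new challenge the peer must use for the password change,
    which is why FreeRADIUS logs 'Found new challenge from MS-CHAP-Error'."""
    m = MSCHAP_ERROR_RE.match(attr)
    if not m:
        raise ValueError("not an MS-CHAP-Error string: %r" % attr)
    code = int(m.group("code"))
    return {
        "code": code,
        "name": MSCHAP_ERROR_CODES.get(code, "UNKNOWN"),
        "retry_allowed": m.group("retry") == "1",
        "new_challenge": bytes.fromhex(m.group("challenge")),
        "version": int(m.group("version")),
        "message": m.group("message"),
    }


if __name__ == "__main__":
    # Test vector from RFC 2759 section 9.2 (UserName "User").
    peer = bytes.fromhex("21402324255e262a28295f2b3a337c7e")
    auth = bytes.fromhex("5b5d7c7d7b3f2f3e3c2c602132262628")
    chal = challenge_hash(peer, auth, "User")
    print("challenge hash:", chal.hex())  # d02e4386bce91226
    # bytes(24) is a constructed placeholder, not a real NT-Response.
    print(" ".join(ntlm_auth_argv("LNFFVG", "User", chal, bytes(24))))
    for line in POST_ERRORS:
        print(parse_mschap_error(line))
```

Run it as-is to see the RFC vector and the parsed errors; to check a live failure, take the peer challenge, authenticator challenge and user name from `radiusd -X` output, feed them to `challenge_hash`, and compare with the `--challenge=` value rlm_mschap actually passed.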
