[Samba] Samba 4.10.7 + freeradius 3.0.17 +ntlm_auth - Debian buster

Christian Naumer cn at brain-biotech.de
Fri Aug 30 10:53:18 UTC 2019


We have this running but on a DC (Samba 4.10.7).

We have this line in /etc/raddb/mods-enabled/mschap. Only this line!
DOMAIN is the actual netbios name of the domain.


ntlm_auth = "/usr/bin/ntlm_auth --allow-mschapv2 --request-nt-key
--username=%{mschap:User-Name:-None} --domain=DOMAIN
--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"


Do your users log in with DOMAIN\user or just user? Ours do both.

Freeradius version on our side is 3.0.13.

Regards



On 30.08.19 at 12:11, L.P.H. van Belle via samba wrote:
> Hai, 
>  
> It does not happen often, but yes, I also need some help, as I can't know everything and I'm new to freeradius. 
> 
> I'm working on a configuration for samba member + freeradius with ntlm_auth. 
> Why ntlm_auth? Because the next ones to configure are kerberos and ldap auth.. 
> I want to have some fallback options here and you have to start somewhere. 
> 
> This is running on my new proxy/gateway server, which also uses ntlm_auth and that works fine.
>  
> Now, basically this looks simple and should be, but I'm missing something.
> So what am I doing: I'm following http://deployingradius.com/ 
> I followed these steps; that works out fine. 
> Then we go to: http://deployingradius.com/documents/configuration/active_directory.html 
>  
> For smb.conf I use the config I always use, pretty basic, + I added (as noted on the site): 
>  ntlm auth = mschapv2-and-ntlmv2-only
> 
> And of course I joined this server to the domain. 
> 
> Now I'm at: Configuring FreeRADIUS to use ntlm_auth for MS-CHAP 
> And I just cannot get this to work. 
> 
> What I notice:
> 
> (0) Found Auth-Type = mschap
> (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (0)   authenticate {
> (0) mschap: Client is using MS-CHAPv1 with NT-Password
> (0) mschap: Executing: /usr/bin/ntlm_auth --allow-mschapv2 --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --domain=NTDOM --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}:
> (0) mschap: EXPAND --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
> (0) mschap:    --> --username=obell
> (0) mschap: mschap1: d4
> (0) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00}
> (0) mschap:    --> --challenge=changedChallenge
> (0) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00}
> (0) mschap:    --> --nt-response=ChangedResponce
> (0) mschap: ERROR: Program returned code (1) and output 'The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)'
> (0) mschap: External script failed
> (0) mschap: ERROR: External script says: The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)
> (0) mschap: ERROR: MS-CHAP2-Response is incorrect
> (0)     [mschap] = reject
> 
> What is not clear to me here is: 
> 
> I test:  radtest -t mschap myusername 'MyPass!' localhost 0 testing123-1
> 
> Response: 
> (1) mschap: Client is using MS-CHAPv1 with NT-Password
> Then I'm thinking: why chap-v1?
> 
> I'm thinking I'm sending with: --allow-mschapv2  << mschap V2 
> 
> ntlm_auth = "/usr/bin/ntlm_auth --allow-mschapv2 --request-nt-key \
>  --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} \
>  --domain=NTDOM --challenge=%{%{mschap:Challenge}:-00} \
>  --nt-response=%{%{mschap:NT-Response}:-00}" 
> 
> In the end all tests result in: 
> 
> (4)   MS-CHAP-Error = "\000E=691 R=1 C=877c690dc4020be0 V=2" 
> 
> Testing with: 
> ntlm_auth --allow-mschapv2 --username=myusername --challenge=0x....  --nt-response=0xx... 
> Returns: The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d) 
> 
> So, does someone have an idea what's going on / where to look? 
> It's most probably something simple that I'm not seeing.. 
> 
> I did add the freerad user to the winbindd_priv group also.
> I also tried this setup:
> https://wiki.freeradius.org/guide/Active-Directory-direct-via-winbind 
> Which looks like a better way to do it, but same results. 
> 
> 
> I'm very grateful if anyone could help me out here or has ideas on the best way to debug this. 
> Or if someone has samba 4.9+ working with freeradius and could share your config, I can better look at what's off. 
> 
> Thanks! 
> 
> 
> Greetz, 
> 
> Louis
> 
> 
> 

-- 
Dr. Christian Naumer
Unit Head Bioprocess Development
B.R.A.I.N Aktiengesellschaft
Darmstaedter Str. 34-36, D-64673 Zwingenberg
e-mail cn at brain-biotech.com, homepage www.brain-biotech.com
fon +49-6251-9331-30  /   fax +49-6251-9331-11

Registered office: Zwingenberg/Bergstrasse
Commercial register: AG Darmstadt, HRB 24758
Management board: Dr. Juergen Eck (Chairman), Manfred Bender,
Ludger Roedder
Chairman of the supervisory board: Dr. Georg Kellinghusen
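The two `ntlm_auth = ...` lines in this thread differ in how they pick the `--username` value: Christian's uses `%{mschap:User-Name:-None}`, Louis's uses `%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}`. The Python below is an added example, not code from the thread or from FreeRADIUS or Samba: it models the FreeRADIUS xlat syntax those lines use (`%{attr}`, `%{attr:-default}`, nested `%{...}`, and the `%{mschap:...}` xlat, here approximated as "strip the DOMAIN\ prefix"; that approximation is an assumption of this example), expands both templates over constructed `User-Name` values, and parses the debug lines quoted above for the NTSTATUS and MS-CHAP-Error codes. `DC_TEMPLATE`, `MEMBER_TEMPLATE`, `SAMPLE_DEBUG` and the helper names are all this example's own.

```python
import re

# Codes seen in the thread's output (NTSTATUS from ntlm_auth, E= from RFC 2759).
NTSTATUS = {0xC000006D: "STATUS_LOGON_FAILURE"}
MSCHAP_ERRORS = {691: "ERROR_AUTHENTICATION_FAILURE"}

# The two config lines from the thread (DC side and member-server side).
DC_TEMPLATE = ("/usr/bin/ntlm_auth --allow-mschapv2 --request-nt-key "
               "--username=%{mschap:User-Name:-None} --domain=DOMAIN "
               "--challenge=%{mschap:Challenge:-00} "
               "--nt-response=%{mschap:NT-Response:-00}")
MEMBER_TEMPLATE = ("/usr/bin/ntlm_auth --allow-mschapv2 --request-nt-key "
                   "--username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} "
                   "--domain=NTDOM --challenge=%{%{mschap:Challenge}:-00} "
                   "--nt-response=%{%{mschap:NT-Response}:-00}")


def mschap_xlat(name, attrs):
    """Assumed model of %{mschap:...}: User-Name with a DOMAIN\\ prefix removed,
    NT-Domain the prefix itself, anything else read from constructed
    'mschap:<name>' keys in attrs (empty when absent)."""
    domain, _, bare = attrs.get("User-Name", "").rpartition("\\")
    if name == "User-Name":
        return bare
    if name == "NT-Domain":
        return domain
    return attrs.get("mschap:" + name, "")


def _matching_brace(s, start):
    """Index of the '}' closing the '{' at s[start]."""
    depth = 0
    for k in range(start, len(s)):
        if s[k] == "{":
            depth += 1
        elif s[k] == "}":
            depth -= 1
            if depth == 0:
                return k
    raise ValueError("unbalanced %{...} in " + s)


def _split_default(inner):
    """Split 'ref:-default' at the first top-level ':-' (default may be None)."""
    depth = 0
    for k in range(len(inner) - 1):
        if inner[k] == "{":
            depth += 1
        elif inner[k] == "}":
            depth -= 1
        elif depth == 0 and inner[k:k + 2] == ":-":
            return inner[:k], inner[k + 2:]
    return inner, None


def expand(tmpl, attrs):
    """Expand %{...} references left to right, recursing into nested ones;
    an empty result falls back to the ':-' default, as in FreeRADIUS."""
    out, i = [], 0
    while i < len(tmpl):
        if not tmpl.startswith("%{", i):
            out.append(tmpl[i])
            i += 1
            continue
        j = _matching_brace(tmpl, i + 1)
        ref, default = _split_default(tmpl[i + 2:j])
        if ref.startswith("%{"):
            value = expand(ref, attrs)
        elif ref.startswith("mschap:"):
            value = mschap_xlat(ref[len("mschap:"):], attrs)
        else:
            value = attrs.get(ref, "")
        if value == "" and default is not None:
            value = expand(default, attrs)
        out.append(value)
        i = j + 1
    return "".join(out)


def expand_args(tmpl, attrs):
    """Expanded command as a dict of --flag -> value (whitespace split only;
    rlm_exec's own argument quoting is not modelled here)."""
    args = {}
    for tok in expand(tmpl, attrs).split():
        key, sep, val = tok.partition("=")
        args[key] = val if sep else True
    return args


# Constructed from the debug output quoted in the thread.
SAMPLE_DEBUG = [
    "(0) mschap: Client is using MS-CHAPv1 with NT-Password",
    "(0) mschap:    --> --username=obell",
    "(0) mschap: ERROR: Program returned code (1) and output 'The attempted "
    "logon is invalid. This is either due to a bad username or authentication "
    "information. (0xc000006d)'",
    r'(4)   MS-CHAP-Error = "\000E=691 R=1 C=877c690dc4020be0 V=2"',
]


def summarize_debug(lines):
    """Extract the announced MS-CHAP version, the expanded --username, the
    ntlm_auth exit code with its NTSTATUS name, and the MS-CHAP-Error E= code."""
    facts = {}
    for line in lines:
        if m := re.search(r"Client is using (MS-CHAPv\d)", line):
            facts["version"] = m.group(1)
        if m := re.search(r"--> --username=(\S+)", line):
            facts["username"] = m.group(1)
        if m := re.search(r"Program returned code \((\d+)\).*\((0x[0-9a-fA-F]+)\)", line):
            facts["exit_code"] = int(m.group(1))
            facts["ntstatus"] = NTSTATUS.get(int(m.group(2), 16), m.group(2))
        if m := re.search(r'MS-CHAP-Error = ".*?E=(\d+)', line):
            facts["mschap_error"] = MSCHAP_ERRORS.get(int(m.group(1)), m.group(1))
    return facts
```

Running `expand_args(DC_TEMPLATE, {"User-Name": "DOMAIN\\obell"})` gives `--username=obell`, while the member template gives `--username=DOMAIN\obell` unless something earlier in the request chain set `Stripped-User-Name`; under the xlat behaviour this example assumes, that is the difference Christian's question about `DOMAIN\user` logins is probing. `summarize_debug(SAMPLE_DEBUG)` turns the quoted output into `STATUS_LOGON_FAILURE` from ntlm_auth and `ERROR_AUTHENTICATION_FAILURE` (E=691) from the MS-CHAP reply.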


