[Samba] Samba 4.10.7 + freeradius 3.0.17 +ntlm_auth - Debian buster

Rowland penny rpenny at samba.org
Fri Aug 30 11:08:31 UTC 2019


On 30/08/2019 11:53, Christian Naumer via samba wrote:
> We have this running but on a DC (Samba 4.10.7).
>
> we have this line in /etc/raddb/mods-enabled/mschap. Only this line!
> DOMAIN is the actual netbio name of the domain.
>
>
> ntlm_auth = "/usr/bin/ntlm_auth --allow-mschapv2 --request-nt-key
> --username=%{mschap:User-Name:-None} --domain=DOMAIN
> --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
>
>
> Do you users login in with DOMAIN\user or just user? Ours do both.
>
> Freeradius version on our side is 3.0.13.
>
> Regards
>
>
>
> Am 30.08.19 um 12:11 schrieb L.P.H. van Belle via samba:
>> Hai,
>>   
>> It does not happen often but yes, i also need some help as i cant know everything also and im new with freeradius.
>>
>> Im working on a configuration for samba member + freeradius with ntlm_auth.
>> Why ntlm_auth, because the next one is kerberos and ldap auth to configure..
>> I want to have some fallback options here and you have to start somewhere.
>>
>> This is running on my new proxy/gateway server, which also uses ntlm_auth and that works fine.
>>   
>> Now, basicly this looks simple and should be but im missing something.
>> so what im i doing, im following http://deployingradius.com/
>> Followed these steps, that works out fine.
>> Then we goto : http://deployingradius.com/documents/configuration/active_directory.html
>>   
>> for smb.conf i use the config i always us, pretty basic + i added (ass noted on the site) :
>>   ntlm auth = mschapv2-and-ntlmv2-only
>>
>> And offcourse i joined this server to the domain.
>>
>> Now im at : Configuring FreeRADIUS to use ntlm_auth for MS-CHAP
>> And i just can not get this to work.
>>
>> What i notice.
>>
>> (0) Found Auth-Type = mschap
>> (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
>> (0)   authenticate {
>> (0) mschap: Client is using MS-CHAPv1 with NT-Password
>> (0) mschap: Executing: /usr/bin/ntlm_auth --allow-mschapv2 --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --domain=NTDOM --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}:
>> (0) mschap: EXPAND --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
>> (0) mschap:    --> --username=obell
>> (0) mschap: mschap1: d4
>> (0) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00}
>> (0) mschap:    --> --challenge=changedChallenge
>> (0) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00}
>> (0) mschap:    --> --nt-response=ChangedResponce
>> (0) mschap: ERROR: Program returned code (1) and output 'The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)'
>> (0) mschap: External script failed
>> (0) mschap: ERROR: External script says: The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)
>> (0) mschap: ERROR: MS-CHAP2-Response is incorrect
>> (0)     [mschap] = reject
>>
>> What is not clear here to me is .
>>
>> I test :  radtest -t mschap myusername 'MyPass!' localhost 0 testing123-1
>>
>> Responce:
>> (1) mschap: Client is using MS-CHAPv1 with NT-Password
>> Then im thinking why chap-v1.
>>
>> Im thinking im sending with : --allow-mschapv2  << mschap V2
>>
>> ntlm_auth = "/usr/bin/ntlm_auth --allow-mschapv2 --request-nt-key \
>>   --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} \
>>   --domain=NTDOM --challenge=%{%{mschap:Challenge}:-00} \
>>   --nt-response=%{%{mschap:NT-Response}:-00}"
>>
>> In the end all tests result in :
>>
>> (4)   MS-CHAP-Error = "\000E=691 R=1 C=877c690dc4020be0 V=2"
>>
>> Testing with :
>> ntlm_auth --allow-mschapv2 --username=myusername --challenge=0x....  --nt-response=0xx...
>> Returns : The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)
>>
>> So if someone has an idea whats going on/where to look?
>> Its most probely something simple what i not seeing..
>>
>> I did add freerad user to winbindd_priv group also.
>> I also tried this setup:
>> https://wiki.freeradius.org/guide/Active-Directory-direct-via-winbind
>> Which looks a better way to do, but same results.
>>
>>
>> Im very gratefull on could help me out here of has ideas on best way to debug this.
>> Or is someone has a samba 4.9+ working with freeradius and if you could share you config, i can better look whats off.
>>
>> Thanks!
>>
>>
>> Greetz,
>>
>> Louis
>>
>>
>>
Sheesh, it is a bit much when even Samba team members do not read the 
Samba wiki ;-)

https://wiki.samba.org/index.php/Authenticating_Freeradius_against_Active_Directory

Of course, this does raise the problem of what is freeradius going to do 
when SMBv1 entirely disappears ?

Rowland





More information about the samba mailing list