[Samba] Samba 4.10.7 + freeradius 3.0.17 +ntlm_auth - Debian buster
L.P.H. van Belle
belle at bazuin.nl
Fri Aug 30 11:09:47 UTC 2019
Guys,
Christian, Marco, thank you very much.
Marco, you have the best internal wiki :-)
Very, very useful.
Whooe.. Most is working atm. And as always the solution was so simple..
I forgot... To .. Add...
ntlm auth = mschapv2-and-ntlmv2-only
To the DC's smb.conf. :-/ Pretty stupid.. But.
So far, it looks good. I've tested now.
radtest -t mschap username 'passwd' localhost 0 testing
radtest -t mschap username@REALM 'passwd' localhost 0 testing
These 2 work, thanks for that guys.
Now Christian, this fails for me.
radtest -t mschap 'NTDOM\username' 'passwd' localhost 0 testing
( MS-CHAP-Error = "\000E=691 R=1 C=58f41f1a946ac94a V=2")
So my question here is, are the username@REALM logins also working for you?
And are you using in smb.conf: winbind use default domain = yes
But guys, so far, I'm going very happy towards the weekend..
Greetz,
Louis
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Christian Naumer via samba
> Sent: Friday 30 August 2019 12:53
> To: samba at lists.samba.org
> Subject: Re: [Samba] Samba 4.10.7 + freeradius 3.0.17 +ntlm_auth - Debian buster
>
> We have this running but on a DC (Samba 4.10.7).
>
> We have this line in /etc/raddb/mods-enabled/mschap. Only this line!
> DOMAIN is the actual netbios name of the domain.
>
>
> ntlm_auth = "/usr/bin/ntlm_auth --allow-mschapv2 --request-nt-key
> --username=%{mschap:User-Name:-None} --domain=DOMAIN
> --challenge=%{mschap:Challenge:-00}
> --nt-response=%{mschap:NT-Response:-00}"
>
>
> Do your users log in with DOMAIN\user or just user? Ours do both.
>
> Freeradius version on our side is 3.0.13.
>
> Regards
>
>
>
> On 30.08.19 at 12:11, L.P.H. van Belle via samba wrote:
> > Hai,
> >
> > It does not happen often but yes, I also need some help as I can't know everything also and I'm new with freeradius.
> >
> > I'm working on a configuration for samba member + freeradius with ntlm_auth.
> > Why ntlm_auth? Because the next one is kerberos and ldap auth to configure..
> > I want to have some fallback options here and you have to start somewhere.
> >
> > This is running on my new proxy/gateway server, which also uses ntlm_auth and that works fine.
> >
> > Now, basically this looks simple and should be but I'm missing something.
> > So what am I doing, I'm following http://deployingradius.com/
> > Followed these steps, that works out fine.
> > Then we go to:
> > http://deployingradius.com/documents/configuration/active_directory.html
> >
> > For smb.conf I use the config I always use, pretty basic + I added (as noted on the site):
> > ntlm auth = mschapv2-and-ntlmv2-only
> >
> > And of course I joined this server to the domain.
> >
> > Now I'm at: Configuring FreeRADIUS to use ntlm_auth for MS-CHAP
> > And I just cannot get this to work.
> >
> > What I notice.
> >
> > (0) Found Auth-Type = mschap
> > (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> > (0) authenticate {
> > (0) mschap: Client is using MS-CHAPv1 with NT-Password
> > (0) mschap: Executing: /usr/bin/ntlm_auth --allow-mschapv2 --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --domain=NTDOM --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}:
> > (0) mschap: EXPAND --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
> > (0) mschap: --> --username=obell
> > (0) mschap: mschap1: d4
> > (0) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00}
> > (0) mschap: --> --challenge=changedChallenge
> > (0) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00}
> > (0) mschap: --> --nt-response=ChangedResponce
> > (0) mschap: ERROR: Program returned code (1) and output 'The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)'
> > (0) mschap: External script failed
> > (0) mschap: ERROR: External script says: The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)
> > (0) mschap: ERROR: MS-CHAP2-Response is incorrect
> > (0) [mschap] = reject
> >
> > What is not clear here to me is.
> >
> > I test: radtest -t mschap myusername 'MyPass!' localhost 0 testing123-1
> >
> > Response:
> > (1) mschap: Client is using MS-CHAPv1 with NT-Password
> > Then I'm thinking why chap-v1.
> >
> > I'm thinking I'm sending with: --allow-mschapv2 << mschap V2
> >
> > ntlm_auth = "/usr/bin/ntlm_auth --allow-mschapv2 --request-nt-key \
> > --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} \
> > --domain=NTDOM --challenge=%{%{mschap:Challenge}:-00} \
> > --nt-response=%{%{mschap:NT-Response}:-00}"
> >
> > In the end all tests result in :
> >
> > (4) MS-CHAP-Error = "\000E=691 R=1 C=877c690dc4020be0 V=2"
> >
> > Testing with:
> > ntlm_auth --allow-mschapv2 --username=myusername --challenge=0x.... --nt-response=0xx...
> > Returns: The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)
> >
> > So if someone has an idea what's going on/where to look?
> > It's most probably something simple that I'm not seeing..
> >
> > I did add the freerad user to the winbindd_priv group also.
> > I also tried this setup:
> >
> > https://wiki.freeradius.org/guide/Active-Directory-direct-via-winbind
> > Which looks like a better way to do it, but same results.
> >
> >
> > I'm very grateful if someone could help me out here or has ideas on the best way to debug this.
> > Or if someone has a samba 4.9+ working with freeradius and could share your config, I can better look at what's off.
> >
> > Thanks!
> >
> >
> > Greetz,
> >
> > Louis
> >
> >
> >
>
> --
> Dr. Christian Naumer
> Unit Head Bioprocess Development
> B.R.A.I.N Aktiengesellschaft
> Darmstaedter Str. 34-36, D-64673 Zwingenberg
> e-mail cn at brain-biotech.com, homepage www.brain-biotech.com
> phone +49-6251-9331-30 / fax +49-6251-9331-11
>
> Registered office: Zwingenberg/Bergstrasse
> Register court: AG Darmstadt, HRB 24758
> Executive board: Dr. Juergen Eck (Chairman), Manfred Bender,
> Ludger Roedder
> Chairman of the supervisory board: Dr. Georg Kellinghusen
>
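Added example, not code from this thread nor from the FreeRADIUS or Samba projects: a small Python parser for the two artefacts the thread turns on, the MS-CHAP-Error attribute value (E=691 R=1 C=... V=2) and the rlm_mschap debug lines that show what ntlm_auth was actually handed. The sample debug text is constructed from the lines quoted above; the E= code table is RFC 2759 section 6 and the NT status names are from ntstatus.h.

```python
"""Decode what FreeRADIUS rlm_mschap reports when ntlm_auth rejects a logon.
Added example (not from the thread, FreeRADIUS or Samba)."""
import re

# RFC 2759 section 6: the E= field of an MS-CHAP-Error attribute.
MSCHAP_ERRORS = {
    646: "ERROR_RESTRICTED_LOGON_HOURS",
    647: "ERROR_ACCT_DISABLED",
    648: "ERROR_PASSWD_EXPIRED",
    649: "ERROR_NO_DIALIN_PERMISSION",
    691: "ERROR_AUTHENTICATION_FAILURE",
    709: "ERROR_CHANGING_PASSWORD",
}

# NT status codes ntlm_auth appends in parentheses to its failure message.
NT_STATUS = {
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC000006E: "STATUS_ACCOUNT_RESTRICTION",
    0xC000006F: "STATUS_INVALID_LOGON_HOURS",
    0xC0000071: "STATUS_PASSWORD_EXPIRED",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}

# Constructed sample, condensed from the debug lines quoted in the thread.
SAMPLE_DEBUG = """\
(0) mschap: Client is using MS-CHAPv1 with NT-Password
(0) mschap: Executing: /usr/bin/ntlm_auth --allow-mschapv2 --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --domain=NTDOM --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}:
(0) mschap: EXPAND --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
(0) mschap: --> --username=obell
(0) mschap: ERROR: Program returned code (1) and output 'The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)'
(0) mschap: External script failed
(0) mschap: ERROR: MS-CHAP2-Response is incorrect
(0) [mschap] = reject
""".splitlines()

# Constructed from the attribute value shown in the thread (ident byte printed as \000).
SAMPLE_ERROR = '"\\000E=691 R=1 C=58f41f1a946ac94a V=2"'


def parse_mschap_error(value):
    """Split an MS-CHAP-Error value into ident, error code, retry flag, challenge and version."""
    value = value.strip('"')
    ident = None
    m = re.match(r"\\([0-7]{3})", value)        # FreeRADIUS escapes the ident byte as \ooo
    if m:
        ident = int(m.group(1), 8)
        value = value[m.end():]
    elif not value.startswith("E="):              # raw, unescaped ident byte
        ident, value = ord(value[0]), value[1:]
    m = re.match(r"E=(\d+) R=([01]) C=([0-9a-fA-F]+) V=(\d+)(?: M=(.*))?$", value)
    if m is None:
        raise ValueError("not an MS-CHAP-Error value: %r" % value)
    code = int(m.group(1))
    return {
        "ident": ident,
        "code": code,
        "meaning": MSCHAP_ERRORS.get(code, "unknown"),
        "retry_allowed": m.group(2) == "1",
        "challenge": bytes.fromhex(m.group(3)),   # challenge offered for a retry
        "version": int(m.group(4)),
        "message": m.group(5),
    }


def summarise_mschap_debug(lines):
    """Extract the client's MS-CHAP version, the expanded ntlm_auth arguments and the failure cause."""
    info = {"client_version": None, "username": None, "domain": None,
            "exit_code": None, "nt_status": None, "nt_status_name": None, "result": None}
    for raw in lines:
        line = raw.strip()
        m = re.search(r"Client is using (MS-CHAPv[12])", line)
        if m:
            info["client_version"] = m.group(1)
        m = re.search(r"--> --username=(\S+)", line)       # value after xlat expansion
        if m:
            info["username"] = m.group(1)
        m = re.search(r"--domain=([^\s%]+)", line)         # literal domain from the mschap config
        if m and info["domain"] is None:
            info["domain"] = m.group(1)
        m = re.search(r"Program returned code \((\d+)\)", line)
        if m:
            info["exit_code"] = int(m.group(1))
        m = re.search(r"\((0x[0-9a-fA-F]{8})\)", line)     # NT status in ntlm_auth's message
        if m:
            info["nt_status"] = int(m.group(1), 16)
            info["nt_status_name"] = NT_STATUS.get(info["nt_status"], "unknown")
        m = re.search(r"\[mschap\] = (\w+)", line)
        if m:
            info["result"] = m.group(1)
    return info


if __name__ == "__main__":
    err = parse_mschap_error(SAMPLE_ERROR)
    print("MS-CHAP-Error: E=%d (%s) retry=%s challenge=%s V=%d" % (
        err["code"], err["meaning"], err["retry_allowed"], err["challenge"].hex(), err["version"]))
    for key, val in summarise_mschap_debug(SAMPLE_DEBUG).items():
        print("%-16s %s" % (key, val))
```

E=691 is the generic MS-CHAP authentication failure and 0xc000006d is STATUS_LOGON_FAILURE, so neither value by itself says whether the user name, the domain or the response was wrong; the expanded --username= and --domain= arguments in the debug output are what to compare against the form in which the client (DOMAIN\user, user@REALM or bare user) presented the name. radtest -t mschap sends an MS-CHAPv1 response, so the "Client is using MS-CHAPv1" line is expected for that test regardless of --allow-mschapv2.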