[Samba] Samba 4.10.7 + freeradius 3.0.17 +ntlm_auth - Debian buster

Christian Naumer cn at brain-biotech.de
Fri Aug 30 11:32:29 UTC 2019


On 30.08.19 at 13:09, L.P.H. van Belle via samba wrote:

> Now Christian, this fails for me. 
> radtest -t mschap 'NTDOM\username' 'passwd' localhost 0 testing 
> ( MS-CHAP-Error = "\000E=691 R=1 C=58f41f1a946ac94a V=2") 
> 
> So my question here is, are the username@REALM logins also working for you? 
> And are you using in smb.conf:  winbind use default domain = yes 

username@REALM does not work. However, we do not use this.
And as it runs on the DC, "winbind use default domain = yes" is the default.




> 
> But guys, so far, I'm going very happily towards the weekend. 
> 
> 
> Greetz, 
> 
> Louis
>  
> 
>> -----Original Message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of 
>> Christian Naumer via samba
>> Sent: Friday 30 August 2019 12:53
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] Samba 4.10.7 + freeradius 3.0.17 
>> +ntlm_auth - Debian buster
>>
>> We have this running but on a DC (Samba 4.10.7).
>>
>> We have this line in /etc/raddb/mods-enabled/mschap. Only this line!
>> DOMAIN is the actual NetBIOS name of the domain.
>>
>>
>> ntlm_auth = "/usr/bin/ntlm_auth --allow-mschapv2 --request-nt-key
>> --username=%{mschap:User-Name:-None} --domain=DOMAIN
>> --challenge=%{mschap:Challenge:-00} 
>> --nt-response=%{mschap:NT-Response:-00}"
>>
>>
>> Do your users log in with DOMAIN\user or just user? Ours do both.
>>
>> Freeradius version on our side is 3.0.13.
>>
>> Regards
>>
>>
>>
>> On 30.08.19 at 12:11, L.P.H. van Belle via samba wrote:
>>> Hi, 
>>>  
>>> It does not happen often but yes, I also need some help, as 
>>> I can't know everything either and I'm new to freeradius. 
>>>
>>> I'm working on a configuration for a samba member + freeradius 
>>> with ntlm_auth. 
>>> Why ntlm_auth? Because the next ones are kerberos and ldap 
>>> auth to configure. 
>>> I want to have some fallback options here and you have to 
>>> start somewhere. 
>>>
>>> This is running on my new proxy/gateway server, which also 
>>> uses ntlm_auth and that works fine.
>>>  
>>> Now, basically this looks simple and should be, but I'm missing 
>>> something.
>>> So what am I doing? I'm following http://deployingradius.com/ 
>>> Followed these steps, that works out fine. 
>>> Then we go to: 
>>> http://deployingradius.com/documents/configuration/active_directory.html 
>>>  
>>> For smb.conf I use the config I always use, pretty basic + I 
>>> added (as noted on the site): 
>>>  ntlm auth = mschapv2-and-ntlmv2-only
>>>
>>> And of course I joined this server to the domain. 
>>>
>>> Now I'm at: Configuring FreeRADIUS to use ntlm_auth for MS-CHAP 
>>> And I just can not get this to work. 
>>>
>>> What I notice:
>>>
>>> (0) Found Auth-Type = mschap
>>> (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
>>> (0)   authenticate {
>>> (0) mschap: Client is using MS-CHAPv1 with NT-Password
>>> (0) mschap: Executing: /usr/bin/ntlm_auth --allow-mschapv2 --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --domain=NTDOM --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}:
>>> (0) mschap: EXPAND --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
>>> (0) mschap:    --> --username=obell
>>> (0) mschap: mschap1: d4
>>> (0) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00}
>>> (0) mschap:    --> --challenge=changedChallenge
>>> (0) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00}
>>> (0) mschap:    --> --nt-response=ChangedResponse
>>> (0) mschap: ERROR: Program returned code (1) and output 'The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)'
>>> (0) mschap: External script failed
>>> (0) mschap: ERROR: External script says: The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)
>>> (0) mschap: ERROR: MS-CHAP2-Response is incorrect
>>> (0)     [mschap] = reject
>>>
>>> What is not clear here to me is: 
>>>
>>> I test:  radtest -t mschap myusername 'MyPass!' localhost 0 testing123-1
>>>
>>> Response: 
>>> (1) mschap: Client is using MS-CHAPv1 with NT-Password
>>> Then I'm thinking, why chap-v1?
>>>
>>> I'm thinking I'm sending with: --allow-mschapv2  << mschap V2 
>>>
>>> ntlm_auth = "/usr/bin/ntlm_auth --allow-mschapv2 --request-nt-key \
>>>  --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} \
>>>  --domain=NTDOM --challenge=%{%{mschap:Challenge}:-00} \
>>>  --nt-response=%{%{mschap:NT-Response}:-00}" 
>>>
>>> In the end all tests result in: 
>>>
>>> (4)   MS-CHAP-Error = "\000E=691 R=1 C=877c690dc4020be0 V=2" 
>>>
>>> Testing with: 
>>> ntlm_auth --allow-mschapv2 --username=myusername 
>>> --challenge=0x....  --nt-response=0xx... 
>>> Returns: The attempted logon is invalid. This is either 
>>> due to a bad username or authentication information. (0xc000006d) 
>>>
>>> So if someone has an idea what's going on/where to look? 
>>> It's most probably something simple that I'm not seeing. 
>>>
>>> I did add the freerad user to the winbindd_priv group also.
>>> I also tried this setup:
>>>
>>> https://wiki.freeradius.org/guide/Active-Directory-direct-via-winbind 
>>> Which looks like a better way to do it, but same results. 
>>>
>>>
>>> I'm very grateful if someone could help me out here or has ideas on the 
>>> best way to debug this. 
>>> Or if someone has samba 4.9+ working with freeradius and 
>>> could share your config, I can better look at what's off. 
>>>
>>> Thanks! 
>>>
>>>
>>> Greetz, 
>>>
>>> Louis
>>>
>>>
>>>
>>

-- 
Dr. Christian Naumer
Unit Head Bioprocess Development
B.R.A.I.N Aktiengesellschaft
Darmstaedter Str. 34-36, D-64673 Zwingenberg
e-mail cn at brain-biotech.com, homepage www.brain-biotech.com
phone +49-6251-9331-30  /   fax +49-6251-9331-11

Registered office: Zwingenberg/Bergstrasse
Registration court: AG Darmstadt, HRB 24758
Management board: Dr. Juergen Eck (Chairman), Manfred Bender,
Ludger Roedder
Chairman of the supervisory board: Dr. Georg Kellinghusen
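Editor's added example (not code from the thread, FreeRADIUS or Samba): the two mschap configs above differ in how the User-Name reaches ntlm_auth. Christian's line uses %{mschap:User-Name:-None} with a hard-coded --domain=DOMAIN; Louis's uses %{%{Stripped-User-Name}:-%{%{User-Name}:-None}} with --domain=NTDOM. The Python below models that split of a RADIUS User-Name into domain and user, builds the argv that such a line executes, and decodes the two results seen in the thread: ntlm_auth's exit status and output (NT_KEY on success, the 0xc000006d STATUS_LOGON_FAILURE text on failure) and the MS-CHAP-Error attribute "E=691 R=1 C=... V=2" from the Access-Reject (RFC 2759 section 6, where 691 is ERROR_AUTHENTICATION_FAILURE). The handling of user@realm (realm taken as the domain) and of host/ machine names (rewritten to host$) is an assumption about what the real module does, not something the thread or the module documentation confirms; the hard-coded default_domain simply mirrors the --domain= option of both configs.

```python
import re
from typing import Optional, Tuple

# RFC 2759 section 6 failure codes carried in the MS-CHAP-Error "E=" field.
MSCHAP_ERROR_NAMES = {
    646: "ERROR_RESTRICTED_LOGON_HOURS",
    647: "ERROR_ACCT_DISABLED",
    648: "ERROR_PASSWD_EXPIRED",
    649: "ERROR_NO_DIALIN_PERMISSION",
    691: "ERROR_AUTHENTICATION_FAILURE",
    709: "ERROR_CHANGING_PASSWORD",
}


def split_nt_name(user_name: str) -> Tuple[Optional[str], str]:
    """Split a RADIUS User-Name into (domain, user).

    'NTDOM\\obell'        -> ('NTDOM', 'obell')
    'obell'               -> (None, 'obell')
    'obell@ad.example'    -> ('ad.example', 'obell')   # assumption: realm used as domain
    'host/pc1.ad.example' -> (None, 'pc1$')            # assumption: machine account
    """
    if "\\" in user_name:
        domain, _, user = user_name.partition("\\")
        return (domain or None), user
    if user_name.startswith("host/"):
        fqdn = user_name[len("host/"):]
        return None, fqdn.split(".", 1)[0] + "$"
    if "@" in user_name:
        user, _, realm = user_name.rpartition("@")
        return (realm or None), user
    return None, user_name


def ntlm_auth_argv(user_name: str, challenge_hex: Optional[str],
                   nt_response_hex: Optional[str],
                   default_domain: Optional[str] = None) -> list:
    """Build the argv a mschap 'ntlm_auth = "..."' line ends up executing.

    default_domain stands in for the hard-coded --domain=DOMAIN of the thread's
    configs; a DOMAIN\\ prefix (or @realm) in User-Name takes precedence over it.
    The ':-00' defaults from the config are reproduced for a missing challenge
    or response.
    """
    domain, user = split_nt_name(user_name)
    domain = domain or default_domain
    argv = ["/usr/bin/ntlm_auth", "--allow-mschapv2", "--request-nt-key",
            f"--username={user}"]
    if domain:
        argv.append(f"--domain={domain}")
    argv.append(f"--challenge={challenge_hex or '00'}")
    argv.append(f"--nt-response={nt_response_hex or '00'}")
    return argv


def parse_ntlm_auth(exit_code: int, output: str) -> Tuple[bool, str]:
    """Interpret ntlm_auth's exit status and stdout.

    With --request-nt-key a successful check prints 'NT_KEY: <32 hex>' and
    exits 0; a failed one prints an NT_STATUS text such as the 0xc000006d
    (STATUS_LOGON_FAILURE) line quoted in the thread and exits non-zero.
    Returns (True, nt_key_hex) or (False, error_text).
    """
    text = output.strip()
    if exit_code == 0:
        m = re.search(r"NT_KEY:\s*([0-9A-Fa-f]{32})", text)
        return True, (m.group(1) if m else "")
    return False, text


def parse_mschap_error(attr: str) -> dict:
    """Decode an MS-CHAP-Error attribute value as FreeRADIUS prints it.

    Layout (RFC 2759): one Ident byte, then 'E=eeeeeeeeee R=r C=cccc V=v M=msg'.
    The \\000 in the debug log is the Ident byte written as an octal escape.
    """
    body = attr if attr.startswith("E=") else attr[1:]
    m = re.match(r"E=(\d+)\s+R=(\d)\s+C=([0-9A-Fa-f]+)\s+V=(\d+)(?:\s+M=(.*))?$", body)
    if not m:
        raise ValueError(f"unrecognised MS-CHAP-Error: {attr!r}")
    code = int(m.group(1))
    return {
        "code": code,
        "name": MSCHAP_ERROR_NAMES.get(code, "UNKNOWN"),
        "retry": m.group(2) == "1",      # R=1: the NAS may let the peer retry
        "challenge": m.group(3),         # new authenticator challenge for a retry
        "version": int(m.group(4)),
        "message": m.group(5) or "",
    }


if __name__ == "__main__":
    # Constructed sample values; the error attribute is the one quoted in the thread.
    print(" ".join(ntlm_auth_argv("NTDOM\\obell", "d4", "00", default_domain="NTDOM")))
    print(parse_mschap_error("\x00E=691 R=1 C=58f41f1a946ac94a V=2"))
```

The argv that ntlm_auth_argv returns can be handed to subprocess.run as the freerad user (sudo -u freerad) to reproduce exactly what the module executes under its own privileges, which is the quickest way to tell a winbindd_priv permission problem from a wrong --username/--domain split.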


