[Samba] Samba 4.10.7 + freeradius 3.0.17 +ntlm_auth - Debian buster

L.P.H. van Belle belle at bazuin.nl
Fri Aug 30 11:56:52 UTC 2019


OK, so a summary of the working info you guys gave me.

If running freeradius on an AD-DC,
where: winbind use default domain = yes is not working on an AD-DC, it's always no.
See output of wbinfo -u.

You can log in with: username or NTDOM\username.
test: radtest -t mschap 'NTDOM\username' 'password' localhost 0 testing123
test: radtest -t mschap 'username' 'password' localhost 0 testing123

If running freeradius on an AD-Member,
where: winbind use default domain = yes is working.
See output of wbinfo -u.

You can log in with: username or username@REALM
test: radtest -t mschap 'username' 'password' localhost 0 testing123
test: radtest -t mschap 'username@REALM' 'password' localhost 0 testing123

Do note on the REALM.
I noticed this, and maybe a few here can verify it.

If the realm is set as:
[libdefaults]
        default_realm = internal.domain.tld

trying to log in with: username@INTERNAL.DOMAIN.TLD does not work.
You must match caps/non-caps in the REALM.

And: ntlm auth = mschapv2-and-ntlmv2-only must be set on all servers where it's needed,
the member and ALL the AD-DCs.

Respect this and then "it just works"  :-)


So far,

Greetz, 

Louis
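Added here as a worked example, not code from the thread or from Samba/FreeRADIUS: a small Python preflight that encodes the three points summarised above (the ntlm auth setting, which login spellings to expect from the wbinfo -u output, and the case-sensitive realm match). The smb.conf, krb5.conf and wbinfo -u texts are constructed samples; NTDOM and internal.domain.tld are the thread's own placeholders.

```python
# Added example (not from the thread, Samba or FreeRADIUS); all inputs are constructed samples.
def parse_ini(text):
    """Minimal smb.conf / krb5.conf parser: {section: {key: value}}, keys lower-cased."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#")[0].split(";")[0].strip()  # drop comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            conf[section][key.lower()] = value
    return conf

def ntlm_auth_ok(smb_conf):
    """'ntlm auth = mschapv2-and-ntlmv2-only' must be set on the member and on every DC."""
    return smb_conf.get("global", {}).get("ntlm auth", "").lower() == "mschapv2-and-ntlmv2-only"

def domain_prefix_in_effect(wbinfo_u_output):
    """True when 'wbinfo -u' prints NTDOM\\user: 'winbind use default domain' is not
    in effect (always the case on an AD DC, whatever smb.conf says)."""
    users = [u.strip() for u in wbinfo_u_output.splitlines() if u.strip()]
    return bool(users) and all("\\" in u for u in users)

def accepted_login_forms(wbinfo_u_output):
    """Login spellings the thread reports as working in each case."""
    if domain_prefix_in_effect(wbinfo_u_output):
        return {"username", "NTDOM\\username"}  # DC
    return {"username", "username@REALM"}  # member with default domain in use

def realm_matches(login, krb5_conf):
    """user@REALM only works when REALM equals default_realm exactly, case included."""
    if "@" not in login:
        return True
    return login.rsplit("@", 1)[1] == krb5_conf.get("libdefaults", {}).get("default_realm")

def preflight(smb_text, krb5_text, wbinfo_text, login):
    smb, krb5 = parse_ini(smb_text), parse_ini(krb5_text)
    return {"ntlm_auth_ok": ntlm_auth_ok(smb), "login_forms": accepted_login_forms(wbinfo_text),
            "realm_case_ok": realm_matches(login, krb5)}

# Constructed sample inputs (NTDOM and internal.domain.tld are the thread's own placeholders).
SMB_CONF = "[global]\n workgroup = NTDOM\n ntlm auth = mschapv2-and-ntlmv2-only\n winbind use default domain = yes\n"
KRB5_CONF = "[libdefaults]\n default_realm = internal.domain.tld\n"
WBINFO_DC = "NTDOM\\alice\nNTDOM\\bob\n"
WBINFO_MEMBER = "alice\nbob\n"
```

Running preflight(SMB_CONF, KRB5_CONF, WBINFO_MEMBER, "alice@INTERNAL.DOMAIN.TLD") flags the realm case mismatch while reporting the ntlm auth setting as correct.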
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Christian Naumer via samba
> Sent: Friday, 30 August 2019 13:32
> To: samba at lists.samba.org
> Subject: Re: [Samba] Samba 4.10.7 + freeradius 3.0.17
> +ntlm_auth - Debian buster
> 
> On 30.08.19 at 13:09, L.P.H. van Belle via samba wrote:
> 
> > Now Christian, this fails for me.
> > radtest -t mschap 'NTDOM\username' 'passwd' localhost 0 testing
> > ( MS-CHAP-Error = "\000E=691 R=1 C=58f41f1a946ac94a V=2" )
> > 
> > So my question here is, are the username@REALM logins also working for you?
> > And are you using in smb.conf:  winbind use default domain = yes
> 
> username@REALM does not work. However we do not use this.
> And as it runs on the DC, "winbind use default domain = yes" is the default.
> 
> > 
> > But guys, so far, I'm going very happy towards the weekend..
> > 
> > 
> > Greetz, 
> > 
> > Louis
> >  
> > 
> >> -----Original message-----
> >> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> >> Christian Naumer via samba
> >> Sent: Friday, 30 August 2019 12:53
> >> To: samba at lists.samba.org
> >> Subject: Re: [Samba] Samba 4.10.7 + freeradius 3.0.17
> >> +ntlm_auth - Debian buster
> >>
> >> We have this running but on a DC (Samba 4.10.7).
> >>
> >> We have this line in /etc/raddb/mods-enabled/mschap. Only this line!
> >> DOMAIN is the actual NetBIOS name of the domain.
> >>
> >>
> >> ntlm_auth = "/usr/bin/ntlm_auth --allow-mschapv2 --request-nt-key
> >> --username=%{mschap:User-Name:-None} --domain=DOMAIN
> >> --challenge=%{mschap:Challenge:-00} 
> >> --nt-response=%{mschap:NT-Response:-00}"
> >>
> >>
> >> Do your users log in with DOMAIN\user or just user? Ours do both.
> >>
> >> Freeradius version on our side is 3.0.13.
> >>
> >> Regards
> >>
> >>
> >>
> >> On 30.08.19 at 12:11, L.P.H. van Belle via samba wrote:
> >>> Hi,
> >>>
> >>> It does not happen often but yes, I also need some help, as I can't know everything and I'm new with freeradius.
> >>>
> >>> I'm working on a configuration for samba member + freeradius with ntlm_auth.
> >>> Why ntlm_auth? Because the next ones to configure are kerberos and ldap auth.
> >>> I want to have some fallback options here and you have to start somewhere.
> >>>
> >>> This is running on my new proxy/gateway server, which also uses ntlm_auth and that works fine.
> >>>
> >>> Now, basically this looks simple and should be, but I'm missing something.
> >>> So what am I doing: I'm following http://deployingradius.com/
> >>> Followed these steps, that works out fine.
> >>> Then we go to: http://deployingradius.com/documents/configuration/active_directory.html
> >>>
> >>> For smb.conf I use the config I always use, pretty basic + I added (as noted on the site):
> >>>  ntlm auth = mschapv2-and-ntlmv2-only
> >>>
> >>> And of course I joined this server to the domain.
> >>>
> >>> Now I'm at: Configuring FreeRADIUS to use ntlm_auth for MS-CHAP
> >>> And I just can not get this to work.
> >>>
> >>> What I notice:
> >>>
> >>> (0) Found Auth-Type = mschap
> >>> (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> >>> (0)   authenticate {
> >>> (0) mschap: Client is using MS-CHAPv1 with NT-Password
> >>> (0) mschap: Executing: /usr/bin/ntlm_auth --allow-mschapv2 --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --domain=NTDOM --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}:
> >>> (0) mschap: EXPAND --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
> >>> (0) mschap:    --> --username=obell
> >>> (0) mschap: mschap1: d4
> >>> (0) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00}
> >>> (0) mschap:    --> --challenge=changedChallenge
> >>> (0) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00}
> >>> (0) mschap:    --> --nt-response=ChangedResponce
> >>> (0) mschap: ERROR: Program returned code (1) and output 'The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)'
> >>> (0) mschap: External script failed
> >>> (0) mschap: ERROR: External script says: The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)
> >>> (0) mschap: ERROR: MS-CHAP2-Response is incorrect
> >>> (0)     [mschap] = reject
> >>>
> >>> What is not clear here to me is this.
> >>>
> >>> I test:  radtest -t mschap myusername 'MyPass!' localhost 0 testing123-1
> >>>
> >>> Response:
> >>> (1) mschap: Client is using MS-CHAPv1 with NT-Password
> >>> Then I'm thinking, why chap-v1?
> >>>
> >>> I'm thinking I'm sending with: --allow-mschapv2  << mschap V2
> >>>
> >>> ntlm_auth = "/usr/bin/ntlm_auth --allow-mschapv2 --request-nt-key \
> >>>  --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} \
> >>>  --domain=NTDOM --challenge=%{%{mschap:Challenge}:-00} \
> >>>  --nt-response=%{%{mschap:NT-Response}:-00}"
> >>>
> >>> In the end all tests result in:
> >>>
> >>> (4)   MS-CHAP-Error = "\000E=691 R=1 C=877c690dc4020be0 V=2"
> >>>
> >>> Testing with:
> >>> ntlm_auth --allow-mschapv2 --username=myusername --challenge=0x....  --nt-response=0xx...
> >>> Returns: The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)
> >>>
> >>> So if someone has an idea what's going on/where to look?
> >>> It's most probably something simple that I'm not seeing..
> >>>
> >>> I did add the freerad user to the winbindd_priv group also.
> >>> I also tried this setup:
> >>> https://wiki.freeradius.org/guide/Active-Directory-direct-via-winbind
> >>> Which looks a better way to do it, but same results.
> >>>
> >>> I'm very grateful if someone could help me out here or has ideas on the best way to debug this.
> >>> Or if someone has a samba 4.9+ working with freeradius and could share your config, I can better look at what's off.
> >>>
> >>> Thanks!
> >>>
> >>> Greetz,
> >>>
> >>> Louis
> >>>
> >>>
> >>
> >> -- 
> >> Dr. Christian Naumer
> >> Unit Head Bioprocess Development
> >> B.R.A.I.N Aktiengesellschaft
> >> Darmstaedter Str. 34-36, D-64673 Zwingenberg
> >> e-mail cn at brain-biotech.com, homepage www.brain-biotech.com
> >> phone +49-6251-9331-30  /   fax +49-6251-9331-11
> >>
> >> Registered office: Zwingenberg/Bergstrasse
> >> Register court: Darmstadt District Court (AG Darmstadt), HRB 24758
> >> Management Board: Dr. Juergen Eck (Chairman), Manfred Bender,
> >> Ludger Roedder
> >> Chairman of the Supervisory Board: Dr. Georg Kellinghusen
> >>
> >> -- 
> >> To unsubscribe from this list go to the following URL and read the
> >> instructions:  https://lists.samba.org/mailman/options/samba
> >>