[Samba] NTLM refuses to work on a DC
Oleg Blyahher
oleg.blyahher at bluetest.se
Wed Nov 6 15:27:08 UTC 2019
Hi there,
I'm trying to get FreeRADIUS to authenticate against my Samba DC. It's
Samba 4.7.6-ubuntu running on Ubuntu 18 (kernel version
4.15.0-66-generic). It came nicely packaged with Zentyal, which provides
a nice GUI for managing a domain, as well as a CA and lots of cool small
features. That same Zentyal also includes support for FreeRADIUS (3.0.16).
This is my smb.conf:
[global]
workgroup = company
realm = INTERNAL.COMPANY.COM
netbios name = dc
server string = Zentyal Server
server role = dc
server role check:inhibit = yes
server services = -dns
server signing = auto
dsdb:schema update allowed = yes
ldap server require strong auth = no
drs:max object sync = 1200
ntlm auth = yes
idmap_ldb:use rfc2307 = yes
winbind enum users = yes
winbind enum groups = yes
template shell = /bin/bash
template homedir = /home/%U
tls enabled = yes
tls keyfile = /var/lib/zentyal/conf/ssl/ssl.pem
tls certfile = /var/lib/zentyal/conf/ssl/ssl.pem
tls cafile =
interfaces = lo,ens3,ens9
bind interfaces only = yes
map to guest = Bad User
log level = 3
log file = /var/log/samba/samba.log
max log size = 100000
include = /etc/samba/shares.conf
[netlogon]
path = /var/lib/samba/sysvol/internal.company.com/scripts
browseable = no
read only = yes
[sysvol]
path = /var/lib/samba/sysvol
read only = no
When I run the following, I get no problems whatsoever:
radtest domainuser userpassword localhost 0 secret123
(To those who are not familiar, radtest is a tool for testing
authentication on FreeRADIUS)
Also when I run the following:
ntlm_auth --request-nt-key --domain=COMPANY --username=domainuser --password=userpassword
NT_STATUS_OK: The operation completed successfully. (0x0)
Same with wbinfo -a domainuser%userpassword. In both of these commands
NTLMv2 is being used.
However, if I try to run the following, I get an error:
radtest -t mschap domainuser userpassword localhost 0 secret123
This is what I see in my /var/log/samba/log.wb-COMPANY:
[2019/11/06 15:27:32.944109, 3]
../source3/winbindd/winbindd_pam.c:2138(winbindd_dual_pam_auth_crap)
[ 3096]: pam auth crap domain: COMPANY user: domainuser
[2019/11/06 15:27:32.944307, 3]
../source3/auth/auth.c:189(auth_check_ntlm_password)
check_ntlm_password: Checking password for unmapped user
[COMPANY]\[domainuser]@[DC1] with the new password interface
[2019/11/06 15:27:32.944345, 3]
../source3/auth/auth.c:192(auth_check_ntlm_password)
check_ntlm_password: mapped user is: [COMPANY]\[domainuser]@[DC1]
[2019/11/06 15:27:32.950761, 3]
../source4/auth/ntlm/auth.c:240(auth_check_password_send)
auth_check_password_send: Checking password for unmapped user
[COMPANY]\[domainuser]@[DC1]
auth_check_password_send: user is: [COMPANY]\[domainuser]@[DC1]
[2019/11/06 15:27:32.952257, 2]
../libcli/auth/ntlm_check.c:430(ntlm_password_check)
ntlm_password_check: NTLMv1 passwords NOT PERMITTED for user domainuser
[2019/11/06 15:27:32.952306, 3]
../libcli/auth/ntlm_check.c:437(ntlm_password_check)
ntlm_password_check: NEITHER LanMan nor NT password supplied for user
domainuser
[2019/11/06 15:27:32.953703, 2]
../source4/auth/ntlm/auth.c:475(auth_check_password_recv)
auth_check_password_recv: sam authentication for user
[COMPANY\domainuser] FAILED with error NT_STATUS_WRONG_PASSWORD,
authoritative=1
[2019/11/06 15:27:32.953814, 2]
../auth/auth_log.c:760(log_authentication_event_human_readable)
Auth: [winbind,(null)] user [COMPANY]\[domainuser] at [Wed, 06 Nov
2019 15:27:32.953792 CET] with [NTLMv1] status
[NT_STATUS_WRONG_PASSWORD] workstation [DC1] remote host
[ipv4:127.0.0.1:0] mapped to [COMPANY]\[domainuser]. local host
[ipv4:127.0.0.1:0]
[2019/11/06 15:27:32.954029, 2] ../auth/auth_log.c:220(log_json)
JSON Authentication: {"timestamp": "2019-11-06T15:27:32.953861+0100",
"type": "Authentication", "Authentication": {"version": {"major": 1,
"minor": 0}, "status": "NT_STATUS_WRONG_PASSWORD", "localAddress":
"ipv4:127.0.0.1:0", "remoteAddress": "ipv4:127.0.0.1:0",
"serviceDescription": "winbind", "authDescription": null,
"clientDomain": "COMPANY", "clientAccount": "domainuser", "workstation":
"DC1", "becameAccount": null, "becameDomain": null, "becameSid": "(NULL
SID)", "mappedAccount": "domainuser", "mappedDomain": "COMPANY",
"netlogonComputer": null, "netlogonTrustAccount": null,
"netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0,
"netlogonTrustAccountSid": "(NULL SID)", "passwordType": "NTLMv1"}}
[2019/11/06 15:27:32.954130, 3]
../auth/auth_log.c:139(get_auth_event_server)
get_auth_event_server: Failed to find 'auth_event' registered on the
message bus to send JSON authentication events to:
NT_STATUS_OBJECT_NAME_NOT_FOUND
[2019/11/06 15:27:32.954240, 2]
../source3/auth/auth.c:332(auth_check_ntlm_password)
check_ntlm_password: Authentication for user [domainuser] ->
[domainuser] FAILED with error NT_STATUS_WRONG_PASSWORD, authoritative=1
[2019/11/06 15:27:32.954311, 2]
../auth/auth_log.c:760(log_authentication_event_human_readable)
Auth: [winbind,(null)] user [COMPANY]\[domainuser] at [Wed, 06 Nov
2019 15:27:32.954299 CET] with [NTLMv1] status
[NT_STATUS_WRONG_PASSWORD] workstation [DC1] remote host
[ipv4:127.0.0.1:0] mapped to [COMPANY]\[domainuser]. local host
[ipv4:127.0.0.1:0]
[2019/11/06 15:27:32.954380, 2] ../auth/auth_log.c:220(log_json)
JSON Authentication: {"timestamp": "2019-11-06T15:27:32.954338+0100",
"type": "Authentication", "Authentication": {"version": {"major": 1,
"minor": 0}, "status": "NT_STATUS_WRONG_PASSWORD", "localAddress":
"ipv4:127.0.0.1:0", "remoteAddress": "ipv4:127.0.0.1:0",
"serviceDescription": "winbind", "authDescription": null,
"clientDomain": "COMPANY", "clientAccount": "domainuser", "workstation":
"DC1", "becameAccount": null, "becameDomain": null, "becameSid": "(NULL
SID)", "mappedAccount": "domainuser", "mappedDomain": "COMPANY",
"netlogonComputer": null, "netlogonTrustAccount": null,
"netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0,
"netlogonTrustAccountSid": "(NULL SID)", "passwordType": "NTLMv1"}}
[2019/11/06 15:27:32.954479, 2]
../source3/winbindd/winbindd_pam.c:2108(winbind_dual_SamLogon)
NTLM CRAP authentication for user [COMPANY]\[domainuser] returned
NT_STATUS_WRONG_PASSWORD
The user freerad is added to the winbindd_priv group, and I've also
tried setting ntlm auth = mschapv2-and-ntlmv2-only, and right now it is
set to ntlm auth = yes
Any suggestions as to how I can solve it? I am quite surprised that the
error I get in the end is NT_STATUS_WRONG_PASSWORD.
Thank you in advance, and let me know if I should include any other
information!
Oleg
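The "JSON Authentication" lines quoted above follow a fixed format that is easy to triage. The following is an added example, not part of the original post and not Samba's own code: it parses such lines from a log file and tallies passwordType against status, which is how an administrator would confirm that the failing attempts are NTLMv1 while the working ones are NTLMv2. The sample log text is constructed with placeholder values in the same layout as the quoted entries.

```python
import json
from collections import Counter

PREFIX = "JSON Authentication: "

# Constructed sample in the format auth_log.c emits (each JSON record is one
# physical line in the real log; the mail archive wrapped them). Placeholder
# account and address values, not taken from any real server.
SAMPLE_LOG = """\
[2019/11/06 15:27:32.954029, 2] ../auth/auth_log.c:220(log_json)
JSON Authentication: {"timestamp": "2019-11-06T15:27:32.953861+0100", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 0}, "status": "NT_STATUS_WRONG_PASSWORD", "localAddress": "ipv4:127.0.0.1:0", "remoteAddress": "ipv4:127.0.0.1:0", "serviceDescription": "winbind", "authDescription": null, "clientDomain": "COMPANY", "clientAccount": "domainuser", "workstation": "DC1", "mappedAccount": "domainuser", "mappedDomain": "COMPANY", "passwordType": "NTLMv1"}}
[2019/11/06 15:28:01.100000, 2] ../auth/auth_log.c:220(log_json)
JSON Authentication: {"timestamp": "2019-11-06T15:28:01.100000+0100", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 0}, "status": "NT_STATUS_OK", "localAddress": "ipv4:127.0.0.1:0", "remoteAddress": "ipv4:127.0.0.1:0", "serviceDescription": "winbind", "authDescription": null, "clientDomain": "COMPANY", "clientAccount": "domainuser", "workstation": "DC1", "mappedAccount": "domainuser", "mappedDomain": "COMPANY", "passwordType": "NTLMv2"}}
"""


def parse_auth_events(text):
    """Return the inner 'Authentication' dict of every JSON Authentication line."""
    events = []
    for line in text.splitlines():
        if not line.startswith(PREFIX):
            continue  # timestamp/location lines and other log noise
        try:
            record = json.loads(line[len(PREFIX):])
        except json.JSONDecodeError:
            continue  # truncated or wrapped record: skip rather than crash
        if record.get("type") == "Authentication":
            events.append(record["Authentication"])
    return events


def summarize(events):
    """Count (passwordType, status) pairs, e.g. ('NTLMv1', 'NT_STATUS_WRONG_PASSWORD')."""
    return Counter((e.get("passwordType"), e.get("status")) for e in events)


def ntlmv1_accounts(events):
    """DOMAIN\\account names that attempted NTLMv1, whatever the outcome."""
    return sorted({f"{e.get('clientDomain')}\\{e.get('clientAccount')}"
                   for e in events if e.get("passwordType") == "NTLMv1"})


if __name__ == "__main__":
    evs = parse_auth_events(SAMPLE_LOG)
    for (ptype, status), n in sorted(summarize(evs).items()):
        print(f"{ptype:8} {status:28} {n}")
    print("NTLMv1 clients:", ntlmv1_accounts(evs))
```

Run it against a real file with `parse_auth_events(open('/var/log/samba/log.wb-COMPANY').read())`; a non-zero NTLMv1 row alongside NTLMv2 successes for the same account points at the client's authentication method rather than at a bad password.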