[Samba] NTLM refuses to work on a DC

Oleg Blyahher oleg.blyahher at bluetest.se
Wed Nov 6 15:27:08 UTC 2019


Hi there,

I'm trying to get FreeRADIUS to authenticate against my Samba DC. It's 
Samba 4.7.6-ubuntu running on Ubuntu 18 (kernel version 
4.15.0-66-generic). It came nicely packaged with Zentyal, which provides 
a nice GUI for managing a domain, as well as a CA and lots of cool small 
features. That same Zentyal also includes support for FreeRADIUS (3.0.16).

This is my smb.conf:

[global]
     workgroup = company
     realm = INTERNAL.COMPANY.COM
     netbios name = dc

     server string = Zentyal Server

     server role = dc
     server role check:inhibit = yes
     server services = -dns
     server signing = auto
     dsdb:schema update allowed = yes
     ldap server require strong auth = no
     drs:max object sync = 1200
     ntlm auth = yes

     idmap_ldb:use rfc2307 = yes

     winbind enum users = yes
     winbind enum groups = yes
     template shell = /bin/bash
     template homedir = /home/%U

     tls enabled  = yes
     tls keyfile  = /var/lib/zentyal/conf/ssl/ssl.pem
     tls certfile = /var/lib/zentyal/conf/ssl/ssl.pem
     tls cafile   =

     interfaces = lo,ens3,ens9
     bind interfaces only = yes

     map to guest = Bad User

     log level = 3
     log file = /var/log/samba/samba.log
     max log size = 100000

     include = /etc/samba/shares.conf


[netlogon]
     path = /var/lib/samba/sysvol/internal.company.com/scripts
     browseable = no
     read only = yes

[sysvol]
     path = /var/lib/samba/sysvol
     read only = no

When I run the following, I get no problems whatsoever:

radtest domainuser userpassword localhost 0 secret123

(To those who are not familiar, radtest is a tool for testing 
authentication on FreeRADIUS.)

Also when I run the following:

ntlm_auth --request-nt-key --domain=COMPANY --username=domainuser --password=userpassword

NT_STATUS_OK: The operation completed successfully. (0x0)


Same with wbinfo -a domainuser%userpassword. In both of these commands 
NTLMv2 is being used.


However, if I try to run the following, I get an error:

radtest -t mschap domainuser userpassword localhost 0 secret123

This is what I see in my /var/log/samba/log.wb-COMPANY:

[2019/11/06 15:27:32.944109,  3] ../source3/winbindd/winbindd_pam.c:2138(winbindd_dual_pam_auth_crap)
  [ 3096]: pam auth crap domain: COMPANY user: domainuser
[2019/11/06 15:27:32.944307,  3] ../source3/auth/auth.c:189(auth_check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user [COMPANY]\[domainuser]@[DC1] with the new password interface
[2019/11/06 15:27:32.944345,  3] ../source3/auth/auth.c:192(auth_check_ntlm_password)
  check_ntlm_password:  mapped user is: [COMPANY]\[domainuser]@[DC1]
[2019/11/06 15:27:32.950761,  3] ../source4/auth/ntlm/auth.c:240(auth_check_password_send)
  auth_check_password_send: Checking password for unmapped user [COMPANY]\[domainuser]@[DC1]
  auth_check_password_send: user is: [COMPANY]\[domainuser]@[DC1]
[2019/11/06 15:27:32.952257,  2] ../libcli/auth/ntlm_check.c:430(ntlm_password_check)
  ntlm_password_check: NTLMv1 passwords NOT PERMITTED for user domainuser
[2019/11/06 15:27:32.952306,  3] ../libcli/auth/ntlm_check.c:437(ntlm_password_check)
  ntlm_password_check: NEITHER LanMan nor NT password supplied for user domainuser
[2019/11/06 15:27:32.953703,  2] ../source4/auth/ntlm/auth.c:475(auth_check_password_recv)
  auth_check_password_recv: sam authentication for user [COMPANY\domainuser] FAILED with error NT_STATUS_WRONG_PASSWORD, authoritative=1
[2019/11/06 15:27:32.953814,  2] ../auth/auth_log.c:760(log_authentication_event_human_readable)
  Auth: [winbind,(null)] user [COMPANY]\[domainuser] at [Wed, 06 Nov 2019 15:27:32.953792 CET] with [NTLMv1] status [NT_STATUS_WRONG_PASSWORD] workstation [DC1] remote host [ipv4:127.0.0.1:0] mapped to [COMPANY]\[domainuser]. local host [ipv4:127.0.0.1:0]
[2019/11/06 15:27:32.954029,  2] ../auth/auth_log.c:220(log_json)
  JSON Authentication: {"timestamp": "2019-11-06T15:27:32.953861+0100", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 0}, "status": "NT_STATUS_WRONG_PASSWORD", "localAddress": "ipv4:127.0.0.1:0", "remoteAddress": "ipv4:127.0.0.1:0", "serviceDescription": "winbind", "authDescription": null, "clientDomain": "COMPANY", "clientAccount": "domainuser", "workstation": "DC1", "becameAccount": null, "becameDomain": null, "becameSid": "(NULL SID)", "mappedAccount": "domainuser", "mappedDomain": "COMPANY", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": "(NULL SID)", "passwordType": "NTLMv1"}}
[2019/11/06 15:27:32.954130,  3] ../auth/auth_log.c:139(get_auth_event_server)
  get_auth_event_server: Failed to find 'auth_event' registered on the message bus to send JSON authentication events to: NT_STATUS_OBJECT_NAME_NOT_FOUND
[2019/11/06 15:27:32.954240,  2] ../source3/auth/auth.c:332(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [domainuser] -> [domainuser] FAILED with error NT_STATUS_WRONG_PASSWORD, authoritative=1
[2019/11/06 15:27:32.954311,  2] ../auth/auth_log.c:760(log_authentication_event_human_readable)
  Auth: [winbind,(null)] user [COMPANY]\[domainuser] at [Wed, 06 Nov 2019 15:27:32.954299 CET] with [NTLMv1] status [NT_STATUS_WRONG_PASSWORD] workstation [DC1] remote host [ipv4:127.0.0.1:0] mapped to [COMPANY]\[domainuser]. local host [ipv4:127.0.0.1:0]
[2019/11/06 15:27:32.954380,  2] ../auth/auth_log.c:220(log_json)
  JSON Authentication: {"timestamp": "2019-11-06T15:27:32.954338+0100", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 0}, "status": "NT_STATUS_WRONG_PASSWORD", "localAddress": "ipv4:127.0.0.1:0", "remoteAddress": "ipv4:127.0.0.1:0", "serviceDescription": "winbind", "authDescription": null, "clientDomain": "COMPANY", "clientAccount": "domainuser", "workstation": "DC1", "becameAccount": null, "becameDomain": null, "becameSid": "(NULL SID)", "mappedAccount": "domainuser", "mappedDomain": "COMPANY", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": "(NULL SID)", "passwordType": "NTLMv1"}}
[2019/11/06 15:27:32.954479,  2] ../source3/winbindd/winbindd_pam.c:2108(winbind_dual_SamLogon)
  NTLM CRAP authentication for user [COMPANY]\[domainuser] returned NT_STATUS_WRONG_PASSWORD

The user freerad is added to the winbindd_priv group, and I've also 
tried setting ntlm auth = mschapv2-and-ntlmv2-only; right now it is 
set to ntlm auth = yes.

Any suggestions on how I can solve it? I am quite surprised that the 
error I get in the end is NT_STATUS_WRONG_PASSWORD.

Thank you in advance, and let me know if I should include any other 
information!

Oleg
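As an added example (not part of Oleg's post or of Samba), the script below walks the `JSON Authentication:` records that Samba writes at log level 2, like the two in the log above, and reports which accounts and workstations still authenticate with NTLMv1 and with which status. That is the inventory a DC admin wants before deciding whether `ntlm auth` can stay restricted; the sample log lines are constructed in that shape, with the record fields trimmed to the ones the script reads.

```python
import json
from collections import Counter

# Constructed sample in the shape of Samba's "JSON Authentication:" records
# (emitted by ../auth/auth_log.c log_json). Fields trimmed; values made up.
SAMPLE_LOG = """\
[2019/11/06 15:27:32.954029,  2] ../auth/auth_log.c:220(log_json)
  JSON Authentication: {"timestamp": "2019-11-06T15:27:32.953861+0100", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 0}, "status": "NT_STATUS_WRONG_PASSWORD", "serviceDescription": "winbind", "clientDomain": "COMPANY", "clientAccount": "domainuser", "workstation": "DC1", "remoteAddress": "ipv4:127.0.0.1:0", "passwordType": "NTLMv1"}}
[2019/11/06 15:28:01.100000,  2] ../auth/auth_log.c:220(log_json)
  JSON Authentication: {"timestamp": "2019-11-06T15:28:01.100000+0100", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 0}, "status": "NT_STATUS_OK", "serviceDescription": "SMB2", "clientDomain": "COMPANY", "clientAccount": "alice", "workstation": "WS01", "remoteAddress": "ipv4:10.0.0.23:49152", "passwordType": "NTLMv2"}}
[2019/11/06 15:28:05.200000,  2] ../auth/auth_log.c:220(log_json)
  JSON Authentication: {"timestamp": "2019-11-06T15:28:05.200000+0100", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 0}, "status": "NT_STATUS_OK", "serviceDescription": "SMB2", "clientDomain": "COMPANY", "clientAccount": "printer-svc", "workstation": "PRN01", "remoteAddress": "ipv4:10.0.0.44:50001", "passwordType": "NTLMv1"}}
"""

JSON_MARKER = "JSON Authentication: "

def parse_auth_events(log_text):
    """Return the 'Authentication' object of every JSON Authentication record."""
    events = []
    for line in log_text.splitlines():
        idx = line.find(JSON_MARKER)
        if idx == -1:
            continue
        try:
            record = json.loads(line[idx + len(JSON_MARKER):])
        except json.JSONDecodeError:
            continue  # truncated or mail-wrapped line: skip it rather than crash
        if record.get("type") == "Authentication":
            events.append(record["Authentication"])
    return events

def ntlmv1_report(log_text):
    """Return (attempts, counts): NTLMv1 attempts as
    (DOMAIN\\account, workstation, remoteAddress, status) tuples,
    and a Counter of all passwordType values seen."""
    events = parse_auth_events(log_text)
    counts = Counter(ev.get("passwordType") for ev in events)
    attempts = [
        (f'{ev.get("clientDomain")}\\{ev.get("clientAccount")}',
         ev.get("workstation"), ev.get("remoteAddress"), ev.get("status"))
        for ev in events if ev.get("passwordType") == "NTLMv1"
    ]
    return attempts, counts

if __name__ == "__main__":
    attempts, counts = ntlmv1_report(SAMPLE_LOG)
    print("password types seen:", dict(counts))
    for who, ws, addr, status in attempts:
        print(f"NTLMv1 from {who} on {ws} ({addr}): {status}")
```

Point it at /var/log/samba/log.wb-COMPANY (or any Samba log at level 2 or higher) and every NTLMv1 user and workstation shows up, failed or not.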