[Samba] NTLM refuses to work on a DC
L.P.H. van Belle
belle at bazuin.nl
Wed Nov 6 15:44:11 UTC 2019
Hai,
Have you seen:
https://wiki.samba.org/index.php/Authenticating_Freeradius_against_Active_Directory
Test with:
ntlm_auth --allow-mschapv2 --request-nt-key --domain=COMPANY --username=domainuser --password=userpassword
Greetz,
Louis
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Oleg
> Blyahher via samba
> Sent: Wednesday, 6 November 2019 16:27
> To: samba at lists.samba.org
> Subject: [Samba] NTLM refuses to work on a DC
>
> Hi there,
>
> I'm trying to get FreeRADIUS to authenticate against my Samba DC. It's Samba 4.7.6-ubuntu running on Ubuntu 18 (kernel version 4.15.0-66-generic). It came nicely packaged with Zentyal, which provides a nice GUI for managing a domain, as well as a CA and lots of cool small features. That same Zentyal also includes support for FreeRADIUS (3.0.16).
>
> This is my smb.conf:
>
> [global]
> workgroup = company
> realm = INTERNAL.COMPANY.COM
> netbios name = dc
>
> server string = Zentyal Server
>
> server role = dc
> server role check:inhibit = yes
> server services = -dns
> server signing = auto
> dsdb:schema update allowed = yes
> ldap server require strong auth = no
> drs:max object sync = 1200
> ntlm auth = yes
>
> idmap_ldb:use rfc2307 = yes
>
> winbind enum users = yes
> winbind enum groups = yes
> template shell = /bin/bash
> template homedir = /home/%U
>
> tls enabled = yes
> tls keyfile = /var/lib/zentyal/conf/ssl/ssl.pem
> tls certfile = /var/lib/zentyal/conf/ssl/ssl.pem
> tls cafile =
>
> interfaces = lo,ens3,ens9
> bind interfaces only = yes
>
> map to guest = Bad User
>
> log level = 3
> log file = /var/log/samba/samba.log
> max log size = 100000
>
> include = /etc/samba/shares.conf
>
>
> [netlogon]
> path = /var/lib/samba/sysvol/internal.company.com/scripts
> browseable = no
> read only = yes
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = no
>
> When I run the following, I get no problems whatsoever:
>
> radtest domainuser userpassword localhost 0 secret123
>
> (To those who are not familiar, radtest is a tool for testing
> authentication on FreeRADIUS)
>
> Also when I run the following:
>
> ntlm_auth --request-nt-key --domain=COMPANY --username=domainuser --password=userpassword
>
> NT_STATUS_OK: The operation completed successfully. (0x0)
>
>
> Same with wbinfo -a domainuser%userpassword. In both of these commands NTLMv2 is being used.
>
>
> However, if I try to run the following, I get an error:
>
> radtest -t mschap domainuser userpassword localhost 0 secret123
>
> This is what I see in my /var/log/samba/log.wb-COMPANY:
>
> [2019/11/06 15:27:32.944109, 3] ../source3/winbindd/winbindd_pam.c:2138(winbindd_dual_pam_auth_crap)
>   [ 3096]: pam auth crap domain: COMPANY user: domainuser
> [2019/11/06 15:27:32.944307, 3] ../source3/auth/auth.c:189(auth_check_ntlm_password)
>   check_ntlm_password: Checking password for unmapped user [COMPANY]\[domainuser]@[DC1] with the new password interface
> [2019/11/06 15:27:32.944345, 3] ../source3/auth/auth.c:192(auth_check_ntlm_password)
>   check_ntlm_password: mapped user is: [COMPANY]\[domainuser]@[DC1]
> [2019/11/06 15:27:32.950761, 3] ../source4/auth/ntlm/auth.c:240(auth_check_password_send)
>   auth_check_password_send: Checking password for unmapped user [COMPANY]\[domainuser]@[DC1]
>   auth_check_password_send: user is: [COMPANY]\[domainuser]@[DC1]
> [2019/11/06 15:27:32.952257, 2] ../libcli/auth/ntlm_check.c:430(ntlm_password_check)
>   ntlm_password_check: NTLMv1 passwords NOT PERMITTED for user domainuser
> [2019/11/06 15:27:32.952306, 3] ../libcli/auth/ntlm_check.c:437(ntlm_password_check)
>   ntlm_password_check: NEITHER LanMan nor NT password supplied for user domainuser
> [2019/11/06 15:27:32.953703, 2] ../source4/auth/ntlm/auth.c:475(auth_check_password_recv)
>   auth_check_password_recv: sam authentication for user [COMPANY\domainuser] FAILED with error NT_STATUS_WRONG_PASSWORD, authoritative=1
> [2019/11/06 15:27:32.953814, 2] ../auth/auth_log.c:760(log_authentication_event_human_readable)
>   Auth: [winbind,(null)] user [COMPANY]\[domainuser] at [Wed, 06 Nov 2019 15:27:32.953792 CET] with [NTLMv1] status [NT_STATUS_WRONG_PASSWORD] workstation [DC1] remote host [ipv4:127.0.0.1:0] mapped to [COMPANY]\[domainuser]. local host [ipv4:127.0.0.1:0]
> [2019/11/06 15:27:32.954029, 2] ../auth/auth_log.c:220(log_json)
>   JSON Authentication: {"timestamp": "2019-11-06T15:27:32.953861+0100", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 0}, "status": "NT_STATUS_WRONG_PASSWORD", "localAddress": "ipv4:127.0.0.1:0", "remoteAddress": "ipv4:127.0.0.1:0", "serviceDescription": "winbind", "authDescription": null, "clientDomain": "COMPANY", "clientAccount": "domainuser", "workstation": "DC1", "becameAccount": null, "becameDomain": null, "becameSid": "(NULL SID)", "mappedAccount": "domainuser", "mappedDomain": "COMPANY", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": "(NULL SID)", "passwordType": "NTLMv1"}}
> [2019/11/06 15:27:32.954130, 3] ../auth/auth_log.c:139(get_auth_event_server)
>   get_auth_event_server: Failed to find 'auth_event' registered on the message bus to send JSON authentication events to: NT_STATUS_OBJECT_NAME_NOT_FOUND
> [2019/11/06 15:27:32.954240, 2] ../source3/auth/auth.c:332(auth_check_ntlm_password)
>   check_ntlm_password: Authentication for user [domainuser] -> [domainuser] FAILED with error NT_STATUS_WRONG_PASSWORD, authoritative=1
> [2019/11/06 15:27:32.954311, 2] ../auth/auth_log.c:760(log_authentication_event_human_readable)
>   Auth: [winbind,(null)] user [COMPANY]\[domainuser] at [Wed, 06 Nov 2019 15:27:32.954299 CET] with [NTLMv1] status [NT_STATUS_WRONG_PASSWORD] workstation [DC1] remote host [ipv4:127.0.0.1:0] mapped to [COMPANY]\[domainuser]. local host [ipv4:127.0.0.1:0]
> [2019/11/06 15:27:32.954380, 2] ../auth/auth_log.c:220(log_json)
>   JSON Authentication: {"timestamp": "2019-11-06T15:27:32.954338+0100", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 0}, "status": "NT_STATUS_WRONG_PASSWORD", "localAddress": "ipv4:127.0.0.1:0", "remoteAddress": "ipv4:127.0.0.1:0", "serviceDescription": "winbind", "authDescription": null, "clientDomain": "COMPANY", "clientAccount": "domainuser", "workstation": "DC1", "becameAccount": null, "becameDomain": null, "becameSid": "(NULL SID)", "mappedAccount": "domainuser", "mappedDomain": "COMPANY", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": "(NULL SID)", "passwordType": "NTLMv1"}}
> [2019/11/06 15:27:32.954479, 2] ../source3/winbindd/winbindd_pam.c:2108(winbind_dual_SamLogon)
>   NTLM CRAP authentication for user [COMPANY]\[domainuser] returned NT_STATUS_WRONG_PASSWORD
>
> The user freerad is added to the winbindd_priv group, and I've also tried setting ntlm auth = mschapv2-and-ntlmv2-only, and right now it is set to ntlm auth = yes
>
> Any suggestions as to how I can solve it? I am quite surprised that the error I get in the end is NT_STATUS_WRONG_PASSWORD.
>
> Thank you in advance, and let me know if I should include any other
> information!
>
> Oleg
>
>
>
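An added example (editor's code, not part of the thread and not Samba or FreeRADIUS code) for the log reading that this thread turns on. The winbind log above, at log level 2, carries one "JSON Authentication" record per attempt, and the field that settles the question is "passwordType": the FreeRADIUS mschap request arrives at the DC labelled "NTLMv1" and is rejected under the NTLMv1 policy, while the plain ntlm_auth and wbinfo -a tests are NTLMv2. The script below groups the multi-line log into entries (rejoining records that a mail client wrapped), parses the JSON, tallies (passwordType, status) per account and lists the NTLMv1 rejections. The sample log is constructed: the two NTLMv1 records are taken from the thread, the NTLMv2 record imitates a successful wbinfo -a, and the record labelled "MSCHAPv2" is what one would expect once ntlm_auth is invoked with --allow-mschapv2; that label is an assumption, the thread only shows the failure.

```python
"""Summarise Samba winbind "JSON Authentication" log records by password type.

Added example, not from the thread, not Samba/FreeRADIUS code. Sample data below
is constructed; the "MSCHAPv2" label on a successful record is an assumption.
"""
import json
import re
from collections import Counter, defaultdict

# Every Samba log entry starts with "[YYYY/MM/DD hh:mm:ss.uuuuuu, level] file:line(function)".
HEADER_RE = re.compile(r"^\[\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+,\s*\d+\]")
MARKER = "JSON Authentication:"


def parse_auth_events(log_text):
    """Return the inner "Authentication" dicts of all JSON auth records in log_text.

    Lines are grouped into entries at each header line and joined with a space,
    so a record wrapped over several lines (as in a mailed log) is still parsed.
    Entries without a JSON record, or with an unparsable one, are skipped.
    """
    entries, current = [], []
    for line in log_text.splitlines():
        if HEADER_RE.match(line) and current:
            entries.append(" ".join(current))
            current = []
        current.append(line.strip())
    if current:
        entries.append(" ".join(current))

    events = []
    for entry in entries:
        pos = entry.find(MARKER)
        if pos < 0:
            continue
        try:
            record = json.loads(entry[pos + len(MARKER):].strip())
        except ValueError:
            continue  # truncated or otherwise unparsable record
        if record.get("type") == "Authentication":
            events.append(record["Authentication"])
    return events


def summarise(events):
    """Map "DOMAIN\\account" -> Counter of (passwordType, status) pairs."""
    summary = defaultdict(Counter)
    for ev in events:
        who = f"{ev.get('clientDomain')}\\{ev.get('clientAccount')}"
        summary[who][(ev.get("passwordType"), ev.get("status"))] += 1
    return summary


def ntlmv1_rejections(events):
    """Failed attempts that carried a plain NTLMv1 (24-byte) response.

    This is what a FreeRADIUS mschap request looks like to the DC when ntlm_auth
    runs without --allow-mschapv2: the MS-CHAPv2 response is indistinguishable
    from NTLMv1 and the NTLMv1 policy is applied to it.
    """
    return [ev for ev in events
            if ev.get("passwordType") == "NTLMv1" and ev.get("status") != "NT_STATUS_OK"]


# Constructed sample log: the first two records are the thread's (one of them
# wrapped the way the mail was); the last two are made up for illustration.
SAMPLE_LOG = """\
[2019/11/06 15:27:32.954029, 2] ../auth/auth_log.c:220(log_json)
  JSON Authentication: {"timestamp": "2019-11-06T15:27:32.953861+0100", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 0}, "status": "NT_STATUS_WRONG_PASSWORD", "localAddress": "ipv4:127.0.0.1:0", "remoteAddress": "ipv4:127.0.0.1:0", "serviceDescription": "winbind", "authDescription": null, "clientDomain": "COMPANY", "clientAccount": "domainuser", "workstation": "DC1", "becameAccount": null, "becameDomain": null, "becameSid": "(NULL SID)", "mappedAccount": "domainuser", "mappedDomain": "COMPANY", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": "(NULL SID)", "passwordType": "NTLMv1"}}
[2019/11/06 15:27:32.954130, 3] ../auth/auth_log.c:139(get_auth_event_server)
  get_auth_event_server: Failed to find 'auth_event' registered on the message bus to send JSON authentication events to: NT_STATUS_OBJECT_NAME_NOT_FOUND
[2019/11/06 15:27:32.954380, 2] ../auth/auth_log.c:220(log_json)
  JSON Authentication: {"timestamp":
  "2019-11-06T15:27:32.954338+0100",
  "type": "Authentication", "Authentication": {"version": {"major": 1,
  "minor": 0}, "status": "NT_STATUS_WRONG_PASSWORD", "localAddress":
  "ipv4:127.0.0.1:0", "remoteAddress": "ipv4:127.0.0.1:0",
  "serviceDescription": "winbind", "authDescription": null,
  "clientDomain": "COMPANY", "clientAccount": "domainuser", "workstation":
  "DC1", "becameAccount": null, "becameDomain": null, "becameSid": "(NULL
  SID)", "mappedAccount": "domainuser", "mappedDomain": "COMPANY",
  "passwordType": "NTLMv1"}}
[2019/11/06 15:30:01.000001, 2] ../auth/auth_log.c:220(log_json)
  JSON Authentication: {"timestamp": "2019-11-06T15:30:01.000000+0100", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 0}, "status": "NT_STATUS_OK", "serviceDescription": "winbind", "clientDomain": "COMPANY", "clientAccount": "domainuser", "workstation": "DC1", "passwordType": "NTLMv2"}}
[2019/11/06 15:31:01.000001, 2] ../auth/auth_log.c:220(log_json)
  JSON Authentication: {"timestamp": "2019-11-06T15:31:01.000000+0100", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 0}, "status": "NT_STATUS_OK", "serviceDescription": "winbind", "clientDomain": "COMPANY", "clientAccount": "domainuser", "workstation": "DC1", "passwordType": "MSCHAPv2"}}
"""

if __name__ == "__main__":
    evs = parse_auth_events(SAMPLE_LOG)
    for who, counts in summarise(evs).items():
        for (ptype, status), n in sorted(counts.items()):
            print(f"{who}: {n} x {ptype} -> {status}")
    for ev in ntlmv1_rejections(evs):
        print(f"NTLMv1 rejected for {ev['clientAccount']} at {ev.get('workstation')};"
              " if this came via FreeRADIUS mschap, check for --allow-mschapv2 on ntlm_auth")
```

Run it against a real file with `parse_auth_events(open("/var/log/samba/log.wb-COMPANY").read())`; the records only exist when `log level` is 2 or higher, as in the smb.conf above.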