[Samba] NTLM refuses to work on a DC

Oleg Blyahher oleg.blyahher at bluetest.se
Wed Nov 6 16:10:33 UTC 2019


Thank you so much Louis!

Adding "--allow-mschapv2" to /etc/freeradius/3.0/mods-enabled/mschap 
solved it!

i.e.

ntlm_auth = "/usr/bin/ntlm_auth --allow-mschapv2 --request-nt-key 
--username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} 
--challenge=%{%{mschap:Challenge}:-00} 
--nt-response=%{%{mschap:NT-Response}:-00}"

Just like the Samba documentation states it...

All the best,

On 2019-11-06 16:44, L.P.H. van Belle wrote:
> Hai,
>
> Have you seen :
> https://wiki.samba.org/index.php/Authenticating_Freeradius_against_Active_Directory
>
>
> Test with :
> ntlm_auth --allow-mschapv2 --request-nt-key --domain=COMPANY --username=domainuser --password=userpassword
>
>
> Greetz,
>
> Louis
>
>
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Oleg
>> Blyahher via samba
>> Sent: Wednesday 6 November 2019 16:27
>> To: samba at lists.samba.org
>> Subject: [Samba] NTLM refuses to work on a DC
>>
>> Hi there,
>>
>> I'm trying to get FreeRADIUS to authenticate against my Samba
>> DC. It's
>> Samba 4.7.6-ubuntu running on Ubuntu 18 (kernel version
>> 4.15.0-66-generic). It came nicely packaged with Zentyal,
>> which provides
>> a nice GUI for managing a domain, as well as a CA and lots of
>> cool small
>> features. That same Zentyal also includes support for
>> FreeRADIUS (3.0.16).
>>
>> This is my smb.conf:
>>
>> [global]
>>       workgroup = company
>>       realm = INTERNAL.COMPANY.COM
>>       netbios name = dc
>>
>>       server string = Zentyal Server
>>
>>       server role = dc
>>       server role check:inhibit = yes
>>       server services = -dns
>>       server signing = auto
>>       dsdb:schema update allowed = yes
>>       ldap server require strong auth = no
>>       drs:max object sync = 1200
>>       ntlm auth = yes
>>
>>       idmap_ldb:use rfc2307 = yes
>>
>>       winbind enum users = yes
>>       winbind enum groups = yes
>>       template shell = /bin/bash
>>       template homedir = /home/%U
>>
>>       tls enabled  = yes
>>       tls keyfile  = /var/lib/zentyal/conf/ssl/ssl.pem
>>       tls certfile = /var/lib/zentyal/conf/ssl/ssl.pem
>>       tls cafile   =
>>
>>       interfaces = lo,ens3,ens9
>>       bind interfaces only = yes
>>
>>       map to guest = Bad User
>>
>>       log level = 3
>>       log file = /var/log/samba/samba.log
>>       max log size = 100000
>>
>>       include = /etc/samba/shares.conf
>>
>>
>> [netlogon]
>>       path = /var/lib/samba/sysvol/internal.company.com/scripts
>>       browseable = no
>>       read only = yes
>>
>> [sysvol]
>>       path = /var/lib/samba/sysvol
>>       read only = no
>>
>> When I run the following, I get no problems whatsoever:
>>
>> radtest domainuser userpassword localhost 0 secret123
>>
>> (To those who are not familiar, radtest is a tool for testing
>> authentication on FreeRADIUS)
>>
>> Also when I run the following:
>>
>> ntlm_auth --request-nt-key --domain=COMPANY --username=domainuser
>> --password=userpassword
>>
>> NT_STATUS_OK: The operation completed successfully. (0x0)
>>
>>
>> Same with wbinfo -a domainuser%userpassword. In both of these
>> commands
>> NTLMv2 is being used.
>>
>>
>> However, if I try to run the following, I get an error:
>>
>> radtest -t mschap domainuser userpassword localhost 0 secret123
>>
>> This is what I see in my /var/log/samba/log.wb-COMPANY:
>>
>> [2019/11/06 15:27:32.944109,  3]
>> ../source3/winbindd/winbindd_pam.c:2138(winbindd_dual_pam_auth_crap)
>>     [ 3096]: pam auth crap domain: COMPANY user: domainuser
>> [2019/11/06 15:27:32.944307,  3]
>> ../source3/auth/auth.c:189(auth_check_ntlm_password)
>>     check_ntlm_password:  Checking password for unmapped user
>> [COMPANY]\[domainuser]@[DC1] with the new password interface
>> [2019/11/06 15:27:32.944345,  3]
>> ../source3/auth/auth.c:192(auth_check_ntlm_password)
>>     check_ntlm_password:  mapped user is: [COMPANY]\[domainuser]@[DC1]
>> [2019/11/06 15:27:32.950761,  3]
>> ../source4/auth/ntlm/auth.c:240(auth_check_password_send)
>>     auth_check_password_send: Checking password for unmapped user
>> [COMPANY]\[domainuser]@[DC1]
>>     auth_check_password_send: user is: [COMPANY]\[domainuser]@[DC1]
>> [2019/11/06 15:27:32.952257,  2]
>> ../libcli/auth/ntlm_check.c:430(ntlm_password_check)
>>     ntlm_password_check: NTLMv1 passwords NOT PERMITTED for
>> user domainuser
>> [2019/11/06 15:27:32.952306,  3]
>> ../libcli/auth/ntlm_check.c:437(ntlm_password_check)
>>     ntlm_password_check: NEITHER LanMan nor NT password
>> supplied for user
>> domainuser
>> [2019/11/06 15:27:32.953703,  2]
>> ../source4/auth/ntlm/auth.c:475(auth_check_password_recv)
>>     auth_check_password_recv: sam authentication for user
>> [COMPANY\domainuser] FAILED with error NT_STATUS_WRONG_PASSWORD,
>> authoritative=1
>> [2019/11/06 15:27:32.953814,  2]
>> ../auth/auth_log.c:760(log_authentication_event_human_readable)
>>     Auth: [winbind,(null)] user [COMPANY]\[domainuser] at [Wed, 06 Nov
>> 2019 15:27:32.953792 CET] with [NTLMv1] status
>> [NT_STATUS_WRONG_PASSWORD] workstation [DC1] remote host
>> [ipv4:127.0.0.1:0] mapped to [COMPANY]\[domainuser]. local host
>> [ipv4:127.0.0.1:0]
>> [2019/11/06 15:27:32.954029,  2] ../auth/auth_log.c:220(log_json)
>>     JSON Authentication: {"timestamp":
>> "2019-11-06T15:27:32.953861+0100",
>> "type": "Authentication", "Authentication": {"version": {"major": 1,
>> "minor": 0}, "status": "NT_STATUS_WRONG_PASSWORD", "localAddress":
>> "ipv4:127.0.0.1:0", "remoteAddress": "ipv4:127.0.0.1:0",
>> "serviceDescription": "winbind", "authDescription": null,
>> "clientDomain": "COMPANY", "clientAccount": "domainuser",
>> "workstation":
>> "DC1", "becameAccount": null, "becameDomain": null,
>> "becameSid": "(NULL
>> SID)", "mappedAccount": "domainuser", "mappedDomain": "COMPANY",
>> "netlogonComputer": null, "netlogonTrustAccount": null,
>> "netlogonNegotiateFlags": "0x00000000",
>> "netlogonSecureChannelType": 0,
>> "netlogonTrustAccountSid": "(NULL SID)", "passwordType": "NTLMv1"}}
>> [2019/11/06 15:27:32.954130,  3]
>> ../auth/auth_log.c:139(get_auth_event_server)
>>     get_auth_event_server: Failed to find 'auth_event'
>> registered on the
>> message bus to send JSON authentication events to:
>> NT_STATUS_OBJECT_NAME_NOT_FOUND
>> [2019/11/06 15:27:32.954240,  2]
>> ../source3/auth/auth.c:332(auth_check_ntlm_password)
>>     check_ntlm_password:  Authentication for user [domainuser] ->
>> [domainuser] FAILED with error NT_STATUS_WRONG_PASSWORD,
>> authoritative=1
>> [2019/11/06 15:27:32.954311,  2]
>> ../auth/auth_log.c:760(log_authentication_event_human_readable)
>>     Auth: [winbind,(null)] user [COMPANY]\[domainuser] at [Wed, 06 Nov
>> 2019 15:27:32.954299 CET] with [NTLMv1] status
>> [NT_STATUS_WRONG_PASSWORD] workstation [DC1] remote host
>> [ipv4:127.0.0.1:0] mapped to [COMPANY]\[domainuser]. local host
>> [ipv4:127.0.0.1:0]
>> [2019/11/06 15:27:32.954380,  2] ../auth/auth_log.c:220(log_json)
>>     JSON Authentication: {"timestamp":
>> "2019-11-06T15:27:32.954338+0100",
>> "type": "Authentication", "Authentication": {"version": {"major": 1,
>> "minor": 0}, "status": "NT_STATUS_WRONG_PASSWORD", "localAddress":
>> "ipv4:127.0.0.1:0", "remoteAddress": "ipv4:127.0.0.1:0",
>> "serviceDescription": "winbind", "authDescription": null,
>> "clientDomain": "COMPANY", "clientAccount": "domainuser",
>> "workstation":
>> "DC1", "becameAccount": null, "becameDomain": null,
>> "becameSid": "(NULL
>> SID)", "mappedAccount": "domainuser", "mappedDomain": "COMPANY",
>> "netlogonComputer": null, "netlogonTrustAccount": null,
>> "netlogonNegotiateFlags": "0x00000000",
>> "netlogonSecureChannelType": 0,
>> "netlogonTrustAccountSid": "(NULL SID)", "passwordType": "NTLMv1"}}
>> [2019/11/06 15:27:32.954479,  2]
>> ../source3/winbindd/winbindd_pam.c:2108(winbind_dual_SamLogon)
>>     NTLM CRAP authentication for user [COMPANY]\[domainuser] returned
>> NT_STATUS_WRONG_PASSWORD
>>
>> The user freerad is added to the winbindd_priv group, and I've also
>> tried setting ntlm auth = mschapv2-and-ntlmv2-only, and right
>> now it is
>> set to ntlm auth = yes
>>
>> Any suggestions to how I can solve it? I am quite surprised that the
>> error I get in the end is NT_STATUS_WRONG_PASSWORD.
>>
>> Thank you in advance, and let me know if I should include any other
>> information!
>>
>> Oleg
>>
>>
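The two checks a defender wants after reading this thread are (a) whether the DC's auth log is still recording NTLMv1 failures for the RADIUS service account path, and (b) whether the FreeRADIUS mschap module actually passes `--allow-mschapv2` to `ntlm_auth`. The script below is an added example for this thread, not code from Samba, FreeRADIUS or the poster. It parses the `JSON Authentication:` records that Samba writes at `log level` 2 (the same records quoted in the log above, re-joined onto single lines and trimmed; the third record with account `svc-backup` is constructed to show a contrasting NTLMv2 success) and audits a constructed copy of the `mods-enabled/mschap` line from the thread. Field names (`passwordType`, `status`, `mappedAccount`, `mappedDomain`) are taken from the thread's own log output.

```python
"""Audit Samba JSON auth events and the FreeRADIUS ntlm_auth command line.

Added example for this mailing-list thread; not Samba or FreeRADIUS code.
"""
import json
import re
from collections import Counter

# Constructed sample of /var/log/samba/log.wb-COMPANY at log level 2.
# The first two JSON records mirror the ones in the thread (trimmed);
# the "svc-backup" record is invented to show a successful NTLMv2 logon.
# One record is cut short on purpose, as happens when a log is pasted
# from a mail client, to show that the parser skips it instead of crashing.
SAMPLE_LOG = r'''
[2019/11/06 15:27:32.952257,  2] ../libcli/auth/ntlm_check.c:430(ntlm_password_check)
    ntlm_password_check: NTLMv1 passwords NOT PERMITTED for user domainuser
[2019/11/06 15:27:32.954029,  2] ../auth/auth_log.c:220(log_json)
    JSON Authentication: {"timestamp": "2019-11-06T15:27:32.953861+0100", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 0}, "status": "NT_STATUS_WRONG_PASSWORD", "localAddress": "ipv4:127.0.0.1:0", "remoteAddress": "ipv4:127.0.0.1:0", "serviceDescription": "winbind", "clientDomain": "COMPANY", "clientAccount": "domainuser", "workstation": "DC1", "mappedAccount": "domainuser", "mappedDomain": "COMPANY", "passwordType": "NTLMv1"}}
[2019/11/06 15:27:32.954380,  2] ../auth/auth_log.c:220(log_json)
    JSON Authentication: {"timestamp": "2019-11-06T15:27:32.954338+0100", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 0}, "status": "NT_STATUS_WRONG_PASSWORD", "serviceDescription": "winbind", "clientDomain": "COMPANY", "clientAccount": "domainuser", "workstation": "DC1", "mappedAccount": "domainuser", "mappedDomain": "COMPANY", "passwordType": "NTLMv1"}}
[2019/11/06 15:31:02.100000,  2] ../auth/auth_log.c:220(log_json)
    JSON Authentication: {"timestamp": "2019-11-06T15:31:02.099990+0100", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 0}, "status": "NT_STATUS_OK", "serviceDescription": "winbind", "clientDomain": "COMPANY", "clientAccount": "svc-backup", "workstation": "DC1", "mappedAccount": "svc-backup", "mappedDomain": "COMPANY", "passwordType": "NTLMv2"}}
[2019/11/06 15:31:05.000000,  2] ../auth/auth_log.c:220(log_json)
    JSON Authentication: {"timestamp":
'''

JSON_MARKER = "JSON Authentication: "


def parse_auth_events(log_text):
    """Return the "Authentication" object of every well-formed JSON record."""
    events = []
    for line in log_text.splitlines():
        idx = line.find(JSON_MARKER)
        if idx == -1:
            continue
        try:
            rec = json.loads(line[idx + len(JSON_MARKER):])
        except json.JSONDecodeError:
            continue  # truncated or wrapped line: skip it, do not abort
        if rec.get("type") == "Authentication":
            events.append(rec["Authentication"])
    return events


def summarize(events):
    """Count events by (passwordType, status); list accounts with NTLMv1 failures."""
    counts = Counter((e.get("passwordType"), e.get("status")) for e in events)
    ntlmv1_failures = sorted({
        "%s\\%s" % (e.get("mappedDomain"), e.get("mappedAccount"))
        for e in events
        if e.get("passwordType") == "NTLMv1" and e.get("status") != "NT_STATUS_OK"
    })
    return counts, ntlmv1_failures


# Constructed copies of the ntlm_auth line from mods-enabled/mschap:
# the thread's original (no --allow-mschapv2) and the fixed one.
BROKEN_MSCHAP = '''
mschap {
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
}
'''
FIXED_MSCHAP = BROKEN_MSCHAP.replace("ntlm_auth --request-nt-key",
                                     "ntlm_auth --allow-mschapv2 --request-nt-key")


def ntlm_auth_flags(mschap_config):
    """Return the long options given to ntlm_auth, without their =values."""
    m = re.search(r'ntlm_auth\s*=\s*"([^"]*)"', mschap_config)
    if not m:
        return None
    return [tok.split("=", 1)[0] for tok in m.group(1).split() if tok.startswith("--")]


def mschapv2_allowed(mschap_config):
    """True if the module tells winbind the NTLMv1-style response is MSCHAPv2."""
    flags = ntlm_auth_flags(mschap_config)
    return flags is not None and "--allow-mschapv2" in flags


if __name__ == "__main__":
    counts, failures = summarize(parse_auth_events(SAMPLE_LOG))
    for (ptype, status), n in sorted(counts.items()):
        print("%-8s %-28s %d" % (ptype, status, n))
    print("NTLMv1 failures:", failures)
    print("broken config allows MSCHAPv2:", mschapv2_allowed(BROKEN_MSCHAP))
    print("fixed config allows MSCHAPv2: ", mschapv2_allowed(FIXED_MSCHAP))
```

Run it against a real `log.wb-<DOMAIN>` by replacing `SAMPLE_LOG` with the file contents; the `(passwordType, status)` table is the quickest way to confirm that, once `--allow-mschapv2` is in place, the `NTLMv1 / NT_STATUS_WRONG_PASSWORD` pairs for the RADIUS users stop appearing, and to spot any other client still sending plain NTLMv1 before tightening `ntlm auth` on the DC.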


