[Samba] NTLM refuses to work on a DC
Oleg Blyahher
oleg.blyahher at bluetest.se
Wed Nov 6 16:10:33 UTC 2019
Thank you so much Louis!
Adding "--allow-mschapv2" to /etc/freeradius/3.0/mods-enabled/mschap
solved it!
i.e.
ntlm_auth = "/usr/bin/ntlm_auth --allow-mschapv2 --request-nt-key
--username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
--challenge=%{%{mschap:Challenge}:-00}
--nt-response=%{%{mschap:NT-Response}:-00}"
Just like the Samba documentation states it...
All the best,
On 2019-11-06 16:44, L.P.H. van Belle wrote:
> Hai,
>
> Have you seen :
> https://wiki.samba.org/index.php/Authenticating_Freeradius_against_Active_Directory
>
>
> Test with :
> ntlm_auth --allow-mschapv2 --request-nt-key --domain=COMPANY --username=domainuser --password=userpassword
>
>
> Greetz,
>
> Louis
>
>
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Oleg
>> Blyahher via samba
>> Sent: Wednesday, 6 November 2019 16:27
>> To: samba at lists.samba.org
>> Subject: [Samba] NTLM refuses to work on a DC
>>
>> Hi there,
>>
>> I'm trying to get FreeRADIUS to authenticate against my Samba DC. It's
>> Samba 4.7.6-ubuntu running on Ubuntu 18 (kernel version
>> 4.15.0-66-generic). It came nicely packaged with Zentyal, which provides
>> a nice GUI for managing a domain, as well as a CA and lots of cool small
>> features. That same Zentyal also includes support for FreeRADIUS (3.0.16).
>>
>> This is my smb.conf:
>>
>> [global]
>> workgroup = company
>> realm = INTERNAL.COMPANY.COM
>> netbios name = dc
>>
>> server string = Zentyal Server
>>
>> server role = dc
>> server role check:inhibit = yes
>> server services = -dns
>> server signing = auto
>> dsdb:schema update allowed = yes
>> ldap server require strong auth = no
>> drs:max object sync = 1200
>> ntlm auth = yes
>>
>> idmap_ldb:use rfc2307 = yes
>>
>> winbind enum users = yes
>> winbind enum groups = yes
>> template shell = /bin/bash
>> template homedir = /home/%U
>>
>> tls enabled = yes
>> tls keyfile = /var/lib/zentyal/conf/ssl/ssl.pem
>> tls certfile = /var/lib/zentyal/conf/ssl/ssl.pem
>> tls cafile =
>>
>> interfaces = lo,ens3,ens9
>> bind interfaces only = yes
>>
>> map to guest = Bad User
>>
>> log level = 3
>> log file = /var/log/samba/samba.log
>> max log size = 100000
>>
>> include = /etc/samba/shares.conf
>>
>>
>> [netlogon]
>> path = /var/lib/samba/sysvol/internal.company.com/scripts
>> browseable = no
>> read only = yes
>>
>> [sysvol]
>> path = /var/lib/samba/sysvol
>> read only = no
>>
>> When I run the following, I get no problems whatsoever:
>>
>> radtest domainuser userpassword localhost 0 secret123
>>
>> (To those who are not familiar, radtest is a tool for testing
>> authentication on FreeRADIUS)
>>
>> Also when I run the following:
>>
>> ntlm_auth --request-nt-key --domain=COMPANY --username=domainuser
>> --password=userpassword
>>
>> NT_STATUS_OK: The operation completed successfully. (0x0)
>>
>>
>> Same with wbinfo -a domainuser%userpassword. In both of these commands
>> NTLMv2 is being used.
>>
>>
>> However, if I try to run the following, I get an error:
>>
>> radtest -t mschap domainuser userpassword localhost 0 secret123
>>
>> This is what I see in my /var/log/samba/log.wb-COMPANY:
>>
>> [2019/11/06 15:27:32.944109, 3]
>> ../source3/winbindd/winbindd_pam.c:2138(winbindd_dual_pam_auth_crap)
>> [ 3096]: pam auth crap domain: COMPANY user: domainuser
>> [2019/11/06 15:27:32.944307, 3]
>> ../source3/auth/auth.c:189(auth_check_ntlm_password)
>> check_ntlm_password: Checking password for unmapped user
>> [COMPANY]\[domainuser]@[DC1] with the new password interface
>> [2019/11/06 15:27:32.944345, 3]
>> ../source3/auth/auth.c:192(auth_check_ntlm_password)
>> check_ntlm_password: mapped user is: [COMPANY]\[domainuser]@[DC1]
>> [2019/11/06 15:27:32.950761, 3]
>> ../source4/auth/ntlm/auth.c:240(auth_check_password_send)
>> auth_check_password_send: Checking password for unmapped user
>> [COMPANY]\[domainuser]@[DC1]
>> auth_check_password_send: user is: [COMPANY]\[domainuser]@[DC1]
>> [2019/11/06 15:27:32.952257, 2]
>> ../libcli/auth/ntlm_check.c:430(ntlm_password_check)
>> ntlm_password_check: NTLMv1 passwords NOT PERMITTED for
>> user domainuser
>> [2019/11/06 15:27:32.952306, 3]
>> ../libcli/auth/ntlm_check.c:437(ntlm_password_check)
>> ntlm_password_check: NEITHER LanMan nor NT password
>> supplied for user
>> domainuser
>> [2019/11/06 15:27:32.953703, 2]
>> ../source4/auth/ntlm/auth.c:475(auth_check_password_recv)
>> auth_check_password_recv: sam authentication for user
>> [COMPANY\domainuser] FAILED with error NT_STATUS_WRONG_PASSWORD,
>> authoritative=1
>> [2019/11/06 15:27:32.953814, 2]
>> ../auth/auth_log.c:760(log_authentication_event_human_readable)
>> Auth: [winbind,(null)] user [COMPANY]\[domainuser] at [Wed, 06 Nov
>> 2019 15:27:32.953792 CET] with [NTLMv1] status
>> [NT_STATUS_WRONG_PASSWORD] workstation [DC1] remote host
>> [ipv4:127.0.0.1:0] mapped to [COMPANY]\[domainuser]. local host
>> [ipv4:127.0.0.1:0]
>> [2019/11/06 15:27:32.954029, 2] ../auth/auth_log.c:220(log_json)
>> JSON Authentication: {"timestamp":
>> "2019-11-06T15:27:32.953861+0100",
>> "type": "Authentication", "Authentication": {"version": {"major": 1,
>> "minor": 0}, "status": "NT_STATUS_WRONG_PASSWORD", "localAddress":
>> "ipv4:127.0.0.1:0", "remoteAddress": "ipv4:127.0.0.1:0",
>> "serviceDescription": "winbind", "authDescription": null,
>> "clientDomain": "COMPANY", "clientAccount": "domainuser",
>> "workstation":
>> "DC1", "becameAccount": null, "becameDomain": null,
>> "becameSid": "(NULL
>> SID)", "mappedAccount": "domainuser", "mappedDomain": "COMPANY",
>> "netlogonComputer": null, "netlogonTrustAccount": null,
>> "netlogonNegotiateFlags": "0x00000000",
>> "netlogonSecureChannelType": 0,
>> "netlogonTrustAccountSid": "(NULL SID)", "passwordType": "NTLMv1"}}
>> [2019/11/06 15:27:32.954130, 3]
>> ../auth/auth_log.c:139(get_auth_event_server)
>> get_auth_event_server: Failed to find 'auth_event'
>> registered on the
>> message bus to send JSON authentication events to:
>> NT_STATUS_OBJECT_NAME_NOT_FOUND
>> [2019/11/06 15:27:32.954240, 2]
>> ../source3/auth/auth.c:332(auth_check_ntlm_password)
>> check_ntlm_password: Authentication for user [domainuser] ->
>> [domainuser] FAILED with error NT_STATUS_WRONG_PASSWORD,
>> authoritative=1
>> [2019/11/06 15:27:32.954311, 2]
>> ../auth/auth_log.c:760(log_authentication_event_human_readable)
>> Auth: [winbind,(null)] user [COMPANY]\[domainuser] at [Wed, 06 Nov
>> 2019 15:27:32.954299 CET] with [NTLMv1] status
>> [NT_STATUS_WRONG_PASSWORD] workstation [DC1] remote host
>> [ipv4:127.0.0.1:0] mapped to [COMPANY]\[domainuser]. local host
>> [ipv4:127.0.0.1:0]
>> [2019/11/06 15:27:32.954380, 2] ../auth/auth_log.c:220(log_json)
>> JSON Authentication: {"timestamp":
>> "2019-11-06T15:27:32.954338+0100",
>> "type": "Authentication", "Authentication": {"version": {"major": 1,
>> "minor": 0}, "status": "NT_STATUS_WRONG_PASSWORD", "localAddress":
>> "ipv4:127.0.0.1:0", "remoteAddress": "ipv4:127.0.0.1:0",
>> "serviceDescription": "winbind", "authDescription": null,
>> "clientDomain": "COMPANY", "clientAccount": "domainuser",
>> "workstation":
>> "DC1", "becameAccount": null, "becameDomain": null,
>> "becameSid": "(NULL
>> SID)", "mappedAccount": "domainuser", "mappedDomain": "COMPANY",
>> "netlogonComputer": null, "netlogonTrustAccount": null,
>> "netlogonNegotiateFlags": "0x00000000",
>> "netlogonSecureChannelType": 0,
>> "netlogonTrustAccountSid": "(NULL SID)", "passwordType": "NTLMv1"}}
>> [2019/11/06 15:27:32.954479, 2]
>> ../source3/winbindd/winbindd_pam.c:2108(winbind_dual_SamLogon)
>> NTLM CRAP authentication for user [COMPANY]\[domainuser] returned
>> NT_STATUS_WRONG_PASSWORD
>>
>> The user freerad is added to the winbindd_priv group, and I've also
>> tried setting ntlm auth = mschapv2-and-ntlmv2-only, and right now it is
>> set to ntlm auth = yes
>>
>> Any suggestions as to how I can solve it? I am quite surprised that the
>> error I get in the end is NT_STATUS_WRONG_PASSWORD.
>>
>> Thank you in advance, and let me know if I should include any other
>> information!
>>
>> Oleg
>>
>>
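The thread's winbind log shows the failing MSCHAPv2 attempt recorded with "passwordType": "NTLMv1", and the JSON Authentication records at log level 2 are the easiest place to see which clients still depend on that path before tightening ntlm auth. Below is an added example (not from the thread, FreeRADIUS or Samba) that parses such records and summarises attempts by password type and status; the SAMPLE_LOG lines are constructed, modelled on the records quoted above with unused fields trimmed, and the second and third records are invented to show a clean NTLMv2 login and a separate NTLMv1 source.

```python
import json
from collections import Counter
from typing import Dict, List

# Constructed sample in the shape of Samba's auth_log.c output at log level 2.
# Record 1 mirrors the thread's failing MSCHAPv2 attempt; records 2 and 3 are
# invented; the last line is a non-JSON level-3 line that must be skipped.
SAMPLE_LOG = """\
[2019/11/06 15:27:32.954029, 2] ../auth/auth_log.c:220(log_json)
  JSON Authentication: {"timestamp": "2019-11-06T15:27:32.953861+0100", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 0}, "status": "NT_STATUS_WRONG_PASSWORD", "serviceDescription": "winbind", "clientDomain": "COMPANY", "clientAccount": "domainuser", "workstation": "DC1", "remoteAddress": "ipv4:127.0.0.1:0", "passwordType": "NTLMv1"}}
[2019/11/06 15:31:10.100000, 2] ../auth/auth_log.c:220(log_json)
  JSON Authentication: {"timestamp": "2019-11-06T15:31:10.100000+0100", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 0}, "status": "NT_STATUS_OK", "serviceDescription": "winbind", "clientDomain": "COMPANY", "clientAccount": "domainuser", "workstation": "DC1", "remoteAddress": "ipv4:127.0.0.1:0", "passwordType": "NTLMv2"}}
[2019/11/06 15:32:45.200000, 2] ../auth/auth_log.c:220(log_json)
  JSON Authentication: {"timestamp": "2019-11-06T15:32:45.200000+0100", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 0}, "status": "NT_STATUS_OK", "serviceDescription": "winbind", "clientDomain": "COMPANY", "clientAccount": "printer-svc", "workstation": "MFP-01", "remoteAddress": "ipv4:10.0.0.23:0", "passwordType": "NTLMv1"}}
[2019/11/06 15:33:00.000000, 3] ../source3/auth/auth.c:189(auth_check_ntlm_password)
  check_ntlm_password: Checking password for unmapped user [COMPANY]\\[domainuser]@[DC1]
"""

JSON_MARKER = "JSON Authentication: "


def parse_auth_events(log_text: str) -> List[Dict]:
    """Return the inner "Authentication" dict of each JSON record, with the
    record's timestamp copied in. Lines without the marker, and records whose
    JSON is truncated (for example cut by log rotation), are skipped."""
    events = []
    for line in log_text.splitlines():
        idx = line.find(JSON_MARKER)
        if idx < 0:
            continue
        try:
            rec = json.loads(line[idx + len(JSON_MARKER):])
        except json.JSONDecodeError:
            continue
        if rec.get("type") != "Authentication":
            continue
        ev = dict(rec["Authentication"])
        ev["timestamp"] = rec.get("timestamp")
        events.append(ev)
    return events


def summarize(events: List[Dict]) -> Dict:
    """Count attempts per (passwordType, status) and list the distinct
    (account, workstation, remote address) tuples still using NTLMv1-style
    responses, which is how an MSCHAPv2 attempt via ntlm_auth appears here."""
    by_type_status = Counter((e.get("passwordType"), e.get("status")) for e in events)
    ntlmv1_sources = sorted({(e.get("clientAccount"), e.get("workstation"), e.get("remoteAddress"))
                             for e in events if e.get("passwordType") == "NTLMv1"})
    return {"by_type_status": dict(by_type_status), "ntlmv1_sources": ntlmv1_sources}
```

Run summarize(parse_auth_events(open("/var/log/samba/log.wb-COMPANY").read())) against the real file to get the same breakdown for a live DC; anything in ntlmv1_sources is a client that will break if ntlm auth is moved to ntlmv2-only without the mschapv2-and-ntlmv2-only allowance.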