[Samba] problems after migrating NT domain to AD (samba 4.7.x)
Bartłomiej Solarz-Niesłuchowski
Bartlomiej.Solarz-Niesluchowski at wit.edu.pl
Sat Sep 28 18:40:21 UTC 2019
Dear List,
My domain +/- works, so I am trying to fix the rest of the services based on the NT/AD domain....
I use WiFi authorization with PEAP/MSCHAPv2 + freeradius (before the
migration it worked).
After the migration, authorization does not work.
The freeradius server is on a samba domain member.
So I checked domain connectivity:
[root at see-you-later samba]# net ads testjoin
Join is OK
[root at see-you-later samba]# wbinfo -a test%XXXX
plaintext password authentication succeeded
challenge/response password authentication succeeded
[root at see-you-later samba]# wbinfo -g
(here a list of the domain groups)
smb.conf:
[global]
dos charset = CP852
unix charset = UTF8
workgroup = WSISIZ.EDU.PL
realm = ad.wsisiz.edu.pl
server role = member server
security = ads
allow trusted domains = No
log level = 0
time server = Yes
deadtime = 60
hostname lookups = Yes
printcap cache time = 600
printcap name = cups
wins support = Yes
remote browse sync = oxygene.ibspan.waw.pl antarctica china
direct odyssey
winbind use default domain = Yes
create mask = 0644
inherit acls = Yes
remote browse sync = oceanic.wsisiz.edu.pl
create mask = 0644
hosts allow = 127., 213.135.34.0/255.255.255.0,
213.135.44.0/255.255.252.0, 213.135.48.0/255.255.254.0,
2001:1a68:a::/48, ::1
hide dot files = No
ea support = Yes
map acl inherit = Yes
cups options = raw
hide dot files = No
store dos attributes = Yes
wide links = Yes
acl allow execute always = yes
ntlm auth = mschapv2-and-ntlmv2-only
smb.conf on domain master:
[global]
realm = AD.WSISIZ.EDU.PL
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
drepl, winbindd, ntp_signd, kcc, dnsupdate
workgroup = WSISIZ.EDU.PL
idmap_ldb:use rfc2307 = yes
dns update command = /usr/sbin/samba_dnsupdate --use-samba-tool
wins server = 213.135.44.33
ntlm auth = mschapv2-and-ntlmv2-only
ntlm_auth by hand works:
[root at see-you-later samba]# /usr/bin/ntlm_auth --allow-mschapv2
--request-nt-key --domain=WSISIZ.EDU.PL --username=test
Password:
NT_STATUS_OK: The operation completed successfully. (0x0)
Relevant info from the radius config /etc/raddb/mods-enabled/mschap:
mschap {
use_mppe = yes
require_encryption = yes
require_strong = yes
ntlm_auth = "/usr/bin/ntlm_auth --allow-mschapv2 --request-nt-key
--domain=WSISIZ.EDU.PL
--username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
--challenge=%{%{mschap:Challenge}:-00}
--nt-response=%{%{mschap:NT-Response}:-00}"
}
(I tested the same with:
winbind_username = "%{mschap:User-Name}"
winbind_domain = WSISIZ.EDU.PL with no positive result)
But authorization does not work:
[root at see-you-later samba]# radtest -t mschap test XXXX 127.0.0.1 0
testing123
Sent Access-Request Id 123 from 0.0.0.0:54977 to 127.0.0.1:1812 length 130
User-Name = "test"
MS-CHAP-Password = "XXXX"
NAS-IP-Address = 213.135.44.40
NAS-Port = 0
Message-Authenticator = 0x00
Cleartext-Password = "XXXX"
MS-CHAP-Challenge = 0x06c21051f5afe8c4
MS-CHAP-Response =
0x000100000000000000000000000000000000000000000000000085f264f761fdc1ed66f54e496bd14441aac94848336e49fc
Received Access-Reject Id 123 from 127.0.0.1:1812 to 127.0.0.1:54977
length 61
MS-CHAP-Error = "\000E=691 R=1 C=31fc8a6f22e0e329 V=2"
(0) -: Expected Access-Accept got Access-Reject
Output from radiusd -X:
(614) Found Auth-Type = MSCHAP
(614) # Executing group from file /etc/raddb/sites-enabled/default
(614) authenticate {
(614) mschap: Client is using MS-CHAPv1 with NT-Password
(614) mschap: Executing: /usr/bin/ntlm_auth --allow-mschapv2
--request-nt-key --domain=WSISIZ.EDU.PL
--username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
--challenge=%{%{mschap:Challenge}:-00}
--nt-response=%{%{mschap:NT-Response}:-00}:
(614) mschap: EXPAND
--username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
(614) mschap: --> --username=test
(614) mschap: mschap1: bc
(614) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00}
(614) mschap: --> --challenge=bc5657d8c8eeedbb
(614) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00}
(614) mschap: -->
--nt-response=5cb1d1a7f6cca180a405880b18a68c3fd904f5bd8931f46b
(614) mschap: ERROR: Program returned code (1) and output 'The attempted
logon is invalid. This is either due to a bad username or authentication
information. (0xc000006d)'
(614) mschap: External script failed
(614) mschap: ERROR: External script says: The attempted logon is
invalid. This is either due to a bad username or authentication
information. (0xc000006d)
(614) mschap: ERROR: MS-CHAP2-Response is incorrect
(614) [mschap] = reject
(614) } # authenticate = reject
(614) Failed to authenticate the user
(614) Using Post-Auth-Type Reject
(614) # Executing group from file /etc/raddb/sites-enabled/default
(614) Post-Auth-Type REJECT {
(614) attr_filter.access_reject: EXPAND %{User-Name}
(614) attr_filter.access_reject: --> test
(614) attr_filter.access_reject: Matched entry DEFAULT at line 11
(614) [attr_filter.access_reject] = updated
(614) [eap] = noop
(614) policy remove_reply_message_if_eap {
(614) if (&reply:EAP-Message && &reply:Reply-Message) {
(614) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(614) else {
(614) [noop] = noop
(614) } # else = noop
(614) } # policy remove_reply_message_if_eap = noop
(614) } # Post-Auth-Type REJECT = updated
(614) Login incorrect (mschap: Program returned code (1) and output 'The
attempted logon is invalid. This is either due to a bad username or
authentication information. (0xc000006d)'): [test/<via Auth-Type =
MSCHAP>] (from client localhost port 0)
(614) Delaying response for 1.000000 seconds
Waking up in 0.2 seconds.
Waking up in 0.7 seconds.
(614) Sending delayed response
(614) Sent Access-Reject Id 112 from 127.0.0.1:1812 to 127.0.0.1:51747
length 61
(614) MS-CHAP-Error = "\000E=691 R=1 C=1ea8abc7f8bc2ca7 V=2"
Waking up in 3.9 seconds.
I read:
https://wiki.samba.org/index.php/Authenticating_Freeradius_against_Active_Directory
(where do I find audit.log?)
https://wiki.freeradius.org/guide/FreeRADIUS-Active-Directory-Integration-HOWTO
https://wiki.freeradius.org/guide/Active-Directory-direct-via-winbind
I have no idea why it does not work - maybe somebody on the list has an idea?
Best Regards
--
Bartłomiej Solarz-Niesłuchowski, Administrator WSISiZ
e-mail: Bartlomiej.Solarz-Niesluchowski at wit.edu.pl
tel. 223486547, fax 223486501
JID: solarz at jabber.wit.edu.pl
01-447 Warszawa, ul. Newelska 6, room 421, Mon.-Fri. 8-16
Motto - As you make your bed, so you will sleep
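When reading a trace like the one above, it helps to decode the two MS-CHAP attributes radtest shows instead of eyeballing the hex: the 50-byte response (whose layout differs between MS-CHAPv1 and MS-CHAPv2, which is why radiusd -X reports "Client is using MS-CHAPv1 with NT-Password" for a radtest -t mschap run) and the MS-CHAP-Error string with its numeric failure code. The decoder below is an added example, not code from the poster, Samba or FreeRADIUS; the field layouts and error codes come from RFC 2433 and RFC 2759, and the sample values are constructed from the radtest output in the post.

```python
import re

# Failure codes from RFC 2433 / RFC 2759 section 6 (the "E=" field of MS-CHAP-Error).
MSCHAP_ERRORS = {
    646: "ERROR_RESTRICTED_LOGON_HOURS", 647: "ERROR_ACCT_DISABLED",
    648: "ERROR_PASSWD_EXPIRED", 649: "ERROR_NO_DIALIN_PERMISSION",
    691: "ERROR_AUTHENTICATION_FAILURE", 709: "ERROR_CHANGING_PASSWORD",
}

def parse_mschap_response(attr, hexvalue):
    """Decode a 50-byte MS-CHAP-Response (v1, RFC 2433) or MS-CHAP2-Response (v2, RFC 2759)."""
    raw = bytes.fromhex(hexvalue[2:] if hexvalue.startswith("0x") else hexvalue)
    if len(raw) != 50:
        raise ValueError("expected 50 bytes, got %d" % len(raw))
    ident, flags = raw[0], raw[1]
    if attr == "MS-CHAP-Response":
        # v1 layout: Ident(1) Flags(1) LM-Response(24) NT-Response(24); Flags bit 0 set => NT-Response used
        return {"version": 1, "ident": ident, "uses_nt_response": bool(flags & 1),
                "lm_response": raw[2:26].hex(), "nt_response": raw[26:50].hex()}
    if attr == "MS-CHAP2-Response":
        # v2 layout: Ident(1) Flags(1, zero) Peer-Challenge(16) Reserved(8) NT-Response(24)
        return {"version": 2, "ident": ident, "peer_challenge": raw[2:18].hex(),
                "nt_response": raw[26:50].hex()}
    raise ValueError("unknown attribute " + attr)

def parse_mschap_error(text):
    """Decode MS-CHAP-Error: one Ident byte, then 'E=eeeeee R=r C=<hex> V=v [M=msg]'."""
    text = text.replace("\\000", "\x00")  # also accept the escaped form radtest prints
    m = re.fullmatch(r"(.)\s*E=(\d+) R=(\d) C=([0-9a-fA-F]+) V=(\d+)(?: M=(.*))?", text, re.S)
    if not m:
        raise ValueError("not an MS-CHAP-Error string")
    code = int(m.group(2))
    return {"ident": ord(m.group(1)), "code": code, "name": MSCHAP_ERRORS.get(code, "unknown"),
            "retry_allowed": m.group(3) == "1", "new_challenge": m.group(4).lower(),
            "version": int(m.group(5)), "message": m.group(6)}

def summarize(attr, hexvalue, error_text):
    """Combine both decodes into the facts worth reading off a radtest / radiusd -X trace."""
    resp = parse_mschap_response(attr, hexvalue)
    err = parse_mschap_error(error_text)
    return {"request_version": resp["version"], "nt_response": resp["nt_response"],
            "reject": err["name"], "retry_allowed": err["retry_allowed"]}

# Constructed sample: the MS-CHAP-Response and MS-CHAP-Error shown in the radtest output in the post
# (Ident 0x00, Flags 0x01, all-zero LM-Response, 24-byte NT-Response).
SAMPLE_RESPONSE = "0x0001" + "00" * 24 + "85f264f761fdc1ed66f54e496bd14441aac94848336e49fc"
SAMPLE_ERROR = "\\000E=691 R=1 C=31fc8a6f22e0e329 V=2"

if __name__ == "__main__":
    print(summarize("MS-CHAP-Response", SAMPLE_RESPONSE, SAMPLE_ERROR))
```

A request_version of 1 in the summary means the test exercised MS-CHAPv1, not the PEAP/MSCHAPv2 path the WiFi clients use, so a radtest result does not necessarily tell you what a real MSCHAPv2 client will get.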