[Samba] problems after migrating NT domain to AD (samba 4.7.x)

Bartłomiej Solarz-Niesłuchowski Bartlomiej.Solarz-Niesluchowski at wit.edu.pl
Sat Sep 28 18:40:21 UTC 2019


Dear List,

My domain more or less works, so I am trying to fix the rest of the services based on the NT/AD domain....

I use WiFi authorization with PEAP/MSCHAPv2 + freeradius (before the migration it worked).

After the migration, authorization does not work.

The FreeRADIUS server is on a Samba domain member.

So I check domain connectivity:

[root at see-you-later samba]# net ads testjoin
Join is OK
[root at see-you-later samba]# wbinfo -a test%XXXX
plaintext password authentication succeeded
challenge/response password authentication succeeded
[root at see-you-later samba]# wbinfo -g

here a list of domain groups

smb.conf:

[global]
        dos charset = CP852
        unix charset = UTF8
        workgroup = WSISIZ.EDU.PL
        realm = ad.wsisiz.edu.pl
        server role = member server
        security = ads
        allow trusted domains = No
        log level = 0
        time server = Yes
        deadtime = 60
        hostname lookups = Yes
        printcap cache time = 600
        printcap name = cups
        wins support = Yes
        remote browse sync = oxygene.ibspan.waw.pl antarctica china direct odyssey
        winbind use default domain = Yes
        create mask = 0644
        inherit acls = Yes
        remote browse sync = oceanic.wsisiz.edu.pl
        create mask = 0644
        hosts allow = 127., 213.135.34.0/255.255.255.0, 213.135.44.0/255.255.252.0, 213.135.48.0/255.255.254.0, 2001:1a68:a::/48, ::1
        hide dot files = No
        ea support = Yes
        map acl inherit = Yes
        cups options = raw
        hide dot files = No
        store dos attributes = Yes
        wide links = Yes
        acl allow execute always = yes
        ntlm auth = mschapv2-and-ntlmv2-only

smb.conf on the domain master:

[global]
        realm = AD.WSISIZ.EDU.PL
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        workgroup = WSISIZ.EDU.PL
        idmap_ldb:use rfc2307 = yes
        dns update command = /usr/sbin/samba_dnsupdate --use-samba-tool
        wins server = 213.135.44.33
        ntlm auth = mschapv2-and-ntlmv2-only


ntlm_auth by hand works:

[root at see-you-later samba]# /usr/bin/ntlm_auth --allow-mschapv2 --request-nt-key --domain=WSISIZ.EDU.PL --username=test
Password:
NT_STATUS_OK: The operation completed successfully. (0x0)


Relevant info from the RADIUS config /etc/raddb/mods-enabled/mschap:

mschap {
        use_mppe = yes
        require_encryption = yes
        require_strong = yes
        ntlm_auth = "/usr/bin/ntlm_auth --allow-mschapv2 --request-nt-key --domain=WSISIZ.EDU.PL --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
}

(I tested the same with:

winbind_username = "%{mschap:User-Name}"
winbind_domain = WSISIZ.EDU.PL

with no positive result.)


But authorization does not work:

[root at see-you-later samba]# radtest -t mschap test XXXX 127.0.0.1 0 testing123
Sent Access-Request Id 123 from 0.0.0.0:54977 to 127.0.0.1:1812 length 130
        User-Name = "test"
        MS-CHAP-Password = "XXXX"
        NAS-IP-Address = 213.135.44.40
        NAS-Port = 0
        Message-Authenticator = 0x00
        Cleartext-Password = "XXXX"
        MS-CHAP-Challenge = 0x06c21051f5afe8c4
        MS-CHAP-Response = 0x000100000000000000000000000000000000000000000000000085f264f761fdc1ed66f54e496bd14441aac94848336e49fc
Received Access-Reject Id 123 from 127.0.0.1:1812 to 127.0.0.1:54977 length 61
        MS-CHAP-Error = "\000E=691 R=1 C=31fc8a6f22e0e329 V=2"
(0) -: Expected Access-Accept got Access-Reject


Output from radiusd -X:

(614) Found Auth-Type = MSCHAP
(614) # Executing group from file /etc/raddb/sites-enabled/default
(614)   authenticate {
(614) mschap: Client is using MS-CHAPv1 with NT-Password
(614) mschap: Executing: /usr/bin/ntlm_auth --allow-mschapv2 --request-nt-key --domain=WSISIZ.EDU.PL --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}:
(614) mschap: EXPAND --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
(614) mschap:    --> --username=test
(614) mschap: mschap1: bc
(614) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00}
(614) mschap:    --> --challenge=bc5657d8c8eeedbb
(614) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00}
(614) mschap:    --> --nt-response=5cb1d1a7f6cca180a405880b18a68c3fd904f5bd8931f46b
(614) mschap: ERROR: Program returned code (1) and output 'The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)'
(614) mschap: External script failed
(614) mschap: ERROR: External script says: The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)
(614) mschap: ERROR: MS-CHAP2-Response is incorrect
(614)     [mschap] = reject
(614)   } # authenticate = reject
(614) Failed to authenticate the user
(614) Using Post-Auth-Type Reject
(614) # Executing group from file /etc/raddb/sites-enabled/default
(614)   Post-Auth-Type REJECT {
(614) attr_filter.access_reject: EXPAND %{User-Name}
(614) attr_filter.access_reject:    --> test
(614) attr_filter.access_reject: Matched entry DEFAULT at line 11
(614)     [attr_filter.access_reject] = updated
(614)     [eap] = noop
(614)     policy remove_reply_message_if_eap {
(614)       if (&reply:EAP-Message && &reply:Reply-Message) {
(614)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(614)       else {
(614)         [noop] = noop
(614)       } # else = noop
(614)     } # policy remove_reply_message_if_eap = noop
(614)   } # Post-Auth-Type REJECT = updated
(614) Login incorrect (mschap: Program returned code (1) and output 'The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)'): [test/<via Auth-Type = MSCHAP>] (from client localhost port 0)
(614) Delaying response for 1.000000 seconds
Waking up in 0.2 seconds.
Waking up in 0.7 seconds.
(614) Sending delayed response
(614) Sent Access-Reject Id 112 from 127.0.0.1:1812 to 127.0.0.1:51747 length 61
(614)   MS-CHAP-Error = "\000E=691 R=1 C=1ea8abc7f8bc2ca7 V=2"
Waking up in 3.9 seconds.

I read:

https://wiki.samba.org/index.php/Authenticating_Freeradius_against_Active_Directory

(where do I find audit.log?)

https://wiki.freeradius.org/guide/FreeRADIUS-Active-Directory-Integration-HOWTO

https://wiki.freeradius.org/guide/Active-Directory-direct-via-winbind


I have no idea why it does not work. Maybe somebody on the list has an idea?


Best Regards


-- 
Bartłomiej Solarz-Niesłuchowski, Administrator WSISiZ
e-mail: Bartlomiej.Solarz-Niesluchowski at wit.edu.pl
tel. 223486547, fax 223486501
JID: solarz at jabber.wit.edu.pl
01-447 Warszawa, ul. Newelska 6, room 421, Mon.-Fri. 8-16
Motto - As you make your bed, so you will sleep in it
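The debugging step the post is circling (is it rlm_mschap or winbind that rejects the logon?) is easiest to settle by replaying the exact challenge/NT-Response pair FreeRADIUS handed to ntlm_auth. The script below is an added example, not code from the original post or from the Samba or FreeRADIUS projects: it parses the "--> --flag=value" expansion lines of a radiusd -X log, sanity-checks the hex lengths, and prints the ntlm_auth command to run by hand. It assumes the log format shown in the post, defaults the domain to WSISIZ.EDU.PL from the post's config, and uses a constructed copy of the post's log lines as sample input.

```shell
#!/bin/sh
# Added example (not from the original post or the Samba/FreeRADIUS
# projects): rebuild the exact ntlm_auth command that rlm_mschap ran, from
# the "--> --flag=value" expansion lines in a "radiusd -X" log, so the very
# same challenge/NT-Response pair can be replayed against winbind by hand.
# Assumptions: the log format is the one shown in the post; the domain
# defaults to WSISIZ.EDU.PL from the post's config; the sample log below is
# a constructed copy of the lines in the post.

SAMPLE_LOG=$(cat <<'EOF'
(614) mschap: Client is using MS-CHAPv1 with NT-Password
(614) mschap: EXPAND --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
(614) mschap:    --> --username=test
(614) mschap: mschap1: bc
(614) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00}
(614) mschap:    --> --challenge=bc5657d8c8eeedbb
(614) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00}
(614) mschap:    --> --nt-response=5cb1d1a7f6cca180a405880b18a68c3fd904f5bd8931f46b
(614) mschap: ERROR: Program returned code (1) and output 'The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)'
EOF
)

# Expanded value of one ntlm_auth flag ($2: username, challenge, nt-response)
# as rlm_mschap logged it on its "-->" line. Only the first hit is returned.
expanded_arg() {
    printf '%s\n' "$1" | sed -n "s/^.*mschap:[[:space:]]*-->[[:space:]]*--$2=//p" | head -n 1
}

# MS-CHAP version rlm_mschap reported for the request (1, 2 or unknown).
# "radtest -t mschap" produces v1; PEAP wireless clients use v2.
mschap_version() {
    case "$1" in
        *"Client is using MS-CHAPv2"*) echo 2 ;;
        *"Client is using MS-CHAPv1"*) echo 1 ;;
        *) echo unknown ;;
    esac
}

# NT_STATUS code ntlm_auth printed, e.g. 0xc000006d (STATUS_LOGON_FAILURE).
nt_status_code() {
    printf '%s\n' "$1" | sed -n 's/.*(\(0x[0-9a-fA-F]*\)).*/\1/p' | head -n 1
}

# True if $1 is hex of exactly $2 bytes. An 8-byte challenge is 16 hex
# digits and a 24-byte NT-Response is 48; the ":-00" defaults in the
# FreeRADIUS config mean an unset attribute shows up here as "00".
hex_len_ok() {
    [ "${#1}" -eq $(( $2 * 2 )) ] && printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]+$'
}

# Print the replayable ntlm_auth command, or fail if the log shows
# rlm_mschap passed a defaulted/malformed challenge or response.
replay_command() {
    log=$1
    domain=${2:-WSISIZ.EDU.PL}
    user=$(expanded_arg "$log" username)
    chal=$(expanded_arg "$log" challenge)
    resp=$(expanded_arg "$log" nt-response)
    hex_len_ok "$chal" 8 || { echo "bad challenge from log: '$chal'" >&2; return 1; }
    hex_len_ok "$resp" 24 || { echo "bad NT-Response from log: '$resp'" >&2; return 1; }
    printf '/usr/bin/ntlm_auth --allow-mschapv2 --request-nt-key --domain=%s --username=%s --challenge=%s --nt-response=%s\n' \
        "$domain" "$user" "$chal" "$resp"
}

echo "MS-CHAP version seen by rlm_mschap: $(mschap_version "$SAMPLE_LOG")"
echo "ntlm_auth NT_STATUS:               $(nt_status_code "$SAMPLE_LOG")"
echo "replay with:"
replay_command "$SAMPLE_LOG"
```

Run the printed command as root on the member server. If ntlm_auth returns the same 0xc000006d for that fixed challenge/response pair, rlm_mschap is out of the picture and the rejection comes from winbind or the DC, so the DC's authentication logging is the next thing to read; if the hand replay succeeds, the difference lies in how FreeRADIUS builds the request. For MS-CHAPv2 requests %{mschap:Challenge} is the 8-byte challenge hash rlm_mschap derives, so the replay works for both versions. Note also that the post's log says "Client is using MS-CHAPv1" because radtest -t mschap produces a v1 request, while the WiFi clients use PEAP/MSCHAPv2; a radtest result therefore does not exercise the same path the wireless users do.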
