[Samba] problems after migrating NT domain to AD (samba 4.7.x)
L.P.H. van Belle
belle at bazuin.nl
Mon Sep 30 08:03:30 UTC 2019
Just follow this and it "just works"
https://wiki.samba.org/index.php/Authenticating_Freeradius_against_Active_Directory
And this is asking for problems.
workgroup = WSISIZ.EDU.PL
Read: https://social.technet.microsoft.com/wiki/contents/articles/34981.active-directory-best-practices-for-internal-domain-and-network-names.aspx
And from this link:
https://support.microsoft.com/nl-nl/help/909264/naming-conventions-in-active-directory-for-computers-domains-sites-and
Names can contain a period (.). However, the name cannot start with a period.
The use of non-DNS names with periods is allowed in Microsoft Windows NT.
However, periods should not be used in Microsoft Windows 2000 or in later versions of Windows.
If you are upgrading a computer whose NetBIOS name contains a period, change the machine name.
For more information, see the "Special characters" section.
And, Warning: The use of NetBIOS scopes in names is a legacy configuration and should not be used with Active Directory forests.
A bit later...
Domain names
NetBIOS domain names
The use of non-DNS names with periods is allowed in Microsoft Windows NT. However, periods should not be used in Active Directory domains. If you are upgrading a domain whose NetBIOS name contains a period, change the name by migrating the domain to a new domain structure. Do not use periods in new NetBIOS domain names.
Rest my case.
Solution: Fix your NetBIOS domain name and you're good to go.
And set up as shown in the link to the Samba wiki.
I've verified that with Alan DeKok of freeradius.
Greetz,
Louis
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Bartłomiej Solarz-Niesłuchowski via samba
> Sent: Saturday 28 September 2019 20:40
> To: samba at lists.samba.org
> CC: Maciej Wysocki [WSISiZ]; Administrator WIT
> Subject: [Samba] problems after migrating NT domain to AD
> (samba 4.7.x)
>
> Dear List,
>
> My domain +/- works, so I am trying to fix the rest of the services based on
> the NT/AD domain....
>
> I use WiFi authorization with PEAP/MSCHAPv2 + freeradius (before the
> migration it worked).
>
> And after the migration, authorization does not work.
>
> The FreeRADIUS server is on a Samba domain member.
>
> So I checked domain connectivity:
>
> [root at see-you-later samba]# net ads testjoin
> Join is OK
> [root at see-you-later samba]# wbinfo -a test%XXXX
> plaintext password authentication succeeded
> challenge/response password authentication succeeded
> [root at see-you-later samba]# wbinfo -g
>
> here a list of domain groups
>
> smb.conf
>
> [global]
> dos charset = CP852
> unix charset = UTF8
> workgroup = WSISIZ.EDU.PL
> realm = ad.wsisiz.edu.pl
> server role = member server
> security = ads
> allow trusted domains = No
> log level = 0
> time server = Yes
> deadtime = 60
> hostname lookups = Yes
> printcap cache time = 600
> printcap name = cups
> wins support = Yes
> remote browse sync = oxygene.ibspan.waw.pl antarctica china direct odyssey
> winbind use default domain = Yes
> create mask = 0644
> inherit acls = Yes
> remote browse sync = oceanic.wsisiz.edu.pl
> create mask = 0644
> hosts allow = 127., 213.135.34.0/255.255.255.0,
> 213.135.44.0/255.255.252.0, 213.135.48.0/255.255.254.0,
> 2001:1a68:a::/48, ::1
> hide dot files = No
> ea support = Yes
> map acl inherit = Yes
> cups options = raw
> hide dot files = No
> store dos attributes = Yes
> wide links = Yes
> acl allow execute always = yes
> ntlm auth = mschapv2-and-ntlmv2-only
>
> smb.conf on domain master:
>
> [global]
> realm = AD.WSISIZ.EDU.PL
> server role = active directory domain controller
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
> workgroup = WSISIZ.EDU.PL
> idmap_ldb:use rfc2307 = yes
> dns update command = /usr/sbin/samba_dnsupdate --use-samba-tool
> wins server = 213.135.44.33
> ntlm auth = mschapv2-and-ntlmv2-only
>
>
> ntlm_auth by hand works
>
> [root at see-you-later samba]# /usr/bin/ntlm_auth --allow-mschapv2 --request-nt-key --domain=WSISIZ.EDU.PL --username=test
> Password:
> NT_STATUS_OK: The operation completed successfully. (0x0)
>
>
> relevant info from radius config /etc/raddb/mods-enabled/mschap
>
> mschap {
> use_mppe = yes
>
> require_encryption = yes
>
> require_strong = yes
>
> ntlm_auth = "/usr/bin/ntlm_auth --allow-mschapv2 --request-nt-key --domain=WSISIZ.EDU.PL --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
>
> }
>
> (I tested the same with:
>
> winbind_username = "%{mschap:User-Name}"
>
> winbind_domain = WSISIZ.EDU.PL with no positive result)
>
>
> But authorization does not work:
>
> [root at see-you-later samba]# radtest -t mschap test XXXX 127.0.0.1 0 testing123
> Sent Access-Request Id 123 from 0.0.0.0:54977 to
> 127.0.0.1:1812 length 130
> User-Name = "test"
> MS-CHAP-Password = "XXXX"
> NAS-IP-Address = 213.135.44.40
> NAS-Port = 0
> Message-Authenticator = 0x00
> Cleartext-Password = "XXXX"
> MS-CHAP-Challenge = 0x06c21051f5afe8c4
> MS-CHAP-Response =
> 0x000100000000000000000000000000000000000000000000000085f264f7
> 61fdc1ed66f54e496bd14441aac94848336e49fc
> Received Access-Reject Id 123 from 127.0.0.1:1812 to 127.0.0.1:54977
> length 61
> MS-CHAP-Error = "\000E=691 R=1 C=31fc8a6f22e0e329 V=2"
> (0) -: Expected Access-Accept got Access-Reject
>
>
> Output from radiusd -X
>
> (614) Found Auth-Type = MSCHAP
> (614) # Executing group from file /etc/raddb/sites-enabled/default
> (614) authenticate {
> (614) mschap: Client is using MS-CHAPv1 with NT-Password
> (614) mschap: Executing: /usr/bin/ntlm_auth --allow-mschapv2
> --request-nt-key --domain=WSISIZ.EDU.PL
> --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
> --challenge=%{%{mschap:Challenge}:-00}
> --nt-response=%{%{mschap:NT-Response}:-00}:
> (614) mschap: EXPAND
> --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
> (614) mschap: --> --username=test
> (614) mschap: mschap1: bc
> (614) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00}
> (614) mschap: --> --challenge=bc5657d8c8eeedbb
> (614) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00}
> (614) mschap: -->
> --nt-response=5cb1d1a7f6cca180a405880b18a68c3fd904f5bd8931f46b
> (614) mschap: ERROR: Program returned code (1) and output
> 'The attempted
> logon is invalid. This is either due to a bad username or
> authentication
> information. (0xc000006d)'
> (614) mschap: External script failed
> (614) mschap: ERROR: External script says: The attempted logon is
> invalid. This is either due to a bad username or authentication
> information. (0xc000006d)
> (614) mschap: ERROR: MS-CHAP2-Response is incorrect
> (614) [mschap] = reject
> (614) } # authenticate = reject
> (614) Failed to authenticate the user
> (614) Using Post-Auth-Type Reject
> (614) # Executing group from file /etc/raddb/sites-enabled/default
> (614) Post-Auth-Type REJECT {
> (614) attr_filter.access_reject: EXPAND %{User-Name}
> (614) attr_filter.access_reject: --> test
> (614) attr_filter.access_reject: Matched entry DEFAULT at line 11
> (614) [attr_filter.access_reject] = updated
> (614) [eap] = noop
> (614) policy remove_reply_message_if_eap {
> (614) if (&reply:EAP-Message && &reply:Reply-Message) {
> (614) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
> (614) else {
> (614) [noop] = noop
> (614) } # else = noop
> (614) } # policy remove_reply_message_if_eap = noop
> (614) } # Post-Auth-Type REJECT = updated
> (614) Login incorrect (mschap: Program returned code (1) and
> output 'The
> attempted logon is invalid. This is either due to a bad username or
> authentication information. (0xc000006d)'): [test/<via Auth-Type =
> MSCHAP>] (from client localhost port 0)
> (614) Delaying response for 1.000000 seconds
> Waking up in 0.2 seconds.
> Waking up in 0.7 seconds.
> (614) Sending delayed response
> (614) Sent Access-Reject Id 112 from 127.0.0.1:1812 to
> 127.0.0.1:51747
> length 61
> (614) MS-CHAP-Error = "\000E=691 R=1 C=1ea8abc7f8bc2ca7 V=2"
> Waking up in 3.9 seconds.
>
> I read:
>
> https://wiki.samba.org/index.php/Authenticating_Freeradius_against_Active_Directory
>
> (where do I find audit.log?)
>
> https://wiki.freeradius.org/guide/FreeRADIUS-Active-Directory-Integration-HOWTO
>
> https://wiki.freeradius.org/guide/Active-Directory-direct-via-winbind
>
>
> I have no idea why it does not work - maybe somebody on the list
> has an idea?
>
>
> Best Regards
>
>
> --
> Bartłomiej Solarz-Niesłuchowski, Administrator WSISiZ
> e-mail: Bartlomiej.Solarz-Niesluchowski at wit.edu.pl
> tel. 223486547, fax 223486501
> JID: solarz at jabber.wit.edu.pl
> 01-447 Warszawa, ul. Newelska 6, room 421, Mon.-Fri. 8-16
> Motto - As you make your bed, so you will sleep in it
>
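A check for the point Louis makes, added here as an example and not part of either mail: it reads the workgroup out of an smb.conf-style fragment (constructed from the values in the thread) and reports NetBIOS domain-name violations, including the period rule quoted above. The 15-character limit and the illegal-character set are Microsoft's general NetBIOS naming rules, not something stated in this thread.

```python
import re

# Constructed smb.conf fragment using the values from the thread (not the poster's full file).
SAMPLE_SMB_CONF = """
[global]
    workgroup = WSISIZ.EDU.PL
    realm = ad.wsisiz.edu.pl
    server role = member server
    security = ads
"""

NETBIOS_MAX_LEN = 15                 # NetBIOS names are 16 bytes; the 16th byte is the suffix
NETBIOS_ILLEGAL = set('\\/:*?"<>|')  # characters Microsoft disallows in NetBIOS names


def parse_global(conf_text):
    """Return the [global] parameters of an smb.conf text as a dict with lower-cased keys."""
    params, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith((';', '#')):
            continue
        m = re.match(r'^\[(.+)\]$', line)
        if m:
            section = m.group(1).lower()
            continue
        if section == 'global' and '=' in line:
            key, _, value = line.partition('=')
            params[key.strip().lower()] = value.strip()
    return params


def check_netbios_domain(name):
    """Return the list of naming-rule violations for a NetBIOS domain name (empty = fine)."""
    problems = []
    if name.startswith('.'):
        problems.append('name must not start with a period')
    elif '.' in name:
        problems.append('periods are not allowed in an Active Directory NetBIOS domain name')
    if len(name) > NETBIOS_MAX_LEN:
        problems.append(f'longer than {NETBIOS_MAX_LEN} characters')
    bad = sorted(NETBIOS_ILLEGAL & set(name))
    if bad:
        problems.append('illegal characters: ' + ''.join(bad))
    return problems


def audit_smb_conf(conf_text):
    """Read 'workgroup' from an smb.conf text and return its NetBIOS naming problems."""
    workgroup = parse_global(conf_text).get('workgroup', '')
    return check_netbios_domain(workgroup)
```

Running `audit_smb_conf(SAMPLE_SMB_CONF)` flags the period in `WSISIZ.EDU.PL`, which is exactly the configuration the reply above objects to.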