[Samba] problems after migrating NT domain to AD (samba 4.7.x)

L.P.H. van Belle belle at bazuin.nl
Mon Sep 30 08:03:30 UTC 2019


Just follow this and it "just works"

https://wiki.samba.org/index.php/Authenticating_Freeradius_against_Active_Directory 


And this is asking for problems. 
workgroup = WSISIZ.EDU.PL

Read : https://social.technet.microsoft.com/wiki/contents/articles/34981.active-directory-best-practices-for-internal-domain-and-network-names.aspx
And from this link:
https://support.microsoft.com/nl-nl/help/909264/naming-conventions-in-active-directory-for-computers-domains-sites-and

Names can contain a period (.). However, the name cannot start with a period.
The use of non-DNS names with periods is allowed in Microsoft Windows NT.
However, periods should not be used in Microsoft Windows 2000 or in later versions of Windows.
If you are upgrading a computer whose NetBIOS name contains a period, change the machine name.
For more information, see the "Special characters" section.

And, Warning The use of NetBIOS scopes in names is a legacy configuration and should not be used with Active Directory forests

A bit later.. 
Domain names
NetBIOS domain names

 The use of non-DNS names with periods is allowed in Microsoft Windows NT. However, periods should not be used in Active Directory domains. If you are upgrading a domain whose NetBIOS name contains a period, change the name by migrating the domain to a new domain structure. Do not use periods in new NetBIOS domain names.

Rest my case. 

Solution: Fix your NetBIOS domain name and you're good to go.
And set it up as shown in the link to the Samba wiki.
I've verified that with Alan DeKok of freeradius. 


Greetz,

Louis


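As an added illustration (not code from the thread, Samba or FreeRADIUS), the check below parses the `workgroup` from an smb.conf `[global]` section and flags the naming-rule violations the reply points at: a period anywhere in the NetBIOS domain name, a leading period, more than 15 characters, and the disallowed-character set from the Microsoft naming-conventions article (the exact set is taken from memory and is an assumption). The sample configs are constructed from the quoted member-server smb.conf; the corrected name `WSISIZ` is an assumption.

```python
# Constructed sample: the [global] lines that matter from the member-server
# smb.conf quoted in the thread (the workgroup contains periods).
SMB_CONF_BEFORE = """\
[global]
        workgroup = WSISIZ.EDU.PL
        realm = ad.wsisiz.edu.pl
        security = ads
"""
# Constructed "after" sample; the new NetBIOS name is an assumption, any
# period-free name of at most 15 characters satisfies the rule.
SMB_CONF_AFTER = SMB_CONF_BEFORE.replace("WSISIZ.EDU.PL", "WSISIZ")

NETBIOS_MAX_LEN = 15
NETBIOS_BAD_CHARS = set('\\/:*?"<>|')  # disallowed per Microsoft naming rules


def parse_global(text):
    """Return the key = value pairs of the [global] section as a dict."""
    params, in_global = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            in_global = line.lower() == "[global]"
        elif in_global and "=" in line:
            key, value = line.split("=", 1)
            params[key.strip().lower()] = value.strip()
    return params


def check_netbios_domain(name):
    """List the naming-rule violations for a NetBIOS domain name."""
    problems = []
    if name.startswith("."):
        problems.append("starts with a period")
    elif "." in name:
        problems.append("contains a period (not allowed for AD domains)")
    if len(name) > NETBIOS_MAX_LEN:
        problems.append("longer than %d characters" % NETBIOS_MAX_LEN)
    bad = sorted(NETBIOS_BAD_CHARS & set(name))
    if bad:
        problems.append("disallowed characters: " + "".join(bad))
    return problems


def check_smb_conf(text):
    """Return (workgroup, problems) for the workgroup set in smb.conf."""
    workgroup = parse_global(text).get("workgroup", "")
    if not workgroup:
        return workgroup, ["no workgroup in [global]"]
    return workgroup, check_netbios_domain(workgroup)
```

Run `check_smb_conf` over both samples: the quoted config is reported for the period in `WSISIZ.EDU.PL`, the renamed one comes back clean.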

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Bartłomiej Solarz-Niesłuchowski via samba
> Sent: Saturday 28 September 2019 20:40
> To: samba at lists.samba.org
> CC: Maciej Wysocki [WSISiZ]; Administrator WIT
> Subject: [Samba] problems after migrating NT domain to AD 
> (samba 4.7.x)
> 
> Dear List,
> 
> My domain +/- works, so I try to fix rest services based on 
> domain NT/AD....
> 
> I use WiFi authorization with PEAP/MSCHAPv2 + freeradius (before 
> migration it works).
> 
> And after migration authorization does not work.
> 
> Freeradius server is on samba domain member.
> 
> So I check domain connectivity:
> 
> [root at see-you-later samba]# net ads testjoin
> Join is OK
> [root at see-you-later samba]# wbinfo -a test%XXXX
> plaintext password authentication succeeded
> challenge/response password authentication succeeded
> [root at see-you-later samba]# wbinfo -g
> 
> here list of domain group
> 
> smb.conf
> 
> [global]
>         dos charset = CP852
>          unix charset = UTF8
>          workgroup = WSISIZ.EDU.PL
>          realm = ad.wsisiz.edu.pl
>          server role = member server
>          security = ads
>          allow trusted domains = No
>          log level = 0
>          time server = Yes
>          deadtime = 60
>          hostname lookups = Yes
>          printcap cache time = 600
>          printcap name = cups
>          wins support = Yes
>          remote browse sync = oxygene.ibspan.waw.pl antarctica china 
> direct odyssey
>          winbind use default domain = Yes
>          create mask = 0644
>          inherit acls = Yes
>          remote browse sync = oceanic.wsisiz.edu.pl
>          create mask = 0644
>          hosts allow = 127., 213.135.34.0/255.255.255.0, 
> 213.135.44.0/255.255.252.0, 213.135.48.0/255.255.254.0, 
> 2001:1a68:a::/48, ::1
>          hide dot files = No
>          ea support = Yes
>          map acl inherit = Yes
>          cups options = raw
>          hide dot files = No
>          store dos attributes = Yes
>          wide links = Yes
>          acl allow execute always = yes
>          ntlm auth = mschapv2-and-ntlmv2-only
> 
> smb.conf on domain master:
> 
> [global]
>          realm = AD.WSISIZ.EDU.PL
>          server role = active directory domain controller
>          server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, 
> drepl, winbindd, ntp_signd, kcc, dnsupdate
>          workgroup = WSISIZ.EDU.PL
>          idmap_ldb:use rfc2307 = yes
>          dns update command = /usr/sbin/samba_dnsupdate 
> --use-samba-tool
>          wins server =  213.135.44.33
>          ntlm auth = mschapv2-and-ntlmv2-only
> 
> 
> ntlm_auth by hand works
> 
> [root at see-you-later samba]# /usr/bin/ntlm_auth --allow-mschapv2 
> --request-nt-key --domain=WSISIZ.EDU.PL --username=test
> Password:
> NT_STATUS_OK: The operation completed successfully. (0x0)
> 
> 
> relevant info from radius config /etc/raddb/mods-enabled/mschap
> 
> mschap {
> use_mppe = yes
> 
> require_encryption = yes
> 
> require_strong = yes
> 
> ntlm_auth = "/usr/bin/ntlm_auth --allow-mschapv2 --request-nt-key 
> --domain=WSISIZ.EDU.PL 
> --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} 
> --challenge=%{%{mschap:Challenge}:-00} 
> --nt-response=%{%{mschap:NT-Response}:-00}"
> 
> }
> 
> (I tested the same with:
> 
> winbind_username = "%{mschap:User-Name}"
> 
> winbind_domain = WSISIZ.EDU.PL with no positive result )
> 
> 
> But authorization does not work:
> 
> [root at see-you-later samba]# radtest -t mschap test XXXX 127.0.0.1 0 
> testing123
> Sent Access-Request Id 123 from 0.0.0.0:54977 to 
> 127.0.0.1:1812 length 130
>          User-Name = "test"
>          MS-CHAP-Password = "XXXX"
>          NAS-IP-Address = 213.135.44.40
>          NAS-Port = 0
>          Message-Authenticator = 0x00
>          Cleartext-Password = "XXXX"
>          MS-CHAP-Challenge = 0x06c21051f5afe8c4
>          MS-CHAP-Response = 
> 0x000100000000000000000000000000000000000000000000000085f264f7
> 61fdc1ed66f54e496bd14441aac94848336e49fc
> Received Access-Reject Id 123 from 127.0.0.1:1812 to 127.0.0.1:54977 
> length 61
>          MS-CHAP-Error = "\000E=691 R=1 C=31fc8a6f22e0e329 V=2"
> (0) -: Expected Access-Accept got Access-Reject
> 
> 
> Output from radiusd -X
> 
> (614) Found Auth-Type = MSCHAP
> (614) # Executing group from file /etc/raddb/sites-enabled/default
> (614)   authenticate {
> (614) mschap: Client is using MS-CHAPv1 with NT-Password
> (614) mschap: Executing: /usr/bin/ntlm_auth --allow-mschapv2 
> --request-nt-key --domain=WSISIZ.EDU.PL 
> --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} 
> --challenge=%{%{mschap:Challenge}:-00} 
> --nt-response=%{%{mschap:NT-Response}:-00}:
> (614) mschap: EXPAND 
> --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
> (614) mschap:    --> --username=test
> (614) mschap: mschap1: bc
> (614) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00}
> (614) mschap:    --> --challenge=bc5657d8c8eeedbb
> (614) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00}
> (614) mschap:    --> 
> --nt-response=5cb1d1a7f6cca180a405880b18a68c3fd904f5bd8931f46b
> (614) mschap: ERROR: Program returned code (1) and output 
> 'The attempted 
> logon is invalid. This is either due to a bad username or 
> authentication 
> information. (0xc000006d)'
> (614) mschap: External script failed
> (614) mschap: ERROR: External script says: The attempted logon is 
> invalid. This is either due to a bad username or authentication 
> information. (0xc000006d)
> (614) mschap: ERROR: MS-CHAP2-Response is incorrect
> (614)     [mschap] = reject
> (614)   } # authenticate = reject
> (614) Failed to authenticate the user
> (614) Using Post-Auth-Type Reject
> (614) # Executing group from file /etc/raddb/sites-enabled/default
> (614)   Post-Auth-Type REJECT {
> (614) attr_filter.access_reject: EXPAND %{User-Name}
> (614) attr_filter.access_reject:    --> test
> (614) attr_filter.access_reject: Matched entry DEFAULT at line 11
> (614)     [attr_filter.access_reject] = updated
> (614)     [eap] = noop
> (614)     policy remove_reply_message_if_eap {
> (614)       if (&reply:EAP-Message && &reply:Reply-Message) {
> (614)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
> (614)       else {
> (614)         [noop] = noop
> (614)       } # else = noop
> (614)     } # policy remove_reply_message_if_eap = noop
> (614)   } # Post-Auth-Type REJECT = updated
> (614) Login incorrect (mschap: Program returned code (1) and 
> output 'The 
> attempted logon is invalid. This is either due to a bad username or 
> authentication information. (0xc000006d)'): [test/<via Auth-Type = 
> MSCHAP>] (from client localhost port 0)
> (614) Delaying response for 1.000000 seconds
> Waking up in 0.2 seconds.
> Waking up in 0.7 seconds.
> (614) Sending delayed response
> (614) Sent Access-Reject Id 112 from 127.0.0.1:1812 to 
> 127.0.0.1:51747 
> length 61
> (614)   MS-CHAP-Error = "\000E=691 R=1 C=1ea8abc7f8bc2ca7 V=2"
> Waking up in 3.9 seconds.
> 
> I read:
> 
> https://wiki.samba.org/index.php/Authenticating_Freeradius_aga
> inst_Active_Directory
> 
> (where can I find audit.log?)
> 
> https://wiki.freeradius.org/guide/FreeRADIUS-Active-Directory-
> Integration-HOWTO
> 
> https://wiki.freeradius.org/guide/Active-Directory-direct-via-winbind
> 
> 
> I have no idea why it does not work - maybe somebody on the list
> has an idea?
> 
> 
> Best Regards
> 
> 
> -- 
> Bartłomiej Solarz-Niesłuchowski, Administrator WSISiZ
> e-mail: Bartlomiej.Solarz-Niesluchowski at wit.edu.pl
> tel. 223486547, fax 223486501
> JID: solarz at jabber.wit.edu.pl
> 01-447 Warszawa, ul. Newelska 6, room 421, Mon-Fri 8-16
> Motto - As you make your bed, so you will sleep in it
> 
