[Samba] Freeradius, Samba AD and machine account...

Marco Gaiarin gaio at sv.lnf.it
Mon Jul 19 11:04:49 UTC 2021


Hello! Michael Jones via samba
  On that day you wrote...

> I was able to get this working on my network for Windows machines (I never
> tried with Linux machines).
> Here's my terribly formatted writeup from back then.
> http://cogito.jonesmz.com/2019/02/configuring-freeradius-against-samba-4.html

That is more or less my configuration, but re-reading it and reviewing
my setup after the weekend helped.


It was partially my fault: I do filter clients by group membership, and
I was looking for groups defined outside my filter base. Damn me!


But after fixing that, another error popped up:

 (9) eap_mschapv2: # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
 (9) eap_mschapv2:   authenticate {
 (9) mschap: Creating challenge hash with username: host/AFTERSHOCK.ad.fvg.lnf.it
 (9) mschap: Client is using MS-CHAPv2
 (9) mschap: EXPAND %{%{mschap:User-Name}:-None}
 (9) mschap:    --> AFTERSHOCK$
 (9) mschap: EXPAND %{%{mschap:NT-Domain}:-LNFFVG}
 (9) mschap:    --> ad
 rlm_mschap (mschap): Reserved connection (0)
 (9) mschap: sending authentication request user='AFTERSHOCK$' domain='ad'
 rlm_mschap (mschap): Released connection (0)
 rlm_mschap (mschap): Need 5 more connections to reach 10 spares
 rlm_mschap (mschap): Opening additional connection (5), 1 of 27 pending slots used
 (9) mschap: ERROR: The specified account does not exist. [0xC0000064]
 (9) mschap: ERROR: Password has expired.  User should retry authentication
 (9)     [mschap] = reject
 (9)   } # authenticate = reject

As you can see, for some reason the 'mschap{}' module expands my NetBIOS
domain name as 'ad' (i.e. the first part of my Kerberos domain,
'AD.FVG.LNF.IT') instead of 'LNFFVG'; I'm not in a forest, I have a single
domain, so I simply 'fixed' that with:

	winbind_domain = "LNFFVG"

in the mschap{} module (i.e. making the domain static rather than taking it from the
request).
Note that for user authentication this is not needed, i.e. users have
'LNFFVG' (or a null) domain as expected, so that:

	winbind_domain = "%{%{mschap:NT-Domain}:-LNFFVG}"

works.


This seems strange to me, but probably this is a FreeRADIUS problem and
I need to ask on the FreeRADIUS support list.


Anyway, thanks to all!!!

-- 
dott. Marco Gaiarin				        GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
  Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

		Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
      http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
	(tax code 00307430132, category ONLUS or HEALTH RESEARCH)

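The behaviour in the log above (a machine account whose User-Name is host/AFTERSHOCK.ad.fvg.lnf.it expanding to 'AFTERSHOCK$' with NT-Domain 'ad') follows from how the mschap module's User-Name and NT-Domain xlats split the name, and from the fact that a `%{...:-default}` only kicks in when the inner expansion fails or is empty, not when it returns a wrong but non-empty value. The following is an added example, written for this page and not code from the original post or from FreeRADIUS: it reimplements those two xlats in Python, reproduces the 'ad' result, and shows an alternative to hard-coding winbind_domain that maps the DNS domain of a host/ name to its NetBIOS name. The DNS_TO_NETBIOS table and all function names are assumptions made for the example.

```python
"""Reproduce how the FreeRADIUS rlm_mschap xlats %{mschap:User-Name} and
%{mschap:NT-Domain} derive their values from the RADIUS User-Name, and
why a Windows machine account (host/FQDN) yields the first DNS label as
NT-Domain. Added example, not FreeRADIUS code and not part of the post.
"""

from typing import Dict, Optional

# Constructed mapping from AD DNS domain to NetBIOS name (assumption for
# this example). In the post the single domain ad.fvg.lnf.it is LNFFVG.
DNS_TO_NETBIOS: Dict[str, str] = {
    "ad.fvg.lnf.it": "LNFFVG",
}


def mschap_user_name(user_name: str) -> str:
    """Mirror of %{mschap:User-Name}.

    DOMAIN\\user       -> user
    host/NAME.dns.tld -> NAME$   (the machine account's SAM name)
    anything else     -> unchanged
    """
    if "\\" in user_name:
        return user_name.split("\\", 1)[1]
    if user_name.startswith("host/"):
        host = user_name[5:].split(".", 1)[0]
        return host + "$"
    return user_name


def mschap_nt_domain(user_name: str) -> Optional[str]:
    """Mirror of %{mschap:NT-Domain}.

    DOMAIN\\user       -> DOMAIN
    host/NAME.dns.tld -> the first DNS label after the host name ("dns"),
                         or the literal "None" when the name has no dot
    anything else     -> the expansion fails (None here), which is the
                         only case where a :-default in the xlat applies
    """
    if "\\" in user_name:
        return user_name.split("\\", 1)[0]
    if user_name.startswith("host/"):
        rest = user_name[5:]
        if "." not in rest:
            return "None"
        dns_suffix = rest.split(".", 1)[1]
        return dns_suffix.split(".", 1)[0]
    return None


def xlat_with_default(value: Optional[str], default: str) -> str:
    """The %{%{...}:-default} construct: the default replaces a failed or
    empty expansion, never a successful one that happens to be wrong."""
    return value if value else default


def winbind_domain(user_name: str, netbios_default: str) -> str:
    """What winbind_domain = "%{%{mschap:NT-Domain}:-LNFFVG}" produces."""
    return xlat_with_default(mschap_nt_domain(user_name), netbios_default)


def winbind_domain_for_host(user_name: str, netbios_default: str) -> str:
    """Alternative to a static winbind_domain: keep NT-Domain for
    DOMAIN\\user logins, but translate the DNS domain of a host/ name to
    its NetBIOS name via DNS_TO_NETBIOS, falling back to the default."""
    if user_name.startswith("host/"):
        rest = user_name[5:]
        dns_domain = rest.split(".", 1)[1].lower() if "." in rest else ""
        return DNS_TO_NETBIOS.get(dns_domain, netbios_default)
    return winbind_domain(user_name, netbios_default)


if __name__ == "__main__":
    # Constructed sample names: the machine account from the post's log,
    # a DOMAIN\user login and a bare user name.
    for name in ("host/AFTERSHOCK.ad.fvg.lnf.it", "LNFFVG\\gaio", "gaio"):
        print(f"{name:32} user={mschap_user_name(name):12} "
              f"xlat-domain={winbind_domain(name, 'LNFFVG'):8} "
              f"mapped-domain={winbind_domain_for_host(name, 'LNFFVG')}")
```

For the machine account the xlat-based setting hands winbind the domain 'ad', which is what the log shows, while the mapped variant returns LNFFVG; for DOMAIN\user and bare user names both variants agree, which is why the author saw no problem with interactive users.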