[Samba] Fwd: ntlm_auth and freeradius

Kees van Vloten keesvanvloten at gmail.com
Mon Apr 3 14:47:40 UTC 2023


On 03-04-2023 at 16:05, Tim ODriscoll via samba wrote:
> Dear All,
>
> I'm trying to setup FreeRADIUS to authenticate a machine account to grant access to wifi for domain-connected machines. I think I've got the GPO's set up properly and the CA deployed to the clients, as I'm not getting any errors there.
>
> The errors I'm getting are to do with ntlm_auth not authenticating my machine account. Everything looks OK (to me) on the command line:
> # wbinfo -t
> checking the trust secret for domain MYDOMAIN via RPC calls succeeded
> # wbinfo -p
> Ping to winbindd succeeded
> # ls -ld /var/lib/samba/winbindd_privileged/
> drwxr-x---+ 2 root radiusd 18 Apr  1 21:39 /var/lib/samba/winbindd_privileged/
> # ntlm_auth --username=tim.odriscoll
> Password:
> :  (0x0)
You already did the thing I asked below...
> Samba's config has this on the member (FR) server and all the DCs:
>          ntlm auth = mschapv2-and-ntlmv2-only
>
> But I'm getting this back from FreeRADIUS:
> (7) mschap: Creating challenge hash with username: host/SL-6S4BBS3.MYDOMAIN.co.uk
> (7) mschap: Client is using MS-CHAPv2
> (7) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --allow-mschapv2 --domain=lambrook --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}:
> (7) mschap: EXPAND --username=%{mschap:User-Name}
> (7) mschap:    --> --username=SL-6S4BBS3$
> (7) mschap: Creating challenge hash with username: host/SL-6S4BBS3.MYDOMAIN.co.uk
> (7) mschap: EXPAND --challenge=%{mschap:Challenge:-00}
> (7) mschap:    --> --challenge=f4b42ffab7c68fa8
> (7) mschap: EXPAND --nt-response=%{mschap:NT-Response:-00}
> (7) mschap:    --> --nt-response=66c030f13772db256f38898578b884e013658f121d517fa3
> (7) mschap: ERROR: Program returned code (1) and output 'The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)'
> (7) mschap: External script failed
> (7) mschap: ERROR: External script says: The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)
> (7) mschap: ERROR: MS-CHAP2-Response is incorrect
>
> Anyone have any ideas what to try next?
>
> Many thanks,
> Tim


I have setup exactly the same thing recently.
It looks like the machine freeradius is running on is a samba-AD 
domain-member, correct?
Can you authenticate with a normal user:

ntlm_auth --request-nt-key --domain=<netbios_domainname> --username=<user>

Let's start with this. I could post all radius configs but that is a lot...

- Kees.


I guess we have to look at the conf files then, first these two:

mods-enabled/ntlm_auth:
exec ntlm_auth {
        wait = yes
        shell_escape = yes
        program = "/usr/bin/ntlm_auth --allow-mschapv2 --request-nt-key \
                   --domain=example \
                   --require-membership-of=example\authorization_groupname \
                   --username=%{mschap:User-Name} \
                   --password=%{User-Password}"
}

mods-enabled/mschap:
mschap {
    use_mppe = yes
    with_ntdomain_hack = yes
    require_encryption = yes
    require_strong = yes
    ntlm_auth = "/usr/bin/ntlm_auth --allow-mschapv2 --request-nt-key \
                 --domain=example \
                 --require-membership-of=example\authorization_groupname \
                 --username=%{%{mschap:User-Name}:-00} \
                 --challenge=%{%{mschap:Challenge}:-00} \
                 --nt-response=%{%{mschap:NT-Response}:-00}"

    pool {
        start = ${thread[pool].start_servers}
        min = ${thread[pool].min_spare_servers}
        max = ${thread[pool].max_servers}
        spare = ${thread[pool].max_spare_servers}
        uses = 0
        retry_delay = 30
        lifetime = 86400
        cleanup_interval = 300
        idle_timeout = 600
    }
    passchange {
    }
}

The line "--require-membership-of=example\authorization_groupname" is 
optional.
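An added illustration, not part of the thread or of FreeRADIUS/Samba: how the values in the mschap log above are derived before ntlm_auth is called. Per RFC 2759 the 8-byte `--challenge=` is SHA1(PeerChallenge || AuthenticatorChallenge || UserName)[:8], hashed over the name exactly as the peer presented it (the log shows `host/SL-6S4BBS3.MYDOMAIN.co.uk`), while `--username=` is expanded to the machine account `SL-6S4BBS3$`. The challenge bytes and the 24-byte NT-Response below are constructed sample values, and the host/ to NAME$ mapping mirrors what the log shows rather than the rlm_mschap source.

```python
import hashlib

# Constructed sample inputs; real MS-CHAPv2 challenges are 16 random bytes each.
PEER_CHALLENGE = bytes(range(16))
AUTH_CHALLENGE = bytes(range(16, 32))
NT_RESPONSE = bytes(24)          # placeholder, a real NT-Response is 24 bytes


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: str) -> bytes:
    """RFC 2759 section 8.2 ChallengeHash: the 8 bytes ntlm_auth receives as --challenge=.
    The user name is hashed as presented by the peer, minus any prepended DOMAIN\\ part."""
    if len(peer_challenge) != 16 or len(auth_challenge) != 16:
        raise ValueError("MS-CHAPv2 peer and authenticator challenges are 16 bytes each")
    name = username.rsplit("\\", 1)[-1]      # 'MYDOMAIN\\user' -> 'user'
    digest = hashlib.sha1(peer_challenge + auth_challenge + name.encode()).digest()
    return digest[:8]


def machine_account_name(identity: str) -> str:
    """Map a machine EAP identity 'host/NAME.dns.suffix' to the SAM account 'NAME$',
    as the log shows for --username=. Assumption: other identities pass through with
    only a DOMAIN\\ prefix removed (this models the log, not the rlm_mschap code)."""
    if identity.startswith("host/"):
        return identity[5:].split(".", 1)[0] + "$"
    return identity.rsplit("\\", 1)[-1]


def ntlm_auth_argv(domain: str, identity: str, peer_challenge: bytes,
                   auth_challenge: bytes, nt_response: bytes) -> list:
    """Build the argv that the mschap module's ntlm_auth line expands to, with the
    challenge and NT-Response rendered as lowercase hex exactly as in the log."""
    if len(nt_response) != 24:
        raise ValueError("MS-CHAPv2 NT-Response is 24 bytes")
    return [
        "/usr/bin/ntlm_auth", "--allow-mschapv2", "--request-nt-key",
        f"--domain={domain}",
        f"--username={machine_account_name(identity)}",
        f"--challenge={challenge_hash(peer_challenge, auth_challenge, identity).hex()}",
        f"--nt-response={nt_response.hex()}",
    ]


if __name__ == "__main__":
    # Same challenges, two identities: the 8-byte challenge differs with the name used.
    for ident in ("host/SL-6S4BBS3.MYDOMAIN.co.uk", "MYDOMAIN\\tim.odriscoll"):
        print(" ".join(ntlm_auth_argv("MYDOMAIN", ident, PEER_CHALLENGE, AUTH_CHALLENGE, NT_RESPONSE)))
```

Because the challenge is bound to the exact user name string, a mismatch between the name the client hashed and the name the server passes on is one reason a response that is otherwise valid is reported as 0xc000006d.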
