[Samba] [EXTERNAL] Fwd: ntlm_auth and freeradius
Kees van Vloten
keesvanvloten at gmail.com
Mon Apr 3 16:04:02 UTC 2023
On 03-04-2023 17:08, Tim ODriscoll wrote:
> > I guess we have to look at the conf files then, first these two:
>
> Thank you for the config file snippets. I can confirm mine were almost
> identical, so I've tweaked them so that they are now exactly the same
> as yours except for the
> "--require-membership-of=example\authorization_groupname" line in
> ntlm_auth.
>
> Unfortunately it's still erroring out:
> (7) mschap: Creating challenge hash with username:
> host/SL-6S4BBS3.MYDOMAIN.co.uk
> (7) mschap: Client is using MS-CHAPv2
> (7) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key
> --username=%{%{mschap:User-Name}:-00} --allow-mschapv2
> --domain=MYDOMAIN --challenge=%{%{mschap:Challenge}:-00}
> --nt-response=%{%{mschap:NT-Response}:-00}:
> (7) mschap: EXPAND --username=%{%{mschap:User-Name}:-00}
> (7) mschap: --> --username=SL-6S4BBS3$
> (7) mschap: Creating challenge hash with username:
> host/SL-6S4BBS3.MYDOMAIN.co.uk
> (7) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00}
> (7) mschap: --> --challenge=b45bc6ef86e0331a
> (7) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00}
> (7) mschap: -->
> --nt-response=a3748d3de88efabcf966a1740cb27a279d8923ebfac30d89
> (7) mschap: ERROR: Program returned code (1) and output 'The attempted
> logon is invalid. This is either due to a bad username or
> authentication information. (0xc000006d)'
> (7) mschap: External script failed
> (7) mschap: ERROR: External script says: The attempted logon is
> invalid. This is either due to a bad username or authentication
> information. (0xc000006d)
> (7) mschap: ERROR: MS-CHAP2-Response is incorrect
>
> Did you have to change any other config files?
Sure, there are more, but they are getting longer...
mods-enabled/eap:
eap {
    # Type offered when the supplicant does not request a specific one.
    # NOTE(review): EAP-MD5 gives no server authentication and derives no
    # session keys, so for 802.1X use the PEAP/TTLS types below are what
    # actually matters; md5 here is only the fallback.
    default_eap_type = md5
    # Seconds an unfinished EAP conversation is kept before it is dropped.
    timer_expire = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no
    # Concurrent EAP sessions are capped at the server-wide max_requests.
    max_sessions = ${max_requests}
    md5 {
    }
    leap {
    }
    gtc {
        # Passwords received through GTC are checked via Auth-Type PAP.
        auth_type = PAP
    }
    # TLS settings shared by the tls, ttls and peap sub-types below.
    tls-config tls-common {
        # The server key is used without a passphrase, so file permissions
        # (readable by the radiusd user only) are its only protection.
        #private_key_password = whatever
        private_key_file = /etc/ssl/private/SERVER_CERT.key
        certificate_file = /etc/ssl/certs/SERVER_CERT.crt
        # CA certificate and CRL concatenated into one file (see note below).
        # With check_crl = yes this file must be regenerated whenever the CRL
        # is reissued: an expired CRL makes client-certificate validation fail.
        ca_file = /etc/freeradius/3.0/ca_and_crl.pem # see note below
        dh_file = ${certdir}/dh
        ca_path = ${cadir}
        # Reject client certificates listed in the CRL carried by ca_file.
        check_crl = yes
        # OpenSSL's built-in default list; review it against the TLS versions
        # allowed below rather than assuming it is restrictive.
        cipher_list = "DEFAULT"
        # "no" lets the client's cipher preference win during negotiation.
        cipher_server_preference = no
        tls_min_version = "1.2" # tune these 2 to your needs
        tls_max_version = "1.3"
        ecdh_curve = "prime256v1"
        # TLS session cache disabled: every EAP-TLS exchange is a full handshake.
        cache {
            enable = no
            store {
                Tunnel-Private-Group-Id
            }
        }
        # No external verification command for client certificates.
        verify {
        }
        # OCSP is off, so revocation relies on the CRL above. The url is only
        # consulted when enable = yes and override_cert_url = yes.
        ocsp {
            enable = no
            override_cert_url = yes
            url = "http://127.0.0.1/ocsp/"
        }
    }
    tls {
        tls = tls-common
    }
    ttls {
        tls = tls-common
        default_eap_type = md5
        copy_request_to_tunnel = no
        # Inner reply attributes stay inside the tunnel; the "if (0)" block in
        # the inner-tunnel post-auth section is where that is changed.
        use_tunneled_reply = no
        virtual_server = "inner-tunnel"
    }
    peap {
        tls = tls-common
        # Inner method is MSCHAPv2, which the inner-tunnel server hands to
        # mschap -> ntlm_auth (the path shown in the debug output above).
        default_eap_type = mschapv2
        copy_request_to_tunnel = no
        use_tunneled_reply = no
        virtual_server = "inner-tunnel"
    }
    mschapv2 {
    }
}
In order to support CRL checking you have to combine the CA certificate with the
CRL into one file, like this:
cat /etc/ssl/certs/ca.pem /etc/ssl/certs/crl.pem >
/etc/freeradius/3.0/ca_and_crl.pem
To disable CRL checking, set: "check_crl = no"
sites-enabled/samba_default:
# Outer virtual server: terminates RADIUS from the NAS and runs the EAP
# module; the tunnelled inner identity is handled by "inner-tunnel".
server default {
    # Listen on every IPv4 address for authentication (UDP 1812). Which
    # peers may talk to it is decided by clients.conf and the host firewall.
    listen {
        type = auth
        ipaddr = *
        port = 1812
        # NOTE(review): limit {} is documented for TCP listeners; these
        # listeners are UDP (no proto = tcp), so it is probably inert — confirm.
        limit {
            max_connections = 16
            lifetime = 0
            idle_timeout = 30
        }
    }
    # Accounting on every IPv4 address (UDP 1813).
    listen {
        ipaddr = *
        port = 1813
        type = acct
        limit {
            max_connections = 16
            lifetime = 0
            idle_timeout = 30
        }
    }
    # Same two listeners again for IPv6, bound to all addresses.
    listen {
        type = auth
        ipv6addr = :: # any
        port = 1812
        limit {
            max_connections = 16
            lifetime = 0
            idle_timeout = 30
        }
    }
    listen {
        ipv6addr = ::
        port = 1813
        type = acct
        limit {
            max_connections = 16
            lifetime = 0
            idle_timeout = 30
        }
    }
    authorize {
        filter_username
        preprocess
        # Once eap has claimed the request, skip the remaining authorize
        # modules and go straight to authenticate.
        eap {
            ok = return
        }
        expiration
        logintime
    }
    # Only EAP is accepted on the outer server; there is no PAP/CHAP path here.
    authenticate {
        eap
    }
    preacct {
        preprocess
        acct_unique
    }
    accounting {
        detail
        attr_filter.accounting_response
    }
    post-auth {
        # Attributes collected in session-state during the EAP exchange are
        # merged into the reply.
        update {
            &reply: += &session-state:
        }
        # For Exec-Program and Exec-Program-Wait
        exec
        # Remove reply message if the response contains an EAP-Message
        remove_reply_message_if_eap
        Post-Auth-Type REJECT {
            # Strip everything from the Access-Reject that is not allowed there.
            attr_filter.access_reject
            # Insert EAP-Failure message if the request was rejected by
            # policy instead of because of an authentication failure
            eap
            # Remove reply message if the response contains an EAP-Message
            remove_reply_message_if_eap
        }
    }
    post-proxy {
        eap
    }
}
sites-enabled/samba_inner-tunnel:
# Inner virtual server for the identity carried inside the PEAP/TTLS tunnel.
# The eap module reaches it directly via virtual_server = "inner-tunnel";
# the socket below is bound to loopback only.
server inner-tunnel {
    listen {
        ipaddr = 127.0.0.1
        port = 18120
        type = auth
    }
    authorize {
        filter_username
        # mschap is expected to set Auth-Type MS-CHAP when MS-CHAP attributes
        # are present — it is the path the debug output above goes through.
        mschap
        # Pin the inner request to the LOCAL realm (defined in proxy.conf)
        # so it is never proxied.
        update control {
            &Proxy-To-Realm := LOCAL
        }
        eap {
            ok = return
        }
        expiration
        logintime
        pap
    }
    authenticate {
        # A bare module name here defines an Auth-Type of the same name.
        ntlm_auth
        Auth-Type PAP {
            pap
        }
        # MS-CHAPv2 inside PEAP ends up here; mschap calls ntlm_auth against
        # the domain (see the "Executing: /usr/bin/ntlm_auth" log line).
        Auth-Type MS-CHAP {
            mschap
        }
        mschap
        eap
    }
    session {
        radutmp
    }
    post-auth {
        # Instead of "use_tunneled_reply", change this "if (0)" to an "if (1)".
        if (0) {
            # These attributes are for the inner-tunnel only, and MUST NOT be
            # copied to the outer reply. The MS-MPPE keys in particular must
            # only ever be derived and sent by the outer server.
            update reply {
                User-Name !* ANY
                Message-Authenticator !* ANY
                EAP-Message !* ANY
                Proxy-State !* ANY
                MS-MPPE-Encryption-Types !* ANY
                MS-MPPE-Encryption-Policy !* ANY
                MS-MPPE-Send-Key !* ANY
                MS-MPPE-Recv-Key !* ANY
            }
            # Copy the inner reply attributes to the outer session-state list.
            # The post-auth policy will take care of copying the outer
            # session-state list to the outer reply.
            update {
                &outer.session-state: += &reply:
            }
        }
        Post-Auth-Type REJECT {
            attr_filter.access_reject
            # Surface the inner failure reason to the outer server's
            # session-state (for logging there; it is not put in the reply).
            update outer.session-state {
                &Module-Failure-Message := &request:Module-Failure-Message
            }
        }
    }
    post-proxy {
        eap
    }
}
proxy.conf
# proxy.conf: global proxy behaviour. With fallback disabled a request whose
# home servers are all dead is rejected rather than handled locally.
proxy server {
    default_fallback = no
}
# Home server pointing back at this host's own auth listener (UDP 1812).
home_server localhost {
    type = auth
    ipaddr = 127.0.0.1
    port = 1812
    # Placeholder — replace with a long random secret. It is the only thing
    # authenticating this proxy hop and must match the clients.conf entry
    # for 127.0.0.1 (assumed; clients.conf is not shown here).
    secret = MY_TEST_SECRET
    # Seconds to wait for a reply before the request is retried/given up.
    response_window = 20
    # Unresponsive server handling: marked zombie after 40s, retried every 120s.
    zombie_period = 40
    revive_interval = 120
    # Liveness is probed with Status-Server packets every 30s; three answers
    # bring a dead server back to alive.
    status_check = status-server
    check_interval = 30
    check_timeout = 4
    num_answers_to_alive = 3
    max_outstanding = 65536
    # CoA retransmission timers (initial/max interval, max count, max duration).
    coa {
        irt = 2
        mrt = 16
        mrc = 5
        mrd = 30
    }
    limit {
        max_connections = 16
        max_requests = 0
        lifetime = 0
        idle_timeout = 0
    }
}
# Single-member fail-over pool; add further home_server lines for redundancy.
home_server_pool samba_auth_failover {
    type = fail-over
    home_server = localhost
}
# Requests for this realm are sent to the pool above. The realm name must
# match what users actually send (user@realm), spelling included.
realm exmaple.com { # YOUR DOMAIN HERE
    auth_pool = samba_auth_failover
}
# Realm with no pool: requests assigned to it (the inner-tunnel sets
# Proxy-To-Realm := LOCAL) are handled on this server, never proxied.
realm LOCAL {
}
And then there is clients.conf, but I guess yours is working, otherwise
you would not get to this point.
- Kees.
>
> Thank you,
> Tim