[Samba] [EXTERNAL] Fwd: ntlm_auth and freeradius
Kees van Vloten
keesvanvloten at gmail.com
Tue Apr 4 07:51:01 UTC 2023
Op 04-04-2023 om 09:45 schreef Andrew Bartlett:
> On Tue, 2023-04-04 at 09:37 +0200, Kees van Vloten wrote:
>> Op 04-04-2023 om 00:32 schreef Andrew Bartlett:
>>
>>> On Mon, 2023-04-03 at 15:08 +0000, Tim ODriscoll via samba wrote:
>>>
>>>> Unfortunately it's still erroring out:
>>>> (7) mschap: Creating challenge hash with username: host/SL-6S4BBS3.MYDOMAIN.co.uk
>>>> (7) mschap: Client is using MS-CHAPv2
>>>
>>> Is this set as a UPN (with the realm appended) on the user?
>>>
>> In my environment (where samba + freeradius + wifi connect with
>> machine account works), there is no UPN set on the machine account,
>> just a set of SPNs:
>>
>> servicePrincipalName: HOST/myhost.example.com
>> servicePrincipalName: RestrictedKrbHost/myhost.example.com
>> servicePrincipalName: HOST/MYHOST
>> servicePrincipalName: RestrictedKrbHost/BARTOK
>> servicePrincipalName: WSMAN/myhost.example.com
>> servicePrincipalName: WSMAN/myhost
>> servicePrincipalName: TERMSRV/myhost.example.com
>> servicePrincipalName: TERMSRV/MYHOST
>>
>> One of which does match with the username in Tim's output, btw. I
>> have seen exactly the same username format while I was setting this
>> up around a month ago.
>>
>> - Kees.
>>
> So NTLM (and Kerberos client) authentication is not possible with an
> SPN, but many folks work around it by selecting one of these and
> having that in the UPN, eg
> userPrincipalName: HOST/myhost.example.com at example.com
>
> This is about the (unusual) username pattern Tim is using, you may be
> logging in with myhost$, which would work normally.
In the end freeradius uses myhost$ to login, that is indeed what I see
in the audit.log on the DC. Kerberos is not involved at all between the
client-machine and the DC. It sends the machine-password to freeradius,
which uses ntlm_auth + winbind to login, but first it transforms the
username from the UPN into a normal username.
>
> Andrew Bartlett
>
> --
> Andrew Bartlett (he/him)https://samba.org/~abartlet/
> Samba Team Member (since 2001)https://samba.org
> Samba Developer, Catalyst IThttps://catalyst.net.nz/services/samba
>
More information about the samba
mailing list