[Samba] [EXTERNAL] Fwd: ntlm_auth and freeradius

Kees van Vloten keesvanvloten at gmail.com
Tue Apr 4 07:51:01 UTC 2023

On 04-04-2023 at 09:45, Andrew Bartlett wrote:
> On Tue, 2023-04-04 at 09:37 +0200, Kees van Vloten wrote:
>> On 04-04-2023 at 00:32, Andrew Bartlett wrote:
>>> On Mon, 2023-04-03 at 15:08 +0000, Tim ODriscoll via samba wrote:
>>>> Unfortunately it's still erroring out:
>>>> (7) mschap: Creating challenge hash with username: host/SL-6S4BBS3.MYDOMAIN.co.uk
>>>> (7) mschap: Client is using MS-CHAPv2
>>> Is this set as a UPN (with the realm appended) on the user?
>> In my environment (where samba + freeradius + wifi connect with 
>> machine account works), there is no UPN set on the machine account, 
>> just a set of SPNs:
>> servicePrincipalName: HOST/myhost.example.com
>> servicePrincipalName: RestrictedKrbHost/myhost.example.com
>> servicePrincipalName: HOST/MYHOST
>> servicePrincipalName: RestrictedKrbHost/BARTOK
>> servicePrincipalName: WSMAN/myhost.example.com
>> servicePrincipalName: WSMAN/myhost
>> servicePrincipalName: TERMSRV/myhost.example.com
>> servicePrincipalName: TERMSRV/MYHOST
>> One of which does match with the username in Tim's output, btw. I 
>> have seen exactly the same username format while I was setting this 
>> up around a month ago.
>> - Kees.
> So NTLM (and Kerberos client) authentication is not possible with an 
> SPN, but many folks work around it by selecting one of these and 
> having that in the UPN, eg
> userPrincipalName: HOST/myhost.example.com at example.com
> This is about the (unusual) username pattern Tim is using, you may be 
> logging in with myhost$, which would work normally.
In the end freeradius uses myhost$ to log in, that is indeed what I see 
in the audit.log on the DC. Kerberos is not involved at all between the 
client machine and the DC. It sends the machine password to freeradius, 
which uses ntlm_auth + winbind to log in, but first it transforms the 
username from the UPN into a normal username.
> Andrew Bartlett
> -- 
> Andrew Bartlett (he/him)                       https://samba.org/~abartlet/
> Samba Team Member (since 2001)                 https://samba.org
> Samba Developer, Catalyst IT                   https://catalyst.net.nz/services/samba
