[Samba] Fwd: ntlm_auth and freeradius

Tim ODriscoll tim.odriscoll at lambrookschool.co.uk
Tue Apr 4 07:55:34 UTC 2023


On Mon, 2023-04-03 at 15:08 +0000, Tim ODriscoll via samba wrote:

Unfortunately it's still erroring out:

(7) mschap: Creating challenge hash with username: host/SL-6S4BBS3.MYDOMAIN.co.uk

(7) mschap: Client is using MS-CHAPv2

> Is this set as a UPN (with the realm appended) on the user?

I don't see any UPNs in my AD record, only SPNs - unless I misunderstand you?

I've run the 'radtest' client with '-t mschap' and without as parameters. Without '-t mschap' works, but with it fails.

I've narrowed down the authenticating DC, turned up logging and found this:
[2023/04/04 08:36:31.653500,  3] ../../source4/auth/ntlm/auth.c:207(auth_check_password_send)
  auth_check_password_send: Checking password for unmapped user [lambrook]\[tim.odriscoll]@[\\FILESB01]
  auth_check_password_send: user is: [lambrook]\[tim.odriscoll]@[\\FILESB01]
[2023/04/04 08:36:31.653534,  5] ../../source4/auth/ntlm/auth.c:70(auth_get_challenge)
  auth_get_challenge: returning previous challenge by module netr_LogonSamLogonWithFlags (normal)
[2023/04/04 08:36:31.662327,  2] ../../libcli/auth/ntlm_check.c:473(ntlm_password_check)
  ntlm_password_check: NTLMv1 passwords NOT PERMITTED for user tim.odriscoll
[2023/04/04 08:36:31.662372,  3] ../../libcli/auth/ntlm_check.c:480(ntlm_password_check)
  ntlm_password_check: NEITHER LanMan nor NT password supplied for user tim.odriscoll
[2023/04/04 08:36:31.665652,  5] ../../source4/dsdb/common/util.c:5638(dsdb_update_bad_pwd_count)

I've got this in all my DCs' /etc/samba/smb.conf files:
ntlm auth = mschapv2-and-ntlmv2-only

So, am I correct in thinking that the ntlm_auth client is not using ntlmv2?

FreeRADIUS reports this on the error:
(21) Found Auth-Type = mschap
(21) # Executing group from file /etc/raddb/sites-enabled/default
(21)   authenticate {
(21) mschap: Client is using MS-CHAPv1 with NT-Password
(21) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --username=%{%{mschap:User-Name}:-00} --allow-mschapv2 --domain=lambrook --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}:
(21) mschap: EXPAND --username=%{%{mschap:User-Name}:-00}
(21) mschap:    --> --username=tim.odriscoll
(21) mschap: mschap1: 39
(21) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00}
(21) mschap:    --> --challenge=3985fc5b9031d694
(21) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00}
(21) mschap:    --> --nt-response=32f3fe95ffa414578c60e77fca9f28af183055a5f46f262d
(21) mschap: ERROR: Program returned code (1) and output 'The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)'
(21) mschap: External script failed
(21) mschap: ERROR: External script says: The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)
(21) mschap: ERROR: MS-CHAP2-Response is incorrect

My radtest experiment:
# radtest tim.odriscoll MYPASS localhost 10 testing123
Sent Access-Request Id 138 from 0.0.0.0:41829 to 127.0.0.1:1812 length 99
      User-Name = "tim.odriscoll"
      User-Password = "MYPASS"
      NAS-IP-Address = 192.168.15.22
      NAS-Port = 10
      Message-Authenticator = 0x00
      Cleartext-Password = "MYPASS"
Received Access-Accept Id 138 from 127.0.0.1:1812 to 127.0.0.1:41829 length 36
      Tunnel-Type:0 = VLAN
      Tunnel-Medium-Type:0 = IEEE-802
      Tunnel-Private-Group-Id:0 = "30"

# radtest -t mschap tim.odriscoll MYPASS localhost 10 testing123
Sent Access-Request Id 108 from 0.0.0.0:33568 to 127.0.0.1:1812 length 139
      User-Name = "tim.odriscoll"
      MS-CHAP-Password = "MYPASS"
      NAS-IP-Address = 192.168.15.22
      NAS-Port = 10
      Message-Authenticator = 0x00
      Cleartext-Password = "MYPASS"
      MS-CHAP-Challenge = 0x84b5ae5ac964eb2c
      MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000da7a0095a13df2402e71c6c167eef1f1ae48514b721fa091
Received Access-Reject Id 108 from 127.0.0.1:1812 to 127.0.0.1:33568 length 61
      MS-CHAP-Error = "\000E=691 R=1 C=3e440e2c7065d8fb V=2"
(0) -: Expected Access-Accept got Access-Reject

Thank you for your assistance - I'm totally out of my depth here!

Tim
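As an added illustration (not part of Tim's mail or of the Samba/FreeRADIUS code), this Python decoder pulls apart the two MS-CHAP attributes from the radtest exchange above using the RFC 2433 (MS-CHAPv1) layouts; the sample values are rebuilt from that output. It shows that the '-t mschap' request carries an MS-CHAPv1 NT-Response, which is the same 24-byte DES construction as an NTLMv1 response and therefore exactly what a DC with 'ntlm auth = mschapv2-and-ntlmv2-only' refuses, and that the reject's E=691 just means authentication failure.

```python
# Decode the two MS-CHAP attributes from the radtest exchange (layouts per
# RFC 2433, MS-CHAPv1). Both sample values below are rebuilt from that output.
import re

MSCHAP_ERRORS = {  # RFC 2433 section 6 failure codes
    646: "ERROR_RESTRICTED_LOGON_HOURS", 647: "ERROR_ACCT_DISABLED",
    648: "ERROR_PASSWD_EXPIRED", 649: "ERROR_NO_DIALIN_PERMISSION",
    691: "ERROR_AUTHENTICATION_FAILURE", 709: "ERROR_CHANGING_PASSWORD",
}

def parse_mschap_response(raw: bytes) -> dict:
    """MS-CHAP-Response: ident, flags, 24-byte LM-Response, 24-byte NT-Response."""
    if len(raw) != 50:
        raise ValueError(f"MS-CHAP-Response must be 50 bytes, got {len(raw)}")
    flags = raw[1]
    uses_nt = bool(flags & 0x01)  # flags=1: the NT-Response is the one to check
    return {
        "flags": flags,
        "uses_nt_response": uses_nt,
        "lm_response": raw[2:26].hex(),
        "nt_response": raw[26:50].hex(),
        # A 24-byte NT-Response over an 8-byte challenge is the NTLMv1 DES
        # construction; ntlm_auth forwards it as --nt-response, and a DC with
        # "ntlm auth = mschapv2-and-ntlmv2-only" refuses plain NTLMv1.
        "dc_check": "NTLMv1" if uses_nt else "LanMan",
    }

_ERR_RE = re.compile(rb"E=(\d+) R=([01]) C=([0-9A-Fa-f]{16}) V=(\d+)")

def parse_mschap_error(raw: bytes) -> dict:
    """MS-CHAP-Error: ident byte, then 'E=<code> R=<retry> C=<challenge> V=<ver>'."""
    m = _ERR_RE.match(raw[1:])
    if not m:
        raise ValueError(f"unrecognised MS-CHAP-Error: {raw[1:]!r}")
    code = int(m.group(1))
    return {
        "code": code,
        "meaning": MSCHAP_ERRORS.get(code, "unknown"),
        "retry_allowed": m.group(2) == b"1",
        "new_challenge": m.group(3).decode().lower(),
        "version": int(m.group(4)),  # 2 = MS-CHAPv1 failure format
    }

# Rebuilt from the radtest output: flags 0x01, 24 zero LM bytes, NT-Response.
PAGE_RESPONSE = bytes.fromhex(
    "0001" + "00" * 24 + "da7a0095a13df2402e71c6c167eef1f1ae48514b721fa091")
PAGE_ERROR = b"\x00E=691 R=1 C=3e440e2c7065d8fb V=2"
```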

