[Samba] Fwd: ntlm_auth and freeradius

Andrew Bartlett abartlet at samba.org
Tue Apr 4 08:04:09 UTC 2023


On Tue, 2023-04-04 at 07:55 +0000, Tim ODriscoll wrote:
> On Mon, 2023-04-03 at 15:08 +0000, Tim ODriscoll via samba wrote:
> 
> > Unfortunately it's still erroring out:
> > (7) mschap: Creating challenge hash with username: host/SL-6S4BBS3.MYDOMAIN.co.uk
> > (7) mschap: Client is using MS-CHAPv2
> 
> > Is this set as a UPN (with the realm appended) on the user?
> 
> I don't see any UPNs in my AD record, only SPNs - unless I
> misunderstand you?
> 
> I've run the 'radtest' client with '-t mschap' and without as
> parameters. Without '-t mschap' works, but with it fails.
> 
> I've narrowed down the authenticating DC, turned up logging and found
> this:
> 
> [2023/04/04 08:36:31.653500,  3] ../../source4/auth/ntlm/auth.c:207(auth_check_password_send)
>   auth_check_password_send: Checking password for unmapped user [lambrook]\[tim.odriscoll]@[\\FILESB01]
>   auth_check_password_send: user is: [lambrook]\[tim.odriscoll]@[\\FILESB01]
> [2023/04/04 08:36:31.653534,  5] ../../source4/auth/ntlm/auth.c:70(auth_get_challenge)
>   auth_get_challenge: returning previous challenge by module netr_LogonSamLogonWithFlags (normal)
> [2023/04/04 08:36:31.662327,  2] ../../libcli/auth/ntlm_check.c:473(ntlm_password_check)
>   ntlm_password_check: NTLMv1 passwords NOT PERMITTED for user tim.odriscoll

You said earlier that you have set ntlm auth = mschapv2-and-ntlmv2-only

This means to reject NTLMv1, which MSCHAPv2 is cryptographically,
unless the client makes special pleading that it used MSCHAPv2 with
its client.

This is related to the missing ntlm_auth option --allow-mschapv2


-- 
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba
Samba Development and Support, Catalyst.Net Limited
Catalyst.Net Ltd - a Catalyst IT group company - Expert Open Source Solutions
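
The two settings this reply ties together, shown side by side as an added example that is not part of the original message or of the Samba or FreeRADIUS projects' own files. The `ntlm_auth` path and the FreeRADIUS 3 module layout and attribute expansions are assumptions.

```conf
# --- smb.conf on the Samba AD DC (the setting quoted in the reply) ---
[global]
    # Plain NTLMv1 is rejected. An NTLMv1-format response is accepted only
    # when the submitting client declares that it comes from MSCHAPv2.
    ntlm auth = mschapv2-and-ntlmv2-only

# --- FreeRADIUS mschap module (assumed FreeRADIUS 3 layout) ---
mschap {
    # --allow-mschapv2 is the declaration the DC setting above requires.
    # Without it the MS-CHAPv2 response is treated as plain NTLMv1, which
    # is the "NTLMv1 passwords NOT PERMITTED" failure in the quoted DC log.
    # /usr/bin/ntlm_auth is an assumed path; adjust to the local install.
    ntlm_auth = "/usr/bin/ntlm_auth --allow-mschapv2 --request-nt-key --username=%{%{mschap:User-Name}:-00} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
}
```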