[Samba] Running ntlm_auth on Domain member vs running it on DC
Gopal Raman
graman at nilesecure.com
Wed Jan 22 18:07:36 UTC 2025
I've set up Samba as an AD DC on Ubuntu 22.04. My goal is to use it for
testing PEAP MSChapv2 authentication on a Radius server, where I want the
Radius server to validate the MSChapV2 Challenge-Response sent by the
client by talking to the Samba DC ecosystem. I'm using the ntlm_auth
program to talk to Samba, and it works as expected when I run it on the DC
host in a bash shell like so:
ntlm_auth --allow-mschapv2 --request-nt-key --username=nileadmin
--challenge=eaea1458abf1a0b7
--nt-response=8f9ab8760a15cd40f2686c5a4c7954922ed17fb9f4cad7b3
The above is OK for testing, but in practice I won't be able to run shell
commands on the DC (it could be a Windows server), so I have to run
ntlm_auth on a different host. So I added another Linux server as a domain
member and joined it to the domain. However, when I run the exact same
ntlm_auth command on the member host, it gives the error below:
*The attempted logon is invalid. This is either due to a bad username or
authentication information. (0xc000006d)*
I did a Wireshark capture when I ran the above command, and all I saw was a
DCERPC request from the member to the DC and a DCERPC response. Wireshark
says it's encrypted, and I don't know how to get the key to decrypt it. I
also don't see any activity in the /var/log/samba/log.* files on the DC when I
run the ntlm_auth program. I've set the logging level for smbd,
winbindd, and nmbd to 10 on the DC using smbcontrol.
My smb.conf file on the domain member is below. I can provide the smb.conf
from the AD DC on request if that helps.
[global]
winbind separator = +
winbind cache time = 10
template shell = /bin/bash
template homedir = /home/%D/%U
idmap config * : range = 10000-20000
workgroup = CN
security = domain
winbind use default domain = no
realm = CN.LAN
password server = *
ntlm auth = mschapv2-and-ntlmv2-only
winbind offline logon = false
[homes]
comment = Home Directories
browseable = no
writable = yes
I would really appreciate any help. I'm reviewing the sources in the source3/winbindd
directory as we speak, but it's quite involved!
Gopal Raman
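An added example (not from this post or from Samba) of the RADIUS-side glue the post describes: deriving the 8-byte challenge that ntlm_auth expects from the MS-CHAPv2 peer and authenticator challenges plus the bare username (RFC 2759 ChallengeHash), assembling the ntlm_auth command line, and parsing its NT_KEY result. Function names are hypothetical, and ntlm_auth is assumed to be on PATH.

```python
"""RADIUS-side helpers around ntlm_auth for PEAP/MS-CHAPv2 (example code)."""
import hashlib
import re
import subprocess

NTLM_AUTH = "ntlm_auth"  # assumed to be on PATH on the domain-member host


def mschapv2_challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: str) -> bytes:
    """RFC 2759 ChallengeHash(): SHA1(PeerChallenge || AuthenticatorChallenge || UserName)[:8].

    UserName must be the bare account name as the client hashed it (no DOMAIN\\ or
    @realm); otherwise the challenge handed to ntlm_auth cannot match the client's
    NT-Response and the DC will answer with STATUS_LOGON_FAILURE (0xc000006d).
    """
    if len(peer_challenge) != 16 or len(auth_challenge) != 16:
        raise ValueError("MS-CHAPv2 peer and authenticator challenges are 16 bytes each")
    sha = hashlib.sha1()
    sha.update(peer_challenge)
    sha.update(auth_challenge)
    sha.update(username.encode("utf-8"))
    return sha.digest()[:8]


def build_ntlm_auth_argv(username: str, challenge: bytes, nt_response: bytes, domain: str = None):
    """Command line equivalent to the one in the post; --domain is ntlm_auth's real
    option for naming the domain explicitly when the member host should not guess it."""
    if len(challenge) != 8 or len(nt_response) != 24:
        raise ValueError("challenge must be 8 bytes and NT-Response 24 bytes")
    argv = [NTLM_AUTH, "--allow-mschapv2", "--request-nt-key",
            f"--username={username}", f"--challenge={challenge.hex()}",
            f"--nt-response={nt_response.hex()}"]
    if domain:
        argv.append(f"--domain={domain}")
    return argv


def parse_ntlm_auth_output(returncode: int, stdout: str):
    """ntlm_auth exits 0 and prints 'NT_KEY: <32 hex>' on success; on failure it exits
    non-zero and prints the NT_STATUS text, as seen in the post. Returns (ok, nt_key)."""
    match = re.search(r"^NT_KEY:\s*([0-9A-Fa-f]{32})\s*$", stdout, re.MULTILINE)
    if returncode == 0 and match:
        return True, bytes.fromhex(match.group(1))
    return False, None


def verify_with_ntlm_auth(username, peer_challenge, auth_challenge, nt_response, domain=None):
    """Run the full check for one Access-Request; never logs the NT_KEY itself."""
    challenge = mschapv2_challenge_hash(peer_challenge, auth_challenge, username)
    proc = subprocess.run(build_ntlm_auth_argv(username, challenge, nt_response, domain),
                          capture_output=True, text=True, check=False)
    return parse_ntlm_auth_output(proc.returncode, proc.stdout)
```

The challenge-hash test vector below is the one published in RFC 2759 section 9.2.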