[Samba] Running ntlm_auth on Domain member vs running it on DC

Gopal Raman graman at nilesecure.com
Wed Jan 22 18:07:36 UTC 2025


I've set up Samba as an AD DC on Ubuntu 22.04. My goal is to use it for
testing PEAP MSChapv2 authentication on a Radius server, where I want the
Radius server to validate the MSChapV2 Challenge-Response sent by the
client by talking to the Samba DC ecosystem. I'm using the ntlm_auth
program to talk to Samba and it works as expected when I run it on the DC
host in a bash shell like so:

ntlm_auth --allow-mschapv2 --request-nt-key --username=nileadmin \
    --challenge=eaea1458abf1a0b7 \
    --nt-response=8f9ab8760a15cd40f2686c5a4c7954922ed17fb9f4cad7b3

The above is OK for testing, but in practice I won't be able to run shell
commands on the DC (it could be a Windows server), so I have to run
ntlm_auth on a different host. So I added another Linux server as a domain
member and joined it to the domain. However, when I run the exact same
ntlm_auth on the member host, it gives the error below:

The attempted logon is invalid. This is either due to a bad username or
authentication information. (0xc000006d)

I did a Wireshark capture when I ran the above command and all I saw was a
DCERPC request from the member to the DC and a DCERPC response. Wireshark
says it's encrypted and I don't know how to get the key to decrypt it. I
also don't see any activity in the /var/log/samba/log.* files on the DC
when I run the ntlm_auth program. I've set the logging levels for smbd,
winbindd, and nmbd to 10 on the DC using smbcontrol.

My smb.conf file on the domain member is below. I can provide the smb.conf
on the AD DC on request if that helps.
[global]
        winbind separator = +
        winbind cache time = 10
        template shell = /bin/bash
        template homedir = /home/%D/%U
        idmap config * : range = 10000-20000
        workgroup = CN
        security = domain
        winbind use default domain = no
        realm = CN.LAN
        password server = *
        ntlm auth = mschapv2-and-ntlmv2-only
        winbind offline logon = false

[homes]
        comment = Home Directories
        browseable = no
        writable = yes

Would really appreciate any help. I'm reviewing the sources in the
source3/winbindd directory as we speak, but it's quite involved!
Gopal Raman
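An added example, not part of the post or of Samba, showing how a RADIUS-side wrapper on the member host could invoke the ntlm_auth command from the post and interpret its result without parsing free text by hand. It assumes ntlm_auth's --domain option (a real option, not used in the post), the NT_KEY/NT_STATUS output line format described in the docstrings, and a sample failure output constructed from the error text quoted above.

```python
import re
import subprocess
from dataclasses import dataclass
from typing import Optional

@dataclass
class NtlmAuthResult:
    ok: bool                # exit status 0 and an NT_KEY line were seen
    nt_key: Optional[str]   # hex NT key (MPPE key material) on success
    status: str             # NT_STATUS name and code from the final line

def build_ntlm_auth_argv(username, domain, challenge, nt_response):
    """Build the ntlm_auth command line from the post, passing the domain
    explicitly via ntlm_auth's --domain option rather than relying on the
    member's winbind defaults. MS-CHAPv2 uses an 8-byte challenge and a
    24-byte NT response, so the hex strings are length-checked first."""
    if len(challenge) != 16 or len(nt_response) != 48:
        raise ValueError("challenge must be 16 hex chars, nt-response 48")
    bytes.fromhex(challenge + nt_response)   # reject non-hex input early
    return ["ntlm_auth", "--allow-mschapv2", "--request-nt-key",
            f"--domain={domain}", f"--username={username}",
            f"--challenge={challenge}", f"--nt-response={nt_response}"]

NT_KEY_RE = re.compile(r"^NT_KEY:\s*([0-9A-Fa-f]+)\s*$", re.M)
STATUS_RE = re.compile(r"^(NT_STATUS_\w+):.*\((0x[0-9a-fA-F]+)\)\s*$", re.M)

def parse_ntlm_auth_output(stdout: str, returncode: int) -> NtlmAuthResult:
    """Classify ntlm_auth's stdout. Assumed format: success prints an NT_KEY
    line then 'NT_STATUS_OK: Success (0x0)'; a failure prints one
    'NT_STATUS_<NAME>: <text> (0x<code>)' line and exits non-zero."""
    key = NT_KEY_RE.search(stdout)
    status = STATUS_RE.search(stdout)
    status_text = f"{status.group(1)} {status.group(2)}" if status else "unknown"
    ok = returncode == 0 and key is not None
    return NtlmAuthResult(ok, key.group(1).lower() if ok else None, status_text)

def check_mschapv2(username, domain, challenge, nt_response, runner=subprocess.run):
    """Run ntlm_auth on this host (the domain member) and classify the result.
    `runner` is injectable so the logic can be exercised without winbindd."""
    argv = build_ntlm_auth_argv(username, domain, challenge, nt_response)
    proc = runner(argv, capture_output=True, text=True)
    return parse_ntlm_auth_output(proc.stdout, proc.returncode)

# Constructed sample modelled on the error text quoted in the post (not a capture).
SAMPLE_FAILURE = ("NT_STATUS_LOGON_FAILURE: The attempted logon is invalid. This is "
                  "either due to a bad username or authentication information. (0xc000006d)\n")
```

A RADIUS module would call check_mschapv2() with the peer's challenge and response and treat only ok=True as an accepted logon, keeping the status text for its own logs.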
