[Samba] Running ntlm_auth on Domain member vs running it on DC

Kees van Vloten keesvanvloten at gmail.com
Wed Jan 22 18:23:31 UTC 2025


Op 22-01-2025 om 19:07 schreef Gopal Raman via samba:
> I've set up Samba as an AD DC on Ubuntu 22.04. My goal is to use it for
> testing PEAP MSCHAPv2 authentication on a RADIUS server, where I want the
> RADIUS server to validate the MSCHAPv2 challenge-response sent by the
> client by talking to the Samba DC ecosystem. I'm using the ntlm_auth
> program to talk to Samba and it works as expected when I run it on the DC
> host in a bash shell like so:
> ntlm_auth --allow-mschapv2  --request-nt-key --username=nileadmin
> --challenge=eaea1458abf1a0b7
> --nt-response=8f9ab8760a15cd40f2686c5a4c7954922ed17fb9f4cad7b3
>
> The above is OK for testing, but in practice I won't be able to run shell
> commands on the DC (it could be a Windows server), so I have to run
> ntlm_auth on a different host. So I added another Linux server as a domain
> member and joined it to the domain. However, when I run the exact same
> ntlm_auth on the member host, it gives the error below:
> *The attempted logon is invalid. This is either due to a bad username or
> authentication information. (0xc000006d)*
> I did a Wireshark capture when I ran the above command and all I saw was a
> DCERPC request from the member to the DC and a DCERPC response. Wireshark
> says it's encrypted and I don't know how to get the key to decrypt it. I
> also don't see any activity in /var/log/samba/log.* files on the DC when I
> run the ntlm_auth program. I've set the logging levels for smbd,
> winbindd, and nmbd to 10 on the DC using smbcontrol.
> My smb.conf file on the domain member is below. I can provide the smb.conf
> on the AD DC on request if that helps.
> [global]
>          winbind separator = +
>          winbind cache time = 10
>          template shell = /bin/bash
>          template homedir = /home/%D/%U
>          idmap config * : range = 10000-20000
>          workgroup = CN
>          security = domain
>          winbind use default domain = no
>          realm = CN.LAN
>          password server = *
>          ntlm auth = mschapv2-and-ntlmv2-only
>          winbind offline logon = false
>
> [homes]
>          comment = Home Directories
>          browseable = no
>          writable = yes
>
> Would really appreciate any help. I'm reviewing sources in the source3/winbindd
> directory as we speak, but it's quite involved!
> Gopal Raman
I am running exactly that on an ordinary domain-joined Linux host
with winbind.
Here is my smb.conf:

[global]
         interfaces = lo
         bind interfaces only = yes
         netbios name = MYHOST
         dedicated keytab file = /etc/krb5.keytab
         realm = EXAMPLE.COM
         workgroup = EXAMPLE
         lock directory = /var/cache/samba
         idmap config example:backend = <type>   # Replace with your idmap settings
         idmap config example:unix_primary_group = yes
         idmap config example:unix_nss_info = yes
         idmap config *:backend = tdb
         idmap config *:range = 1000000-1999999
         winbind cache time = 300
         winbind offline logon = no
         winbind enum groups = no
         winbind enum users = no
         winbind nested groups = yes
         winbind expand groups = 10
         winbind normalize names = no
         winbind refresh tickets = yes
         winbind scan trusted domains = no
         winbind use default domain = yes
         kerberos method = secrets and keytab
         kerberos encryption types = strong
         rpc server dynamic port range = 50000-55000
         disable netbios = yes
         template homedir = /home/%U
         template shell = /bin/bash
         tls enabled = yes
         tls priority = NONE:+SECURE256:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3
         tls cafile = /etc/ssl/certs/ca.pem
         winbind request timeout = 10
         server role = member server


One thing I notice is that you are using:

         ntlm auth = mschapv2-and-ntlmv2-only

This setting should be present on the DC-servers, it is not required on 
the client.

- Kees
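How the RADIUS side arrives at the 8-byte --challenge value that the ntlm_auth command in the thread takes, as an added example that is not part of this thread or of Samba's code: the MS-CHAPv2 ChallengeHash from RFC 2759 section 8.2, assembly of the ntlm_auth argument list, and a parser for the NT_KEY line ntlm_auth prints on success (the line FreeRADIUS reads). The challenges and NT-Response in demo() are constructed sample values, and the optional --domain argument is an assumption about the call site, not something the thread uses.

```python
import hashlib
from typing import Optional


def mschapv2_challenge_hash(peer_challenge: bytes, authenticator_challenge: bytes,
                            username: str) -> bytes:
    """ChallengeHash() from RFC 2759 section 8.2: SHA-1 over PeerChallenge,
    AuthenticatorChallenge and the bare user name, truncated to 8 bytes.
    This is the value the RADIUS server passes to ntlm_auth as --challenge."""
    if len(peer_challenge) != 16 or len(authenticator_challenge) != 16:
        raise ValueError("MS-CHAPv2 challenges are 16 bytes each")
    data = peer_challenge + authenticator_challenge + username.encode("ascii")
    return hashlib.sha1(data).digest()[:8]


def build_ntlm_auth_argv(username: str, challenge: bytes, nt_response: bytes,
                         domain: Optional[str] = None) -> list:
    """Assemble the ntlm_auth command line used in the thread. nt_response is
    the 24-byte NT-Response field from the client's MS-CHAPv2 Response."""
    if len(challenge) != 8 or len(nt_response) != 24:
        raise ValueError("challenge must be 8 bytes and nt-response 24 bytes")
    argv = ["ntlm_auth", "--allow-mschapv2", "--request-nt-key",
            f"--username={username}",
            f"--challenge={challenge.hex()}",
            f"--nt-response={nt_response.hex()}"]
    if domain:  # --domain is an existing ntlm_auth option; optional here (assumption)
        argv.insert(3, f"--domain={domain}")
    return argv


def parse_ntlm_auth_output(output: str) -> Optional[bytes]:
    """Return the 16-byte NT key from a successful run, or None otherwise.
    On success ntlm_auth prints 'NT_KEY: <32 hex chars>'; on failure it prints
    the NT status text, e.g. the 0xc000006d message quoted in the thread."""
    for line in output.splitlines():
        if line.startswith("NT_KEY: "):
            return bytes.fromhex(line[len("NT_KEY: "):].strip())
    return None


def demo() -> list:
    """Constructed sample values (not a real session): two 16-byte challenges
    and an all-zero 24-byte NT-Response, for the user name from the thread."""
    peer = bytes(range(16))
    auth = bytes(range(16, 32))
    challenge = mschapv2_challenge_hash(peer, auth, "nileadmin")
    return build_ntlm_auth_argv("nileadmin", challenge, bytes(24))
```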