[Samba] Running ntlm_auth on Domain member vs running it on DC
Kees van Vloten
keesvanvloten at gmail.com
Wed Jan 22 18:23:31 UTC 2025
On 22-01-2025 at 19:07, Gopal Raman via samba wrote:
> I've setup Samba as an AD-DC on an Ubuntu 22.04. My goal is to use it for
> testing PEAP MSChapv2 authentication on a Radius server where I want the
> Radius server to validate the MSChapV2 Challenge-Response sent by the
> client by talking to the Samba DC ecosystem. I'm using the ntlm_auth
> program to talk to Samba and it works as expected when I run it on the DC
> host in a bash shell like so:
> ntlm_auth --allow-mschapv2 --request-nt-key --username=nileadmin --challenge=eaea1458abf1a0b7 --nt-response=8f9ab8760a15cd40f2686c5a4c7954922ed17fb9f4cad7b3
>
> The above is OK for testing, but in practice, I won't be able to run shell
> commands on the DC ( it could be a windows server ) so I have to run
> ntlm_auth on a different host. So I added another Linux server as a domain
> member and joined it to the domain. However, when I run the exact same
> ntlm_auth on the member host, it gives the error below
> The attempted logon is invalid. This is either due to a bad username or
> authentication information. (0xc000006d)
> I did a wireshark capture when I ran the above command and all I saw was a
> DCERPC request from the member to the DC and a DCERPC response. Wireshark
> says it's encrypted and I don't know how to get the key to decrypt it. I
> also don't see any activity in /var/log/samba/log.* files on the DC when I
> run the ntlm_auth program. I've set the logging levels for smbd,
> winbindd, and nmbd to 10 on the DC using smbcontrol.
> My smb.conf file on the Domain member is below. I can provide the smb.conf
> on the AD DC on request if that helps
> [global]
> winbind separator = +
> winbind cache time = 10
> template shell = /bin/bash
> template homedir = /home/%D/%U
> idmap config * : range = 10000-20000
> workgroup = CN
> security = domain
> winbind use default domain = no
> realm = CN.LAN
> password server = *
> ntlm auth = mschapv2-and-ntlmv2-only
> winbind offline logon = false
>
> [homes]
> comment = Home Directories
> browseable = no
> writable = yes
>
> Would really appreciate any help. I'm reviewing the sources in the source3/winbindd
> directory as we speak, but it's quite involved!
> Gopal Raman
I am running exactly that on an ordinary domain-joined Linux host
with winbind.
Here is my smb.conf:
[global]
interfaces = lo
bind interfaces only = yes
netbios name = MYHOST
dedicated keytab file = /etc/krb5.keytab
realm = EXAMPLE.COM
workgroup = EXAMPLE
lock directory = /var/cache/samba
idmap config example:backend = <type>   # Replace with your idmap settings
idmap config example:unix_primary_group = yes
idmap config example:unix_nss_info = yes
idmap config *:backend = tdb
idmap config *:range = 1000000-1999999
winbind cache time = 300
winbind offline logon = no
winbind enum groups = no
winbind enum users = no
winbind nested groups = yes
winbind expand groups = 10
winbind normalize names = no
winbind refresh tickets = yes
winbind scan trusted domains = no
winbind use default domain = yes
kerberos method = secrets and keytab
kerberos encryption types = strong
rpc server dynamic port range = 50000-55000
disable netbios = yes
template homedir = /home/%U
template shell = /bin/bash
tls enabled = yes
tls priority = NONE:+SECURE256:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3
tls cafile = /etc/ssl/certs/ca.pem
winbind request timeout = 10
server role = member server
One thing I notice is that you are using:
ntlm auth = mschapv2-and-ntlmv2-only
This setting should be present on the DC servers; it is not required on
the client.
- Kees
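As an added example that is not part of either message above: a small POSIX shell script that runs the same ntlm_auth MS-CHAPv2 validation a RADIUS server performs on a domain member, but only after checking that winbind on the member can actually talk to a DC. It assumes winbindd is running, that the host is joined, and that ntlm_auth, wbinfo and smbd are in PATH. The "check" subcommand, the use of `smbd -b` to locate the winbindd privileged socket directory, and the "OK"/"FAIL" parsing convention are this example's own assumptions, not Samba or FreeRADIUS conventions.

```shell
#!/bin/sh
# Added example (not from the thread): exercise ntlm_auth on a domain member
# the way a RADIUS server's MS-CHAPv2 module does, after verifying that winbind
# on the member is able to reach the DC.
# Assumptions: winbindd running, host joined, ntlm_auth/wbinfo/smbd in PATH.

# Print the winbindd privileged socket directory compiled into this Samba build
# (assumes `smbd -b` lists WINBINDD_PRIVILEGED_SOCKET_DIR, as Samba 4 does).
# ntlm_auth --request-nt-key must run as a user that can enter that directory
# (root, or a member of the group owning it), otherwise winbind refuses the key.
priv_socket_dir() {
  smbd -b 2>/dev/null | sed -n 's/^ *WINBINDD_PRIVILEGED_SOCKET_DIR: *//p'
}

# Sanity checks on the member before suspecting ntlm_auth itself:
#   wbinfo -p : winbindd answers on its pipe
#   wbinfo -t : the machine account trust secret is accepted by a DC
#   wbinfo -P : winbindd can reach a DC for our domain right now
check_member() {
  wbinfo -p >/dev/null || { echo "winbindd is not answering (wbinfo -p)"; return 1; }
  wbinfo -t >/dev/null || { echo "machine trust secret check failed (wbinfo -t)"; return 1; }
  wbinfo -P >/dev/null || { echo "cannot reach a DC (wbinfo -P)"; return 1; }
  dir=$(priv_socket_dir)
  if [ -n "$dir" ] && [ ! -x "$dir" ]; then
    echo "no access to $dir; run as root or add this user to the group owning it"
    return 1
  fi
  echo "member checks passed"
}

# Run the MS-CHAPv2 validation the RADIUS server will perform via winbind.
# $1 user, $2 domain, $3 8-byte challenge (hex), $4 24-byte NT-Response (hex)
mschapv2_auth() {
  ntlm_auth --allow-mschapv2 --request-nt-key \
    --username="$1" --domain="$2" \
    --challenge="$3" --nt-response="$4" 2>&1
}

# Interpret ntlm_auth's output: "NT_KEY: <hex>" on success, otherwise an
# NT_STATUS message with the code in parentheses, e.g. "(0xc000006d)".
# Prints "OK <nt_key>" or "FAIL <status>" and returns a matching exit status.
parse_ntlm_auth() {
  key=$(printf '%s\n' "$1" | sed -n 's/^NT_KEY: *\([0-9A-Fa-f]*\).*/\1/p' | head -n 1)
  if [ -n "$key" ]; then
    printf 'OK %s\n' "$key"
    return 0
  fi
  status=$(printf '%s\n' "$1" | sed -n 's/.*(\(0x[0-9A-Fa-f]*\)).*/\1/p' | head -n 1)
  printf 'FAIL %s\n' "${status:-unknown}"
  return 1
}

# Usage: ./ntlm_member_check.sh check USER DOMAIN CHALLENGE_HEX NTRESPONSE_HEX
if [ "${1:-}" = "check" ]; then
  check_member || exit 1
  parse_ntlm_auth "$(mschapv2_auth "$2" "$3" "$4" "$5")"
fi
```

Run it as the same Unix user the RADIUS daemon runs as, not as root, since the privileged-socket access check is usually what differs between an interactive root shell and the daemon. A 0xc000006d from ntlm_auth after all three wbinfo checks pass points at the credentials or the DC-side policy rather than at the member's winbind setup.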