[Samba] Running ntlm_auth on Domain member vs running it on DC

Rowland Penny rpenny at samba.org
Wed Jan 22 18:34:07 UTC 2025


On Wed, 22 Jan 2025 10:07:36 -0800
Gopal Raman via samba <samba at lists.samba.org> wrote:

> I've set up Samba as an AD-DC on an Ubuntu 22.04. My goal is to use it
> for testing PEAP MSChapv2 authentication on a Radius server, where I
> want the Radius server to validate the MSChapV2 Challenge-Response
> sent by the client by talking to the Samba DC ecosystem. I'm using
> the ntlm_auth program to talk to Samba and it works as expected when
> I run it on the DC host in a bash shell like so:
> ntlm_auth --allow-mschapv2  --request-nt-key --username=nileadmin
> --challenge=eaea1458abf1a0b7
> --nt-response=8f9ab8760a15cd40f2686c5a4c7954922ed17fb9f4cad7b3
> 
> The above is OK for testing, but in practice I won't be able to run
> shell commands on the DC (it could be a Windows server), so I have
> to run ntlm_auth on a different host. So I added another Linux server
> as a domain member and joined it to the domain. However, when I run
> the exact same ntlm_auth on the member host, it gives the error below:
> *The attempted logon is invalid. This is either due to a bad username
> or authentication information. (0xc000006d)*
> I did a Wireshark capture when I ran the above command and all I saw
> was a DCERPC request from the member to the DC and a DCERPC response.
> Wireshark says it's encrypted and I don't know how to get the key to
> decrypt it. I also don't see any activity in the /var/log/samba/log.*
> files on the DC when I run the ntlm_auth program. I've set the
> logging levels for smbd, winbindd, and nmbd to 10 on the DC
> using smbcontrol. My smb.conf file on the domain member is below. I
> can provide the smb.conf on the AD DC on request if that helps.
> [global]
>         winbind separator = +
>         winbind cache time = 10
>         template shell = /bin/bash
>         template homedir = /home/%D/%U
>         idmap config * : range = 10000-20000
>         workgroup = CN
>         security = domain
>         winbind use default domain = no
>         realm = CN.LAN
>         password server = *
>         ntlm auth = mschapv2-and-ntlmv2-only
>         winbind offline logon = false
> 

If you run your smb.conf through testparm, you get this:

Load smb config files from testconf
Loaded services file OK.
Weak crypto is allowed by GnuTLS (e.g. NTLM as a compatibility fallback)

'winbind separator = +' might cause problems with group membership.

Server role: ROLE_DOMAIN_MEMBER

# Global parameters
[global]
	ntlm auth = mschapv2-and-ntlmv2-only
	realm = CN.LAN
	security = DOMAIN
	template shell = /bin/bash
	winbind cache time = 10
	winbind separator = +
	workgroup = CN
	idmap config * : range = 10000-20000
	idmap config * : backend = tdb

For AD the 'security' line is wrong, it should be set to 'ADS', not
'DOMAIN'.

Your single 'idmap config' line has become two, but it should be at
least four, or use a different backend, I suggest you read this:

https://wiki.samba.org/index.php/Idmap_config_rid

Also, if you are using sssd, I would stop doing this.

Rowland
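A domain-member smb.conf that applies both corrections from the reply above, added here as an example and not taken from the thread or from the Samba project: 'security = ADS', and four 'idmap config' lines using the 'rid' backend for the domain as described on the linked wiki page. The domain name CN / CN.LAN is the poster's; the ID ranges are constructed and must not overlap each other or any local Unix accounts. 'winbind separator = +' is left out because testparm warned about it.

```ini
# Domain-member smb.conf (constructed example) for the AD domain CN / CN.LAN
[global]
        workgroup = CN
        realm = CN.LAN
        # 'ADS' is the role for an AD domain member; 'domain' is the NT4-style role
        security = ADS
        winbind use default domain = no
        template shell = /bin/bash
        template homedir = /home/%D/%U

        # Default range for BUILTIN and any domain not listed below (tdb allocates on demand)
        idmap config * : backend = tdb
        idmap config * : range = 3000-7999
        # Domain CN: Unix IDs are derived from the RID, so every member computes the same IDs
        idmap config CN : backend = rid
        idmap config CN : range = 10000-999999

        ntlm auth = mschapv2-and-ntlmv2-only
```

After changing the file, run testparm again: it should still report ROLE_DOMAIN_MEMBER, now with 'security = ADS' and all four idmap lines, and without the 'winbind separator' warning. Restart winbind before retrying ntlm_auth on the member.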