[Samba] Running ntlm_auth on Domain member vs running it on DC
Gopal Raman
graman at nilesecure.com
Wed Jan 22 22:14:55 UTC 2025
Hi
I tried the above smb.conf file but the behavior is exactly the same (I
picked reasonable values and restarted smbd and winbind).
testparm does not complain. After the member joins the domain, all the
commands below run without complaints:
net ads user
net ads lookup
wbinfo -t
/etc/samba/smb.conf
[global]
interfaces = 10.1.4.0/24
bind interfaces only = yes
netbios name = vm2
security = ads
dedicated keytab file = /etc/krb5.keytab
realm = CN.LAN
workgroup = CN
lock directory = /var/cache/samba
username map = /usr/local/samba/etc/user.map
idmap config cn : backend = rid
idmap config cn : range = 10000-999999
idmap config *:backend = tdb
idmap config *:range = 1000000-1999999
winbind cache time = 300
winbind offline logon = no
winbind enum groups = no
winbind enum users = no
winbind nested groups = yes
winbind expand groups = 10
winbind normalize names = no
winbind refresh tickets = yes
winbind use default domain = yes
kerberos method = secrets and keytab
kerberos encryption types = strong
rpc server dynamic port range = 50000-55000
disable netbios = yes
template homedir = /home/%U
template shell = /bin/bash
tls enabled = yes
tls priority = NONE:+SECURE256:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3
tls cafile = /etc/ssl/certs/ca.pem
winbind request timeout = 10
server role = member server
I join the domain using the command "net ads join -U Administrator". It did
not give me any errors. Also the output of 'net ads user' and 'net ads
lookup' seems good.
But when I run the command below on the member host, it says "The attempted
logon is invalid. This is either due to a bad username or authentication
information. (0xc000006d)".
I have debug level 5 set on both the DC and the member and it spits out a bunch
of debug output every time I run the ntlm_auth command. Since it works on the
DC, the only difference I could see in the debug output is that on the DC it
has these few additional lines. I do not see these lines on the member:
pm_process() returned Yes
interpret_interface: using netmask value 24 from config file on
interface ens16
added interface ens16 ip=10.1.4.74 bcast=10.1.4.255
netmask=255.255.255.0
lp_load_ex: refreshing parameters
ntlm_auth --allow-mschapv2 --request-nt-key --username=nileadmin
--challenge=eaea1458abf1a0b7
--nt-response=8f9ab8760a15cd40f2686c5a4c7954922ed17fb9f4cad7b3
INFO: Current debug levels:
all: 5
tdb: 5
printdrivers: 5
lanman: 5
smb: 5
rpc_parse: 5
rpc_srv: 5
rpc_cli: 5
passdb: 5
sam: 5
auth: 5
winbind: 5
vfs: 5
idmap: 5
quota: 5
acls: 5
locking: 5
msdfs: 5
dmapi: 5
registry: 5
scavenger: 5
dns: 5
ldb: 5
tevent: 5
auth_audit: 5
auth_json_audit: 5
kerberos: 5
drs_repl: 5
doing parameter security = ads
doing parameter dedicated keytab file = /etc/krb5.keytab
doing parameter realm = CN.LAN
doing parameter workgroup = CN
doing parameter lock directory = /var/cache/samba
doing parameter username map = /usr/local/samba/etc/user.map
doing parameter idmap config cn : backend = rid
doing parameter idmap config cn : range = 10000-999999
doing parameter idmap config *:backend = tdb
doing parameter idmap config *:range = 1000000-1999999
doing parameter winbind cache time = 300
doing parameter winbind offline logon = no
doing parameter winbind enum groups = no
doing parameter winbind enum users = no
doing parameter winbind nested groups = yes
doing parameter winbind expand groups = 10
doing parameter winbind normalize names = no
doing parameter winbind refresh tickets = yes
doing parameter winbind use default domain = yes
doing parameter kerberos method = secrets and keytab
doing parameter kerberos encryption types = strong
doing parameter rpc server dynamic port range = 50000-55000
doing parameter disable netbios = yes
doing parameter template homedir = /home/%U
doing parameter template shell = /bin/bash
doing parameter winbind request timeout = 10
doing parameter server role = member server
pm_process() returned Yes
The attempted logon is invalid. This is either due to a bad username or
authentication information. (0xc000006d)
On Wed, Jan 22, 2025 at 10:23 AM Kees van Vloten via samba <samba at lists.samba.org> wrote:
>
> On 22-01-2025 at 19:07, Gopal Raman via samba wrote:
> > I've setup Samba as an AD-DC on an Ubuntu 22.04. My goal is to use it for
> > testing PEAP MSChapv2 authentication on a Radius server where I want the
> > Radius server to validate the MSChapV2 Challenge-Response sent by the
> > client by talking to the Samba DC ecosystem. I'm using the ntlm_auth
> > program to talk to Samba and it works as expected when I run it on the DC
> > host in a bash shell like so:
> > ntlm_auth --allow-mschapv2 --request-nt-key --username=nileadmin
> > --challenge=eaea1458abf1a0b7
> > --nt-response=8f9ab8760a15cd40f2686c5a4c7954922ed17fb9f4cad7b3
> >
> > The above is OK for testing, but in practice, I won't be able to run
> > shell commands on the DC (it could be a Windows server) so I have to run
> > ntlm_auth on a different host. So I added another Linux server as a
> > domain member and joined it to the domain. However, when I run the exact
> > same ntlm_auth on the member host, it gives the error below
> > *The attempted logon is invalid. This is either due to a bad username or
> > authentication information. (0xc000006d)*
> > I did a wireshark capture when I ran the above command and all I saw was
> > a DCERPC request from the member to the DC and a DCERPC response. Wireshark
> > says it's encrypted and I don't know how to get the key to decrypt it. I
> > also don't see any activity in /var/log/samba/log.* files on the DC when
> > I run the ntlm_auth program. I've set the logging levels to 10 for smbd,
> > winbindd, and nmbd on the DC using smbcontrol.
> > My smb.conf file on the Domain member is below. I can provide the
> > smb.conf on the AD DC on request if that helps
> > [global]
> > winbind separator = +
> > winbind cache time = 10
> > template shell = /bin/bash
> > template homedir = /home/%D/%U
> > idmap config * : range = 10000-20000
> > workgroup = CN
> > security = domain
> > winbind use default domain = no
> > realm = CN.LAN
> > password server = *
> > ntlm auth = mschapv2-and-ntlmv2-only
> > winbind offline logon = false
> >
> > [homes]
> > comment = Home Directories
> > browseable = no
> > writable = yes
> >
> > Would really appreciate any help. I'm reviewing sources in the
> > source3/winbindd directory as we speak but it's quite involved!
> > Gopal Raman
> I am running exactly that on an ordinary domain-joined Linux host
> with winbind.
> Here is my smb.conf:
>
> [global]
> interfaces = lo
> bind interfaces only = yes
> netbios name = MYHOST
> dedicated keytab file = /etc/krb5.keytab
> realm = EXAMPLE.COM
> workgroup = EXAMPLE
> lock directory = /var/cache/samba
> idmap config example:backend = <type> # Replace with your idmap settings
> idmap config example:unix_primary_group = yes
> idmap config example:unix_nss_info = yes
> idmap config *:backend = tdb
> idmap config *:range = 1000000-1999999
> winbind cache time = 300
> winbind offline logon = no
> winbind enum groups = no
> winbind enum users = no
> winbind nested groups = yes
> winbind expand groups = 10
> winbind normalize names = no
> winbind refresh tickets = yes
> winbind scan trusted domains = no
> winbind use default domain = yes
> kerberos method = secrets and keytab
> kerberos encryption types = strong
> rpc server dynamic port range = 50000-55000
> disable netbios = yes
> template homedir = /home/%U
> template shell = /bin/bash
> tls enabled = yes
> tls priority = NONE:+SECURE256:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3
> tls cafile = /etc/ssl/certs/ca.pem
> winbind request timeout = 10
> server role = member server
>
>
> One thing I notice is that you are using:
>
> ntlm auth = mschapv2-and-ntlmv2-only
>
> This setting should be present on the DC-servers, it is not required on
> the client.
>
> - Kees
>
>
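As an added example (not code from this thread, Samba or FreeRADIUS), a small POSIX sh wrapper that calls ntlm_auth the way a RADIUS server's MS-CHAPv2 helper does, checks the hex lengths of the 8-byte challenge and 24-byte NT response before calling, and parses the result into either the NT_KEY or the NTSTATUS code such as the 0xc000006d seen on the member. The function names, the --domain argument and the 2>&1 capture are my assumptions; it expects ntlm_auth on PATH and a running winbindd on the host.

```shell
#!/bin/sh
# Added example: wrap ntlm_auth for an MS-CHAPv2 check and parse its output.
# Assumes ntlm_auth is on PATH and winbindd is running on this host.

# hex_len_ok HEX BYTES: succeed only if HEX is hex and exactly BYTES long.
# MS-CHAPv2 needs an 8-byte challenge and a 24-byte NT response.
hex_len_ok() {
    case "$1" in
        *[!0-9a-fA-F]*|'') return 1 ;;
    esac
    [ "${#1}" -eq $(( $2 * 2 )) ]
}

# parse_ntlm_auth_output TEXT: on success print the NT_KEY hex and return 0;
# on a logon failure print the NTSTATUS code (e.g. 0xc000006d) and return 1;
# return 2 if the output matches neither shape.
parse_ntlm_auth_output() {
    out=$1
    key=$(printf '%s\n' "$out" | sed -n 's/^NT_KEY: *\([0-9A-Fa-f]*\).*/\1/p' | head -n1)
    if [ -n "$key" ]; then
        printf '%s\n' "$key"
        return 0
    fi
    code=$(printf '%s\n' "$out" | sed -n 's/.*(\(0x[0-9a-fA-F]\{8\}\)).*/\1/p' | head -n1)
    if [ -n "$code" ]; then
        printf '%s\n' "$code"
        return 1
    fi
    return 2
}

# check_mschapv2 USER DOMAIN CHALLENGE_HEX NT_RESPONSE_HEX
# Length errors return 3 before ntlm_auth is ever run, so a malformed
# RADIUS attribute is reported separately from a winbind logon failure.
check_mschapv2() {
    hex_len_ok "$3" 8  || { echo "bad challenge length" >&2; return 3; }
    hex_len_ok "$4" 24 || { echo "bad nt-response length" >&2; return 3; }
    out=$(ntlm_auth --allow-mschapv2 --request-nt-key \
          --username="$1" --domain="$2" \
          --challenge="$3" --nt-response="$4" 2>&1)
    parse_ntlm_auth_output "$out"
}
```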