[Samba] Authenticating a user on domain member
Gopal Raman
graman at nilesecure.com
Sat Jan 25 15:27:00 UTC 2025
Hi Rowland
Finally, my DC and domain member are in a good state and I was able to
authenticate a user using the ntlm_auth program that I ran on the member
host. I will describe the solution first because it may be helpful for
others. I've also put down a couple of things that still perplex me (room
for improvement perhaps).
I'm running a radius server on a Ubuntu host (named RadSrv) and it needs to
authenticate users that use the MSChapV2 challenge-response protocol (PEAP).
The DC has the user database (including the user password hash). Since we
don't want to store any user info on the RadSrv domain member, the idea is
to use the samba ntlm_auth command line utility to pass the username,
challenge, and NT-Response to the DC and get back the NT-KEY (which is the
hash of the UTF-16 encoded user password). I'm using Samba-4 (I cloned the
samba Git repo and ran the compile and install steps). I used the smb.conf
that you shared with me (Thank you!) on the member. On the DC I used a
simpler one. Both are attached. Here are my main points:
1 I used samba-tool to provision the DC and to join the member. Earlier, I
was using commands like 'net ads join' and 'realmd join', and it's possible
these no longer do the right thing in Samba-4?
On DC : samba-tool domain provision --use-rfc2307 --interactive
--option="interfaces=ens16" --option="bind interfaces only=yes"
On Member (RadSrv) : samba-tool domain join cn.lan MEMBER -s
/usr/local/samba/etc/smb.conf -U Administrator
2 Verify that the member is joined using "net ads -P status" and
"samba-tool domain info -P dc1.cn.lan"
3 Finally, the most important part is to pass the "--domain=cn.lan" option
to ntlm_auth. Without this, winbindd complains that the username is not
found. This was the breakthrough that makes ntlm_auth work.
ntlm_auth --allow-mschapv2 --domain=cn.lan --request-nt-key
--username=nileadmin --challenge=eaea1458abf1a0b7
--nt-response=8f9ab8760a15cd40f2686c5a4c7954922ed17fb9f4cad7b3
GOTCHAS
1 I had a simple smb.conf on the DC but testparm would always report that
it was a "ROLE_DOMAIN_MEMBER" instead of "ROLE_ACTIVE_DIRECTORY_DC".
Finally, I had to delete the smb.conf and run 'samba-tool domain
provision'. This produced a smb.conf that finally gave the correct role.
I've attached it as NON_WORKING_smb.conf
2 Why can't winbindd figure out the domain instead of having to pass it in
explicitly? This is not documented anywhere. Maybe it's a samba4
requirement.
Help much appreciated,
Sincerely
Gopal Raman
On Fri, Jan 24, 2025 at 12:56 AM Rowland Penny via samba <samba at lists.samba.org> wrote:
> On Thu, 23 Jan 2025 16:14:43 -0800
> Gopal Raman via samba <samba at lists.samba.org> wrote:
>
> > Hi
> > I have a Samba AD-DC (on ubuntu) and I've created a user on the DC
> > called nileadmin.
> > On the DC, 'pdbedit -w nileadmin' finds the entry and returns
> >
> nileadmin:4294967295:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:6590718693B2E602D30F67B848E08AE9:[U
> > ]:LCT-678A9897:
> >
> > I've joined a member (also a ubuntu host running samba) to the
> > domain. The join is successful. But when I run the pdbedit command on
> > the member it says "Username not found!"
> > Also on the member, pdbedit -L returns no output
> >
>
> First, can I suggest you stop using the old tools written for Samba 3,
> use the Linux tools and samba-tool, for instance, does 'getent passwd
> nileadmin' produce output and if so, what?
>
> After your last post, I attempted to get this working in my domain and
> succeeded.
>
> Try this smb.conf:
>
> [global]
> workgroup = CN
> security = ADS
> realm = CN.LAN
>
> dedicated keytab file = /etc/krb5.keytab
> sync machine password to keytab =
> /etc/krb5.keytab:sync_spns:sync_kvno:machine_password
> server string = Samba Client %h
>
> winbind use default domain = yes
> winbind expand groups = 2
> winbind refresh tickets = Yes
> winbind offline logon = yes
> winbind request timeout = 10
> disable netbios = yes
> ntlm auth = mschapv2-and-ntlmv2-only
>
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
> idmap config CN : backend = rid
> idmap config CN : range = 10000-999999
> template shell = /bin/bash
> template homedir = /home/%U
>
> vfs objects = acl_xattr
> map acl inherit = Yes
>
> # Comment the following 4 lines to act as a print server
> printcap name = /dev/null
> load printers = no
> disable spoolss = yes
> printing = bsd
>
> # logging
> log level = 1
> log file = /var/log/samba/%m.log
> logging = file
>
> Add 'ntlm auth = mschapv2-and-ntlmv2-only' to the smb.conf file of your
> Samba AD DC.
>
> Comment out 'winbind_domain = "%{mschap:NT-Domain}"' in
> /etc/freeradius/3.0/mods-available/mschap
>
> Add the freeradius user 'freerad' to the 'winbindd_priv' group:
>
> sudo usermod -a -G winbindd_priv freerad
>
> Then test with:
>
> radtest -t mschap nileadmin <nileadmins password> localhost 0 testing123
>
> You should see 'Access-Accept' in the output.
>
> Rowland
>
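The hand-off Gopal describes above (the RADIUS server derives the 8-byte challenge from the MS-CHAPv2 peer and authenticator challenges, forwards it with the client's NT-Response to ntlm_auth with an explicit --domain, and reads the NT key back) as an added Python example; it is not code from the thread, from Samba or from FreeRADIUS. It does not execute ntlm_auth: it builds the argument vector and parses the output a wrapper would receive, and the sample output is constructed.

```python
import hashlib
import re


def mschapv2_challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: str) -> bytes:
    """RFC 2759 ChallengeHash(): the first 8 bytes of
    SHA1(PeerChallenge || AuthenticatorChallenge || UserName).
    UserName is the bare user name, without any 'DOMAIN\\' prefix."""
    if len(peer_challenge) != 16 or len(auth_challenge) != 16:
        raise ValueError("MS-CHAPv2 peer and authenticator challenges are 16 bytes each")
    user = username.split("\\")[-1].encode("utf-8")
    return hashlib.sha1(peer_challenge + auth_challenge + user).digest()[:8]


def build_ntlm_auth_argv(domain: str, username: str, challenge: bytes, nt_response: bytes) -> list:
    """Argument vector for the ntlm_auth call quoted in the thread.  The
    8-byte challenge is the ChallengeHash above; the 24-byte NT-Response is
    taken from the client's MS-CHAP2-Response attribute.  --domain is passed
    explicitly, which is the detail that made the call work in the thread."""
    if len(challenge) != 8:
        raise ValueError("ntlm_auth --challenge must be 8 bytes (16 hex digits)")
    if len(nt_response) != 24:
        raise ValueError("ntlm_auth --nt-response must be 24 bytes (48 hex digits)")
    return [
        "ntlm_auth", "--allow-mschapv2", f"--domain={domain}", "--request-nt-key",
        f"--username={username}",
        f"--challenge={challenge.hex()}",
        f"--nt-response={nt_response.hex()}",
    ]


_NT_KEY_RE = re.compile(r"^NT_KEY:\s*([0-9A-Fa-f]{32})\s*$", re.MULTILINE)


def parse_nt_key(stdout: str, returncode: int):
    """Return the 16-byte NT key when the DC accepted the response, else None.
    On success ntlm_auth --request-nt-key prints 'NT_KEY: <32 hex digits>' and
    exits 0; on a logon failure it exits non-zero with no NT_KEY line.  The
    RADIUS server needs this key (the NT hash of the password, never the
    password itself) to build the MS-CHAP2-Success authenticator response."""
    if returncode != 0:
        return None
    m = _NT_KEY_RE.search(stdout)
    return bytes.fromhex(m.group(1)) if m else None


# Constructed sample of a successful ntlm_auth run; the key value is a placeholder.
SAMPLE_STDOUT = "NT_KEY: 00112233445566778899AABBCCDDEEFF\n"
```

The first assertion in the test uses the RFC 2759 section 9.2 test vector, so the ChallengeHash step can be checked without a DC.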