[Samba] Authenticating a user on domain member
Rowland Penny
rpenny at samba.org
Sat Jan 25 17:05:47 UTC 2025
On Sat, 25 Jan 2025 07:27:00 -0800
Gopal Raman <graman at nilesecure.com> wrote:
> Hi Rowland
> Finally, my DC and domain member are in a good state and I was able to
> authenticate a user using the ntlm_auth program that I ran on the
> member host. I will
> describe the solution first because it may be helpful for others.
> I've also put down a couple of things that still perplex me (room for
> improvement perhaps).
> I'm running a radius server on an Ubuntu host (named RadSrv) and it
> needs to authenticate users that use the MSChapV2 challenge-response
> protocol (PEAP). The DC has the user database (including the user
> password hash).
It is a bit more complicated than that, but that is the gist of it.
> Since we don't want to store any user info on the
> RadSrv domain member, the idea is to
> use the samba ntlm_auth command line utility to pass the username,
> challenge, and NT-Response to the DC and get back the NT-KEY (which
> is the hashhash
Good luck with that, while the DC is the main source of authentication,
each domain member caches usernames etc.
> of the UTF-16 encoded user password). I'm using Samba-4 (I cloned the
> samba Git repo and ran the compile and install steps).
Why? You can find the latest Samba packages here:
http://www.corpit.ru/mjt/packages/samba/
> I used the
> smb.conf that you
> shared with me (Thank you !) on the member. On the DC I used a
> simpler one. Both are attached. Here are my main points:
> 1 I used samba-tool to provision the DC and to join the member.
> Earlier, I was using commands like 'net ads join' and 'realmd join'.
> It's possible these no longer do the
> right thing in Samba-4?
The problem is that there are three identity sources in play here:
1) Active Directory SIDs stored in AD.
2) idmapping stored in idmap.ldb on a Samba DC.
3) The idmapping carried out on a Unix domain member.
All Windows clients will use '1'.
All Samba AD DCs will use '2' and will use IDs in the '3000000' range
unless you add rfc2307 attributes to AD.
All Unix domain members use some form of idmapping and the smb.conf
must be set up correctly and the computer joined to the domain. To join
the domain you should use either 'net ads join' or 'samba-tool domain
join MEMBER', 'realmd' is not a Samba tool and, in my opinion, should
not be used to join Samba to an AD domain.
> On DC : samba-tool domain provision --use-rfc2307 --interactive
> --option="interfaces=ens16" --option="bind interfaces only=yes"
That is one of the correct ways to provision a new AD domain, but you
only really need to use '--use-rfc2307' if you require the ldif
framework for the old IDMU.
> On Member (RadSrv) : samba-tool domain join cn.lan MEMBER -s
> /usr/local/samba/etc/smb.conf -U Administrator
That is just a wrapper around 'net ads join'.
> 2 Verify that the member is joined using "net ads -P status" and
> "samba-tool domain info -P dc1.cn.lan"
An even easier method is to use 'net ads testjoin'
> 3 Finally, the most important part is to pass the "--domain=cn.lan"
> option to ntlm_auth. Without this, winbindd complains that username
> is not found. This was the
> breakthrough that makes ntlm_auth work.
> ntlm_auth --allow-mschapv2 --domain=cn.lan --request-nt-key
> --username=nileadmin --challenge=eaea1458abf1a0b7
> --nt-response=8f9ab8760a15cd40f2686c5a4c7954922ed17fb9f4cad7b3
I know little about ntlm_auth, but, from its manpage, it appears that
'--domain=' should point to the NetBIOS domain; you appear to be using
the DNS domain. Also, where did you get the challenge & nt-response
hashes from? Because your command (with my username and domain) doesn't
work for me, but:
ntlm_auth --allow-mschapv2 --domain=SAMDOM --request-nt-key --username=rowland
Password:
: (0x0)
Appears to work, and using radtest (which appears to be the recommended
way of testing) produces this:
radtest -t mschap username password localhost 0 testing123
Sent Access-Request Id 139 from 0.0.0.0:44935 to 127.0.0.1:1812 length 133
User-Name = "rowland"
MS-CHAP-Password = "password"
NAS-IP-Address = 127.0.1.1
NAS-Port = 0
Message-Authenticator = 0x00
Cleartext-Password = "password"
MS-CHAP-Challenge = 0x995920c44bd2d787
MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000ef9e5abe08134444c73a2e1750fb98844692fcb9c98e1549
Received Access-Accept Id 139 from 127.0.0.1:1812 to 127.0.0.1:44935 length 84
MS-CHAP-MPPE-Keys = 0x000000000000000024edc132c850f56682bbaf790571d388
MS-MPPE-Encryption-Policy = Encryption-Allowed
MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
> GOTCHAS
> 1 I had a simple smb.conf on the DC but testparm would always report
> that it was a "ROLE_DOMAIN_MEMBER" instead of
> "ROLE_ACTIVE_DIRECTORY_DC".
How did the 'simple' smb.conf get there?
> Finally, I had to delete the
> smb.conf and run 'samba-tool domain provision'. This produced a
> smb.conf that finally gave the correct role.
That is the documented way of provisioning a new Samba AD domain.
> I've attached it as
> NON_WORKING_smb.conf
I received it, I doubt others did, but it seems someone added half a
Unix domain member smb.conf and in doing so, broke it.
> 2 Why can't winbindd figure out the domain instead of having to pass
> it in explicitly? This is not documented anywhere. Maybe it's a
> samba4 requirement.
Not sure what you mean by that, 'wbinfo' is a way to connect to
winbindd and 'wbinfo --own-domain' should display the NetBIOS domain on
a Unix domain member.
Rowland
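A small wrapper around the ntlm_auth invocation discussed in this thread, added here as an example (it is not Samba code and not from either poster). It assumes that ntlm_auth prints a line of the form "NT_KEY: <hex>" when --request-nt-key succeeds, that the "<text>: (0x...)" status line shown above is printed on every run, and that wbinfo --own-domain prints the NetBIOS domain as Rowland describes; the NetBIOS name "CN" used in the comments is an assumption, since the thread only shows the DNS domain cn.lan.

```python
import re
import subprocess

# Assumed output lines (verify against your own Samba build): a status line
# like ": (0x0)" or "NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)",
# and, on success with --request-nt-key, "NT_KEY: <32 hex chars>".
_NT_KEY_RE = re.compile(r"^NT_KEY:\s*([0-9A-Fa-f]{32})\s*$", re.MULTILINE)
_STATUS_RE = re.compile(r"\((0x[0-9A-Fa-f]+)\)\s*$", re.MULTILINE)


def own_netbios_domain():
    """Ask winbindd for the NetBIOS domain (wbinfo --own-domain), e.g. 'CN'."""
    out = subprocess.run(["wbinfo", "--own-domain"], capture_output=True,
                         text=True, check=True).stdout
    return out.strip()


def build_ntlm_auth_argv(netbios_domain, username, challenge_hex, nt_response_hex):
    """Assemble the ntlm_auth command from the thread as an argv list.

    The challenge must be 8 bytes and the NT-Response 24 bytes of hex;
    anything else is rejected before ntlm_auth sees it.  Building an argv
    list (never a shell string) means a RADIUS-supplied username cannot be
    interpreted by a shell.  The username check rejects characters that are
    invalid in a sAMAccountName.
    """
    if not re.fullmatch(r"[0-9A-Fa-f]{16}", challenge_hex):
        raise ValueError("challenge must be 8 bytes of hex")
    if not re.fullmatch(r"[0-9A-Fa-f]{48}", nt_response_hex):
        raise ValueError("NT-Response must be 24 bytes of hex")
    if not re.fullmatch(r'[^\x00-\x1f"/\\\[\]:;|=,+*?<>]{1,104}', username):
        raise ValueError("invalid username")
    return ["ntlm_auth", "--allow-mschapv2", f"--domain={netbios_domain}",
            "--request-nt-key", f"--username={username}",
            f"--challenge={challenge_hex}", f"--nt-response={nt_response_hex}"]


def parse_ntlm_auth_output(stdout, returncode):
    """Return (accepted, nt_status_int_or_None, nt_key_hex_or_None)."""
    m = _STATUS_RE.search(stdout)
    status = int(m.group(1), 16) if m else None
    accepted = returncode == 0 and status == 0
    k = _NT_KEY_RE.search(stdout)
    return accepted, status, (k.group(1).upper() if accepted and k else None)


def check_mschapv2(username, challenge_hex, nt_response_hex):
    """Full check: NetBIOS domain from winbindd, run ntlm_auth, parse verdict."""
    argv = build_ntlm_auth_argv(own_netbios_domain(), username,
                                challenge_hex, nt_response_hex)
    proc = subprocess.run(argv, capture_output=True, text=True)
    return parse_ntlm_auth_output(proc.stdout, proc.returncode)
```

Only the returned NT_KEY is handed back to the RADIUS server (for MPPE key derivation); the wrapper never sees or stores the user's password or NT hash.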