Re: [Samba] question about ntlm




1) Does the user you are running wbinfo with have access to the winbind_privileged folder?
2) Does running "wbinfo --ntlmv2 -a 'DOMAIN\sometestuser'" change the response you get?

On 15/02/2017 12:24, L.P.H. van Belle via samba wrote:
Hai,

Since I'm still having problems reading the man smb.conf about the NTLM settings, I'm asking here.

How do I allow NTLM auth for my proxy?

I have been playing around with:

         client NTLMv2 auth
         raw NTLMv2 auth
         ntlm auth
         lanman auth

I've added the proxy user to the winbind_privileged group and did set the needed rights:

chgrp winbindd_priv /var/lib/samba/winbindd_privileged/
adduser proxy winbindd_priv

I'm trying to keep as much as possible to the default settings.

I'm testing the following:

ntlm_auth --request-nt-key --username=someTestUser
ntlm_auth --request-lm-key --username=someTestUser
ntlm_auth --username=someTestUser --ntlmv2
ntlm_auth --username=someTestUser --lanman
ntlm_auth --username=someTestUser --krb5auth=someTestUser
ntlm_auth --diagnostics --username=someTestUser
wbinfo -a someTestUser
wbinfo --krb5auth=someTestUser
wbinfo --krb5auth='NTDOM\someTestUser'
wbinfo --krb5auth='someTestUser@INTERNAL.DOMAIN.TLD'

Situation:

Samba AD DC 4.5.3

Config (left out the shares, the question is about auth):

[global]
         workgroup = NTDOM
         realm = INTERNAL.DOMAIN.TLD
         netbios name = DC1
         server role = active directory domain controller
         server services = -dns
         interfaces = 192.168.0.1 127.0.0.1
         bind interfaces only = yes
         time server = yes
         idmap_ldb:use rfc2307 = yes
         winbind nss info = rfc2307
         winbind expand groups = 4
         template shell = /bin/bash
         template homedir = /home/users/%U
         tls enabled = yes

My client setup:

Samba member 4.5.5 (and testing 4.5.3 also)

[global]
     workgroup = NTDOM
     security = ads
     realm = INTERNAL.DOMAIN.TLD
     netbios name = PROXY2
     preferred master = no
     domain master = no
     host msdfs = no
     interfaces = 192.168.0.2 127.0.0.1
     bind interfaces only = yes
     dns proxy = yes
     tls enabled = yes
     idmap config *:backend = tdb
     idmap config *:range = 2000-9999
     idmap config NTDOM : backend = ad
     idmap config NTDOM : schema_mode = rfc2307
     idmap config NTDOM : range = 10000-3999999
     dedicated keytab file = /etc/krb5.keytab
     kerberos method = secrets and keytab
     winbind refresh tickets = yes
     winbind nss info = rfc2307
     winbind trusted domains only = no
     winbind offline logon = yes
     winbind expand groups = 4

Now I'm asking, where do we set what to make this work?

When I set in my proxy smb.conf

     lanman auth = yes
     raw NTLMv2 auth = yes
     ntlm auth = yes

I'm getting the same results as with the above but = no,

and I'm testing:

wbinfo -a "NTDOM\someTestUser"
Enter NTDOM\someTestUser's password:
plaintext password authentication succeeded
Enter NTDOM\someTestUser's password:
challenge/response password authentication failed
wbcAuthenticateUserEx(NTDOM\someTestUser): error code was NT_STATUS_WRONG_PASSWORD (0xc000006a)
error message was: Wrong Password
Could not authenticate user NTDOM\someTestUser with challenge/response

And the same result for: wbinfo -a someTestUser@xxxxxxxxxxxxxxxxxxx

If a default setting is like: client plaintext auth = no

why do I get: plaintext password authentication succeeded

What is missing in my setup? Or do I have to set up a less secure AD DC to make this work?

I'm still having a hard time figuring out if a setting is AD DC or member only, and man smb.conf isn't telling me what I need to know.

So I don't get it.  :-((  Help :-))

Any assistance here is very welcome.  ;-)

Greetz,

Louis


--
Vinicius Silva
SOC

BRA: + 55 51 2117.1000 | 55 11 5521.2021
USA: + 1 888 259.5801
skype: vinicius.bones.silva

www.e-trust.com.br

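Added here as an example, not code from the thread or from Samba: a POSIX shell script that turns the two checks suggested in the reply into something repeatable. It checks that the calling account is in the group owning the privileged winbindd pipe directory and that the directory's mode lets that group in, then runs the same login with `--ntlmv2` and classifies the output the way the quoted session reads (plaintext succeeded, challenge/response failed). The directory and group names are taken from the quoted message (/var/lib/samba/winbindd_privileged, winbindd_priv) and can be overridden with PRIV_DIR/PRIV_GROUP; `stat -c` is GNU coreutils (Linux); the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): scripts the two checks from the reply.
# Run it as the account the proxy uses, e.g.:  sudo -u proxy sh wbcheck.sh 'NTDOM\someTestUser'
# Assumed names (from the quoted message; verify on your host):
PRIV_DIR=${PRIV_DIR:-/var/lib/samba/winbindd_privileged}
PRIV_GROUP=${PRIV_GROUP:-winbindd_priv}

# user_in_group "GROUPS" NAME: GROUPS is the space-separated list printed by
# `id -nG USER`; succeeds when NAME is one of them.
user_in_group() {
    for g in $1; do
        [ "$g" = "$2" ] && return 0
    done
    return 1
}

# dir_access_ok "GROUP MODE": the two fields printed by `stat -c '%G %a' DIR`.
# The directory must belong to PRIV_GROUP and give that group r-x (winbindd
# creates it 0750); challenge/response requests are only served on the
# privileged pipe inside it, so a caller who cannot enter the directory
# cannot do NTLM challenge/response at all.
dir_access_ok() {
    set -- $1
    [ "$1" = "$PRIV_GROUP" ] || return 1
    # group bits are the second-to-last octal digit (handles 750 and 2750 alike)
    case "$(printf '%s' "$2" | sed 's/^.*\(.\).$/\1/')" in
        5|7) return 0 ;;
        *)   return 1 ;;
    esac
}

# classify_wbinfo: reads `wbinfo -a` output on stdin and prints one word:
#   ok        plaintext and challenge/response both succeeded
#   chal_fail plaintext succeeded but challenge/response failed (the thread's
#             case: the DC accepted the password, so look at the NTLM flavour
#             and the ntlm/lanman auth settings rather than the credentials)
#   fail      plaintext failed too (credentials, account, or trust problem)
classify_wbinfo() {
    out=$(cat)
    case "$out" in
        *"plaintext password authentication succeeded"*"challenge/response password authentication succeeded"*)
            echo ok ;;
        *"plaintext password authentication succeeded"*"challenge/response password authentication failed"*)
            echo chal_fail ;;
        *)
            echo fail ;;
    esac
}

# run_checks 'DOMAIN\user': gather the live facts and apply the checks above.
# Pass 'DOMAIN\user%password' to skip the two interactive password prompts.
run_checks() {
    me=$(id -un)
    if user_in_group "$(id -nG "$me")" "$PRIV_GROUP"; then
        echo "ok:  $me is a member of $PRIV_GROUP"
    else
        echo "fix: adduser $me $PRIV_GROUP  (log in again afterwards)"
    fi
    if dir_access_ok "$(stat -c '%G %a' "$PRIV_DIR")"; then
        echo "ok:  $PRIV_DIR is accessible to $PRIV_GROUP"
    else
        echo "fix: chgrp $PRIV_GROUP $PRIV_DIR && chmod 750 $PRIV_DIR"
    fi
    # The reply's second check: the same login, but forcing NTLMv2.
    out=$(wbinfo --ntlmv2 -a "$1" 2>&1)
    printf '%s\n' "$out"
    echo "ntlmv2 result: $(printf '%s\n' "$out" | classify_wbinfo)"
}

# Only run when invoked with a user argument, so the functions can also be sourced.
if [ -n "${1:-}" ]; then
    run_checks "$1"
fi
```

If the first two checks print "ok" and the classification is still chal_fail, the privileged pipe is not the problem and the remaining suspects are the NTLM flavour the client sends versus what the DC's ntlm auth / lanman auth settings accept, which is exactly the comparison the reply asks for.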