Re: [Samba] freeradius + NTLM + samba AD 4.5.x
- Date: Tue, 27 Mar 2018 01:22:00 +0200
- From: Kacper Wirski via samba <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] freeradius + NTLM + samba AD 4.5.x
Hello,
I've done some further testing, and I have to correct myself.
I was (kind of obviously as I think about it) wrong about samba on the
freeradius server requiring v. 4.7. What makes all the difference is the
method used by mschap.
Traditionally in freeradius in mods-available/mschap you'll use
something like:
ntlm_auth = "/path/to/ntlm_auth --request-nt-key
--username=%{mschap:User-Name}
--domain=DOMAIN --challenge=%{%{mschap:Challenge}:-00}
--nt-response=%{%{mschap:NT-Response}:-00}"
but starting from freeradius 3.0.8 there is a "newer" winbind method,
using the winbind daemon directly. From the docs it actually still uses
ntlm_auth, but for whatever reason this works, and the "traditional"
ntlm_auth doesn't.
So in your freeradius mods-enabled/mschap, instead of ntlm_auth put
something like this:
winbind_username = "%{mschap:User-Name}"
winbind_domain = "*WINDOWSDOMAIN*"
(not sure about external links in the mailing list, but here is the link to the freeradius doc explaining in detail:
https://wiki.freeradius.org/guide/Active-Directory-direct-via-winbind )
What I can't test right now is whether it will work with mschapv2 password change (if required), since freeradius relies directly on ntlm_auth there.
My question on the other hand is this:
- Why does this "winbind" method work fine with "ntlm auth = mschapv2-and-ntlmv2-only" on the AD DC, but "ntlm_auth" doesn't? The winbind method supposedly also uses ntlm_auth in the end?
Regards,
Kacper
On 26.03.2018 at 23:09, Jonathan Hunter via samba wrote:
On 26 March 2018 at 21:38, Kacper Wirski via samba <samba@xxxxxxxxxxxxxxx>
wrote:
While using "ntlm auth = yes" I was getting in audit log
Authentication_passwordType = NTLMv1, but with ntlm auth =
ntlmv2-and-mschap2-only audit log shows Authentication_passwordType as
"MSCHAP2"
Thanks.
(FYI - the correct parameter is 'mschapv2-and-ntlmv2-only' :) )
With ntlm-auth set to this, I get '[NTLMv1] status
[NT_STATUS_WRONG_PASSWORD]'.
Setting back to 'ntlm-auth=yes' in smb.conf, I get '[NTLMv1] status
[NT_STATUS_OK]' and things work again.
Adding 'ntlm-auth=yes' to a newly included (via 'include = smb.conf.%I')
file called "smb.conf.127.0.0.1" doesn't help me, since ntlm-auth talks to
winbindd as far as I can see, and therefore that new config file is never
used.
Kacper - what do you have in your freeradius config, in terms of your
ntlm_auth command line?
Cheers
Jonathan
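Both posters are reading the DC's authentication audit log to tell NTLMv1 from MSCHAP2 and NTLMv2 exchanges, and Jonathan notes that after switching to 'ntlm auth = mschapv2-and-ntlmv2-only' the NTLMv1 attempts show up as NT_STATUS_WRONG_PASSWORD rather than as an explicit policy rejection. The following Python script is an added example, not code from the thread or from Samba or FreeRADIUS: it parses audit lines, separates NTLMv1 successes and NTLMv1 "wrong password" rejections from the healthy MSCHAP2/NTLMv2 traffic, and lists the principals still arriving as NTLMv1 so they can be fixed before (or watched after) tightening the DC. The sample lines are constructed; only the 'with [NTLMv1] status [NT_STATUS_...]' fragment is taken from Jonathan's message, and the rest of the line layout (the 'Auth: [service,description] user [DOMAIN]\[user] ...' shape) is an assumption about Samba's text audit format that should be checked against a real log.

```python
"""Triage Samba auth-audit lines for the NTLMv1 vs MSCHAP2/NTLMv2 distinction.

SAMPLE_LOG is constructed for this example. Only the
'with [<passwordType>] status [<NT_STATUS>]' fragment is quoted from the
thread; the surrounding field layout is an assumption about Samba's text
audit log and must be verified against real output before relying on it.
"""
import re
from collections import Counter

SAMPLE_LOG = r"""
Auth: [ntlm_auth,MSCHAP2] user [EXAMPLE]\[alice] at [Mon, 26 Mar 2018 21:30:01.000000 CEST] with [NTLMv1] status [NT_STATUS_OK] workstation [RADIUS1] remote host [ipv4:10.0.0.5:0] mapped to [EXAMPLE]\[alice]. local host [NULL]
Auth: [ntlm_auth,MSCHAP2] user [EXAMPLE]\[bob] at [Mon, 26 Mar 2018 21:31:14.000000 CEST] with [NTLMv1] status [NT_STATUS_WRONG_PASSWORD] workstation [RADIUS1] remote host [ipv4:10.0.0.5:0] mapped to [EXAMPLE]\[bob]. local host [NULL]
Auth: [winbind,MSCHAP2] user [EXAMPLE]\[carol] at [Tue, 27 Mar 2018 00:05:44.000000 CEST] with [MSCHAP2] status [NT_STATUS_OK] workstation [RADIUS1] remote host [ipv4:10.0.0.5:0] mapped to [EXAMPLE]\[carol]. local host [NULL]
Auth: [SMB2,NTLMSSP] user [EXAMPLE]\[dave] at [Tue, 27 Mar 2018 00:06:02.000000 CEST] with [NTLMv2] status [NT_STATUS_OK] workstation [WS01] remote host [ipv4:10.0.0.23:49321] mapped to [EXAMPLE]\[dave]. local host [NULL]
Auth: [winbind,MSCHAP2] user [EXAMPLE]\[erin] at [Tue, 27 Mar 2018 00:07:31.000000 CEST] with [MSCHAP2] status [NT_STATUS_WRONG_PASSWORD] workstation [RADIUS1] remote host [ipv4:10.0.0.5:0] mapped to [EXAMPLE]\[erin]. local host [NULL]
"""

# Tolerant of whatever sits between the user field and the 'with [...]' part.
AUTH_RE = re.compile(
    r"Auth: \[(?P<service>[^,\]]+),(?P<desc>[^\]]+)\] "
    r"user \[(?P<domain>[^\]]*)\]\\\[(?P<user>[^\]]*)\] "
    r".*?with \[(?P<ptype>[^\]]+)\] status \[(?P<status>[^\]]+)\]"
)


def parse_auth_line(line):
    """Return the fields of one audit line as a dict, or None if it is not one."""
    m = AUTH_RE.search(line)
    return m.groupdict() if m else None


def classify(rec):
    """Bucket a parsed record by what the thread is arguing about.

    ntlmv1-accepted : an NTLMv1-shaped exchange succeeded, i.e. the DC still
                      runs 'ntlm auth = yes' (Jonathan's "things work again").
    ntlmv1-rejected : NTLMv1 with NT_STATUS_WRONG_PASSWORD, the symptom seen
                      after switching to mschapv2-and-ntlmv2-only; correlate
                      with the policy change before treating it as a typo.
    ok / failed     : everything else (MSCHAP2, NTLMv2, ...).
    """
    ntlmv1 = rec["ptype"] == "NTLMv1"
    ok = rec["status"] == "NT_STATUS_OK"
    if ntlmv1 and ok:
        return "ntlmv1-accepted"
    if ntlmv1 and rec["status"] == "NT_STATUS_WRONG_PASSWORD":
        return "ntlmv1-rejected"
    return "ok" if ok else "failed"


def triage(log_text):
    """Parse a whole log; return (records with a 'class' field, Counter by class)."""
    records = []
    for line in log_text.splitlines():
        rec = parse_auth_line(line)
        if rec:
            rec["class"] = classify(rec)
            records.append(rec)
    return records, Counter(r["class"] for r in records)


def ntlmv1_users(log_text):
    """Sorted DOMAIN\\user principals still arriving as NTLMv1, whatever the outcome.

    This is the clean-up list before setting
    'ntlm auth = mschapv2-and-ntlmv2-only', and the watch list afterwards.
    """
    records, _ = triage(log_text)
    return sorted({f"{r['domain']}\\{r['user']}" for r in records if r["ptype"] == "NTLMv1"})


if __name__ == "__main__":
    recs, counts = triage(SAMPLE_LOG)
    for r in recs:
        print(f"{r['service']:10} {r['domain']}\\{r['user']:6} {r['ptype']:8} "
              f"{r['status']:26} -> {r['class']}")
    print(dict(counts))
    print("NTLMv1 principals:", ntlmv1_users(SAMPLE_LOG))
```

Run it against the real log with 'log level = auth_audit:3' enabled on the DC and the sample replaced by the file contents; the interesting output is the 'ntlmv1-rejected' bucket appearing right after the smb.conf change, which distinguishes a RADIUS server still driving ntlm_auth the old way from users who actually mistyped a password.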
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba