Web lists-archives.com

Re: [Samba] freeradius + NTLM + samba AD 4.5.x




Hello,

I've done some further testing, and I have to correct myself.

I was (kind of obviously as I think about it) wrong about samba on the freeradius server requiring v. 4.7. What makes all the difference is the method used by mschap.

Traditionally in freeradius in mods-available/mschap you'll use something like:

ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --domain=DOMAIN--challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"


but starting form freeradius 3.0.8 there is "newer" winbind method, using directly winbind daemon. From the docs it actually still uses ntlm_auth, but for whatever reason this works, and "traditional" ntlm_auth doesn't.

So in your freeradius mods-enabled/mschap instead of ntlm_auth...... put something like this:

winbind_username = "%{mschap:User-Name}"
winbind_domain = "*WINDOWSDOMAIN*"

(not sure about external links in the mailing list, but here is the link to the freeradius doc explaining in detail:
https://wiki.freeradius.org/guide/Active-Directory-direct-via-winbind

What I can't test right now, if it will work with mchapv2 password change (if required), since freeradius relies directly on ntlm_auth there.


My question on the other hand is this:
- Why this "winbind" method works fine with "ntlm auth = mschpav2-and-ntlmv2-only" on the AD DC, but "ntlm_auth" doesn't? Winbind method supposedly also uses ntlm_auth in the end?

Regards,
Kacper


W dniu 26.03.2018 o 23:09, Jonathan Hunter via samba pisze:
On 26 March 2018 at 21:38, Kacper Wirski via samba <samba@xxxxxxxxxxxxxxx>
wrote:

While using "ntlm auth = yes" I was getting in audit log
Authentication_passwordType = NTLMv1, but with ntlm auth =
ntlmv2-and-mschap2-only audit log shows Authentication_passwordType as
"MSCHAP2"

Thanks.
(FYI - the correct parameter is 'mschapv2-and-ntlmv2-only' :) )

With ntlm-auth set to this, I get '[NTLMv1] status
[NT_STATUS_WRONG_PASSWORD]'.

Setting back to 'ntlm-auth=yes' in smb.conf, I get '[NTLMv1] status
[NT_STATUS_OK]' and things work again.

Adding 'ntlm-auth=yes' to a newly included (via 'include = smb.conf.%I')
file called "smb.conf.127.0.0.1" doesn't help me, since ntlm-auth talks to
winbindd as far as I can see, and therefore that new config file is never
used.

Kacper - what do you have in your freeradius config, in terms of your
ntlm_auth command line?

Cheers

Jonathan


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba