Re: [Samba] freeradius + NTLM + samba AD 4.5.x

Date: Tue, 27 Mar 2018 01:22:00 +0200
From: Kacper Wirski via samba <samba@xxxxxxxxxxxxxxx>
Subject: Re: [Samba] freeradius + NTLM + samba AD 4.5.x

Hello,

I've done some further testing, and I have to correct myself.

I was (kind of obviously as I think about it) wrong about samba on thefreeradius server requiring v. 4.7. What makes all the difference is themethod used by mschap.

Traditionally in freeradius in mods-available/mschap you'll usesomething like:

ntlm_auth = "/path/to/ntlm_auth --request-nt-key--username=%{mschap:User-Name}--domain=DOMAIN--challenge=%{%{mschap:Challenge}:-00}--nt-response=%{%{mschap:NT-Response}:-00}"

but starting form freeradius 3.0.8 there is "newer" winbind method,using directly winbind daemon. From the docs it actually still usesntlm_auth, but for whatever reason this works, and "traditional"ntlm_auth doesn't.

So in your freeradius mods-enabled/mschap instead of ntlm_auth...... putsomething like this:


winbind_username = "%{mschap:User-Name}"
winbind_domain = "*WINDOWSDOMAIN*"

(not sure about external links in the mailing list, but here is the link to the freeradius doc explaining in detail:
https://wiki.freeradius.org/guide/Active-Directory-direct-via-winbind

What I can't test right now, if it will work with mchapv2 password change (if required), since freeradius relies directly on ntlm_auth there.


My question on the other hand is this:
- Why this "winbind" method works fine with "ntlm auth = mschpav2-and-ntlmv2-only" on the AD DC, but "ntlm_auth" doesn't? Winbind method supposedly also uses ntlm_auth in the end?

Regards,
Kacper


W dniu 26.03.2018 o 23:09, Jonathan Hunter via samba pisze:

On 26 March 2018 at 21:38, Kacper Wirski via samba <samba@xxxxxxxxxxxxxxx>
wrote:

While using "ntlm auth = yes" I was getting in audit log
Authentication_passwordType = NTLMv1, but with ntlm auth =
ntlmv2-and-mschap2-only audit log shows Authentication_passwordType as
"MSCHAP2"

Thanks.

(FYI - the correct parameter is 'mschapv2-and-ntlmv2-only' :) )

With ntlm-auth set to this, I get '[NTLMv1] status
[NT_STATUS_WRONG_PASSWORD]'.

Setting back to 'ntlm-auth=yes' in smb.conf, I get '[NTLMv1] status
[NT_STATUS_OK]' and things work again.

Adding 'ntlm-auth=yes' to a newly included (via 'include = smb.conf.%I')
file called "smb.conf.127.0.0.1" doesn't help me, since ntlm-auth talks to
winbindd as far as I can see, and therefore that new config file is never
used.

Kacper - what do you have in your freeradius config, in terms of your
ntlm_auth command line?

Cheers

Jonathan


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Follow-Ups:
- Re: [Samba] freeradius + NTLM + samba AD 4.5.x
  - From: Andrew Bartlett via samba

References:
- [Samba] freeradius + NTLM + samba AD 4.5.x
  - From: Dr. Peer-Joachim Koch via samba
- Re: [Samba] freeradius + NTLM + samba AD 4.5.x
  - From: Rowland Penny via samba
- Re: [Samba] freeradius + NTLM + samba AD 4.5.x
  - From: Kacper Wirski via samba
- Re: [Samba] freeradius + NTLM + samba AD 4.5.x
  - From: Jonathan Hunter via samba
- Re: [Samba] freeradius + NTLM + samba AD 4.5.x
  - From: Kacper Wirski via samba
- Re: [Samba] freeradius + NTLM + samba AD 4.5.x
  - From: Jonathan Hunter via samba

Prev by Date: Re: [Samba] Replication Failure Issue
Next by Date: Re: [Samba] freeradius + NTLM + samba AD 4.5.x
Previous by thread: Re: [Samba] freeradius + NTLM + samba AD 4.5.x
Next by thread: Re: [Samba] freeradius + NTLM + samba AD 4.5.x
Index(es):
- Date
- Thread

lists-archives.com

Re: [Samba] freeradius + NTLM + samba AD 4.5.x