Web lists-archives.com

Re: [Samba] ODP: Re: freeradius + NTLM + samba AD 4.5.x


I can definately confirm that it's working.

My basic setup is:

1) Samba 4.7.6 AD DC (2 of them), compiled from source, on centos 7

2) Freeradius 3.0.13 + samba 4.6.2 as domain member, packages straight from centos repo. // I  tested also on freeradius 3.0.14 and samba 4.7.x

smb.conf on the DC is pretty basic, most important is obviously in [globall]:

        ntlm auth = mschapv2-and-ntlmv2-only

On server with freeradius + samba 4.6.2:

machine is added to AD using samba with net ads join.

Most important configuration to make mschapv2 only with ntlmv1 overall disabled (except for mschapv2) is setting in freeradius in /mods-available/mschap:

mschap {


ntlm_auth = "/path/to/ntlm_auth *--allow-mschapv2* --request-nt-key --username=%{mschap:User-Name} --domain=WINDOWSDOMAIN --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"

OR (if your Freeradius supports it)

winbind_username = "%{%{mschap:User-Name}:-00}"
winbind_domain = "WINDOWSDOMAIN"

The former works just fine, the latter requires freeradius to be built with winbind auth, for example for centos i had to rebuild rpm and add to ./configure path to winbind libraries.

That's all that's needed to change from the "standard", well documented  freeradius/AD integration for the integration.

If there are going to be password changes with freeradius ("your password has expired" - type - scenarios) You should probably also configure in /mods-available/mschap additionaly:

passchange {
                ntlm_auth = "/path/to/ntlm_auth --helper-protocol=ntlm-change-password-1 *--allow-mschapv2*"
                ntlm_auth_username = "username: %{mschap:User-Name}"
                ntlm_auth_domain = "nt-domain: WINDOWSDOMAIN"

I'm saying "should probably configure" because  with the settings as above it works just fine, so even it's unnecessary, it doesn't break anything, and unfortunately I was unable to test if it works (I doubt it) without this option while denying ntlmv1 overall on ad dc.

If everything works as intented, in the AD DC audit log You will see something like this: {"timestamp": "some-date0", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 0}, "status": "NT_STATUS_OK", "localAddress": "ipv4:xxx.xxx.xxx.xxx", "remoteAddress": "ipv4:xxx.xxx.xxx.xxx:58046", "serviceDescription": "SamLogon", "authDescription": "network", "clientDomain": "WINDOWSDOMAIN", "clientAccount": "some-user", "workstation": "\\\\SOME-HOST", "becameAccount": "some-user", "becameDomain": "WINDOWSDOMAIN", "becameSid": "SOME-SID", "mappedAccount": "some-user", "mappedDomain": "WINDOWSDOMAIN", "netlogonComputer": "SOME-HOST", "netlogonTrustAccount": "SOME-HOST$", "netlogonNegotiateFlags": "0x610FFFFF", "netlogonSecureChannelType": 2, "netlogonTrustAccountSid": "somesid, *"passwordType": "MSCHAPv2"*}}

Without "--allow-mschapv2" You would see "passwordType":"NTLMv1".

Also I have no idea when ntlm_auth --allow-mschapv2 option was added?

W dniu 27.03.2018 o 10:06, Rowland Penny via samba pisze:
On Tue, 27 Mar 2018 09:36:42 +0200
"k.wirski via samba" <samba@xxxxxxxxxxxxxxx> wrote:

ok, tested it, and it works.

so to summarize:
on samba ad 4.7.x  in smb.conf "ntlm auth" is set to
"mschapv2-and-ntlmv2-only" fr + samba domain member (4.6 and 4.7) in
mods-available/mschap you have to add to ntlm_auth --allow-mschapv2
to the whole string OR just use winbind method, which sets correct
flag without explicitly adding it.
Not sure it will work with 4.6 as it doesn't have the required
'mschapv2-and-ntlmv2-only' option for 'ntlm auth'

with those settings ntlmv1 is blocked except for mschapv2, and it's
nicely visible in samba auth_audit log.

I also tried password change with ntlm_auth (for expired password at
logon via FR) and it works fine too, with added --allow-mschapv2.

I completely missed ntlm_auth option --allow-mschapv2!
Thank You for pointing it out.

If you can let us know just what you changed to get it working, I will
put something on the Samba wiki.


To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba