Web lists-archives.com

Re: [Samba] ODP: Re: freeradius + NTLM + samba AD 4.5.x




I see it's more about freeradius than samba at this point, so I'm not very comfortable writing on samba list about this topic (if it's inapropriate, someone please tell me), but to share my experience:

passchange was tested on windows 7/10 joined to the samba AD domain since that's in my case the obvious mschpav2 client. I had simply tried logging as users with "password has to be changed on the next logon". I tried it with wireless (eap-peap) and 802.1x for wired (eap-peap).

Enabling password change with mschpav2 for freeradius requires also setting in /mods-available/eap in mschapv2 section:

 mschapv2 {
               send_error = yes

I tested it strictly with windows computers, so I believe it's really dependent on what is trying to authenticate. For windows (7 and above tested) You have to also set via GPO or manually 802.1x authentication settings, one of them is to allow for extra windows during logon process. If it is setup, than You will get, as a user with expired password, prompt to change Your password (typical: old password - new password - retype new password). And it works in this setup (samba 4.7.6 DC, freeradius with 4.6.2 samba as domain member, with setting on samba DC ntlm auth = mschpav2-and-ntlmv2-only).

Basically, from what i understand, there are certain errors that can happen during mschapv2 authorization, one of them is "password is correct but expired" and with proper settings it's possible to allow connecting client to change password. I never bothered looking up, what else, except for windows clients can benefit from the password change, so I can't help You more than this.



W dniu 28.03.2018 o 08:18, Dr. Peer-Joachim Koch via samba pisze:
Hi,

thank you very much for testing everything out. Great work!

One question: passchange - which application are working with passchange on radius ? In the moment every user with an expired password is NOT able to use services using radius
for authentication (WLAN,VPN). Is there any documentation available ?

Bye, Peer

On 27.03.2018 22:40, Kacper Wirski via samba wrote:
Hello,

I can definately confirm that it's working.

My basic setup is:

1) Samba 4.7.6 AD DC (2 of them), compiled from source, on centos 7

2) Freeradius 3.0.13 + samba 4.6.2 as domain member, packages straight from centos repo. // I  tested also on freeradius 3.0.14 and samba 4.7.x

smb.conf on the DC is pretty basic, most important is obviously in [globall]:

        ntlm auth = mschapv2-and-ntlmv2-only

On server with freeradius + samba 4.6.2:

machine is added to AD using samba with net ads join.

Most important configuration to make mschapv2 only with ntlmv1 overall disabled (except for mschapv2) is setting in freeradius in /mods-available/mschap:

mschap {

.....

ntlm_auth = "/path/to/ntlm_auth *--allow-mschapv2* --request-nt-key --username=%{mschap:User-Name} --domain=WINDOWSDOMAIN --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"

OR (if your Freeradius supports it)

winbind_username = "%{%{mschap:User-Name}:-00}"
winbind_domain = "WINDOWSDOMAIN"

The former works just fine, the latter requires freeradius to be built with winbind auth, for example for centos i had to rebuild rpm and add to ./configure path to winbind libraries.

That's all that's needed to change from the "standard", well documented  freeradius/AD integration for the integration.

If there are going to be password changes with freeradius ("your password has expired" - type - scenarios) You should probably also configure in /mods-available/mschap additionaly:

passchange {
                ntlm_auth = "/path/to/ntlm_auth --helper-protocol=ntlm-change-password-1 *--allow-mschapv2*"
                ntlm_auth_username = "username: %{mschap:User-Name}"
                ntlm_auth_domain = "nt-domain: WINDOWSDOMAIN"

I'm saying "should probably configure" because  with the settings as above it works just fine, so even it's unnecessary, it doesn't break anything, and unfortunately I was unable to test if it works (I doubt it) without this option while denying ntlmv1 overall on ad dc.

If everything works as intented, in the AD DC audit log You will see something like this: {"timestamp": "some-date0", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 0}, "status": "NT_STATUS_OK", "localAddress": "ipv4:xxx.xxx.xxx.xxx", "remoteAddress": "ipv4:xxx.xxx.xxx.xxx:58046", "serviceDescription": "SamLogon", "authDescription": "network", "clientDomain": "WINDOWSDOMAIN", "clientAccount": "some-user", "workstation": "\\\\SOME-HOST", "becameAccount": "some-user", "becameDomain": "WINDOWSDOMAIN", "becameSid": "SOME-SID", "mappedAccount": "some-user", "mappedDomain": "WINDOWSDOMAIN", "netlogonComputer": "SOME-HOST", "netlogonTrustAccount": "SOME-HOST$", "netlogonNegotiateFlags": "0x610FFFFF", "netlogonSecureChannelType": 2, "netlogonTrustAccountSid": "somesid, *"passwordType": "MSCHAPv2"*}}

Without "--allow-mschapv2" You would see "passwordType":"NTLMv1".

Also I have no idea when ntlm_auth --allow-mschapv2 option was added?

W dniu 27.03.2018 o 10:06, Rowland Penny via samba pisze:
On Tue, 27 Mar 2018 09:36:42 +0200
"k.wirski via samba" <samba@xxxxxxxxxxxxxxx> wrote:

ok, tested it, and it works.

so to summarize:
on samba ad 4.7.x  in smb.conf "ntlm auth" is set to
"mschapv2-and-ntlmv2-only" fr + samba domain member (4.6 and 4.7) in
mods-available/mschap you have to add to ntlm_auth --allow-mschapv2
to the whole string OR just use winbind method, which sets correct
flag without explicitly adding it.
Not sure it will work with 4.6 as it doesn't have the required
'mschapv2-and-ntlmv2-only' option for 'ntlm auth'

with those settings ntlmv1 is blocked except for mschapv2, and it's
nicely visible in samba auth_audit log.

I also tried password change with ntlm_auth (for expired password at
logon via FR) and it works fine too, with added --allow-mschapv2.

I completely missed ntlm_auth option --allow-mschapv2!
Thank You for pointing it out.

If you can let us know just what you changed to get it working, I will
put something on the Samba wiki.

Rowland






--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba