On Tue, 2015-01-20 at 13:33 +1300, Andrew Bartlett wrote:
> On Mon, 2015-01-19 at 10:59 +0330, Maryam Lahijani wrote:
> > Dear All
> >
> > We have Samba4 in our network as a domain controller. We have Cisco
> > ISE 1.3, and our Cisco team want to run IEEE 802.1X in our network.
> > The problem is that ISE uses MS-RPC for sending MS-CHAP v2 to Samba,
> > and it received an RPC login failure from Samba. ISE 1.2 uses Kerberos
> > for sending MS-CHAP v2 and it's OK, but we have a problem with ISE 1.3.
> > Any advice to solve this problem?
>
> Can you give much more detail on exactly what fails, and how it fails?
> What is in the logs, etc? Can you get me a network trace (and a
> description of what it contains, packet by failing packet) to clarify
> what is different between this and a test Microsoft AD domain?
Just some initial feedback, as I think you may be a little confused by
the protocols involved. There isn't a way to validate an MS-CHAPv2
response over Kerberos, the relevant protocol is the SamLogon family of
functions over the NETLOGON DCE/RPC pipe which Samba has pretty
comprehensive support for. So assuming it uses the normal calls here
(and I'll check the logs you sent privately), this is all expected to
work. Do make sure to send me the matching level 10 Samba logs as
well.
From the logs you provided me privately, it gives STATUS_UNSUCCESSFUL,
and the network trace indicates an NDR fault. This implies that the
client is sending a form of SamLogonEx that we can't decode. Sadly this
part of the capture is encrypted. Sadly I can't remember the smb.conf
magic setting required to dump the unencrypted packets out :-(
The other thing I note is that the username in your logs is
(null)\user at realm.com. The (null)\ bit is very, very weird.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba