Hi,

Since I'm still having problems reading the man smb.conf about the NTLM settings, I'm asking here.
How do I allow NTLM auth for my proxy?

I have been playing around with:

    client NTLMv2 auth
    raw NTLMv2 auth
    ntlm auth
    lanman auth

I've added the proxy user to the winbind_privileged group and did set the needed rights:

    chgrp winbindd_priv /var/lib/samba/winbindd_privileged/
    adduser proxy winbindd_priv

I'm trying to keep as much as possible to the default settings.
I'm testing the following:

    ntlm_auth --request-nt-key --username=someTestUser
    ntlm_auth --request-lm-key --username=someTestUser
    ntlm_auth --username=someTestUser --ntlmv2
    ntlm_auth --username=someTestUser --lanman
    ntlm_auth --username=someTestUser --krb5auth=someTestUser
    ntlm_auth --diagnostics --username=someTestUser
    wbinfo -a someTestUser
    wbinfo --krb5auth=someTestUser
    wbinfo --krb5auth='NTDOM\someTestUser'
    wbinfo --krb5auth='someTestUser@INTERNAL.DOMAIN.TLD'

Situation:
Samba AD DC 4.5.3
Config (left out the shares, the question is about auth):

    [global]
    workgroup = NTDOM
    realm = INTERNAL.DOMAIN.TLD
    netbios name = DC1
    server role = active directory domain controller
    server services = -dns
    interfaces = 192.168.0.1 127.0.0.1
    bind interfaces only = yes
    time server = yes
    idmap_ldb:use rfc2307 = yes
    winbind nss info = rfc2307
    winbind expand groups = 4
    template shell = /bin/bash
    template homedir = /home/users/%U
    tls enabled = yes

My client setup:
Samba member 4.5.5 (and testing 4.5.3 also)

    [global]
    workgroup = NTDOM
    security = ads
    realm = INTERNAL.DOMAIN.TLD
    netbios name = PROXY2
    preferred master = no
    domain master = no
    host msdfs = no
    interfaces = 192.168.0.2 127.0.0.1
    bind interfaces only = yes
    dns proxy = yes
    tls enabled = yes
    idmap config *:backend = tdb
    idmap config *:range = 2000-9999
    idmap config NTDOM : backend = ad
    idmap config NTDOM : schema_mode = rfc2307
    idmap config NTDOM : range = 10000-3999999
    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab
    winbind refresh tickets = yes
    winbind nss info = rfc2307
    winbind trusted domains only = no
    winbind offline logon = yes
    winbind expand groups = 4

Now I'm asking: where do we set what to make this work?

When I set in my proxy smb.conf

    lanman auth = yes
    raw NTLMv2 auth = yes
    ntlm auth = yes

I'm getting the same results as with the above but = no.

And I'm testing:

    wbinfo -a "NTDOM\someTestUser"
    Enter NTDOM\someTestUser's password:
    plaintext password authentication succeeded
    Enter NTDOM\someTestUser's password:
    challenge/response password authentication failed
    wbcAuthenticateUserEx(NTDOM\someTestUser): error code was NT_STATUS_WRONG_PASSWORD (0xc000006a)
    error message was: Wrong Password
    Could not authenticate user NTDOM\someTestUser with challenge/response

And the same result for: wbinfo -a someTestUser@ROTTERDAM.BAZUIN.NL

If a default setting is like: client plaintext auth = no
why do I get: plaintext password authentication succeeded

What is missing in my setup? Or do I have to set up a less secure AD DC to make this work?
I'm still having a hard time figuring out if a setting is AD DC or member only, and man smb.conf isn't telling me what I need to know.

So I don't get it. :-(( Help :-))

Any assistance here is very welcome. ;-)

Greetz,

Louis
1) The user you are running wbinfo with, does it have access to the winbind_privileged folder?
2) Does running "wbinfo --ntlmv2 -a 'DOMAIN\sometestuser'" change the response you get?

On 15/02/2017 12:24, L.P.H. van Belle via samba wrote:
> [...]
-- 
Vinicius Silva
SOC
A1) Yes, I test as root.

A2)

    wbinfo --ntlmv2 -a "someTestUser"
    wbinfo --ntlmv2 -a "NTDOM\someTestUser"
    wbinfo --ntlmv2 -a "someTestUser@INTERNAL.DOMAIN.TLD"

These all work with default settings:

    raw NTLMv2 auth = no
    ntlm auth = no
    lanman auth = no

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Vinicius Bones Silva via samba
> Sent: Wednesday, 15 February 2017 15:48
> To: samba at lists.samba.org
> Subject: Re: [Samba] question about ntlm
>
> [...]
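The challenge/response path that the wbinfo -a tests in this thread exercise, as an added example written for this page (it is not Samba code and not code from either poster). It recomputes an NTLMv2 response the way a domain controller has to, from nothing but the stored NT hash, and checks the intermediate values against the published MS-NLMP section 4.2 test vectors (user "User", domain "Domain", password "Password", server challenge 0123456789abcdef, client challenge aa*8, timestamp 0). MD4 is implemented inline because hashlib's md4 is a legacy algorithm that many OpenSSL 3 builds do not ship. The target-info blob is built to match the MS-NLMP vector, and the 24-byte "v1-shaped" response is a constructed stand-in, not a real NTLMv1 computation. The point to take from dc_verify is that the DC has nothing to compare but one HMAC: a response computed with another password, or in a format other than the one the DC recomputes, fails the same comparison, and the client sees NT_STATUS_WRONG_PASSWORD either way, just as in the output above.

```python
"""NTLMv2 challenge/response recomputed the way a domain controller verifies it.

Added example for this thread, not Samba code. Test vectors are the published
MS-NLMP section 4.2 values (user "User", domain "Domain", password "Password",
server challenge 0123456789abcdef, client challenge aa*8, timestamp 0).
MD4 is implemented here because hashlib.md4 is a legacy algorithm that many
OpenSSL 3 builds do not ship.
"""
import hashlib
import hmac
import struct

MASK32 = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, the hash behind the NT hash (unicodePwd)."""
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (  # (mixing function, additive constant, shift schedule, word order)
        (lambda x, y, z: (x & y) | (~x & z), 0x00000000, (3, 7, 11, 19),
         tuple(range(16))),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999, (3, 5, 9, 13),
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1, (3, 9, 11, 15),
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    for off in range(0, len(msg), 64):
        words = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for fn, const, shifts, order in rounds:
            for i, k in enumerate(order):
                a = _rotl((a + fn(b, c, d) + words[k] + const) & MASK32, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate registers: next step updates old d
        state = [(s + v) & MASK32 for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def ntowf_v1(password: str) -> bytes:
    """NT hash: MD4 over the UTF-16LE password. The DC stores only this."""
    return md4(password.encode("utf-16-le"))


def ntowf_v2(nt_hash: bytes, user: str, domain: str) -> bytes:
    """NTLMv2 key: HMAC-MD5 keyed with the NT hash over UPPER(user) || domain."""
    ident = (user.upper() + domain).encode("utf-16-le")
    return hmac.new(nt_hash, ident, hashlib.md5).digest()


def av_pair(av_id: int, value: str) -> bytes:
    """One target-info AV_PAIR (MsvAvNbComputerName = 1, MsvAvNbDomainName = 2)."""
    v = value.encode("utf-16-le")
    return struct.pack("<HH", av_id, len(v)) + v


def build_temp(client_challenge: bytes, timestamp: int, target_info: bytes) -> bytes:
    """The 'temp' blob: RespType 1, HiRespType 1, Z(6), time, client nonce, Z(4), AvPairs, Z(4)."""
    return (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_challenge + b"\x00" * 4 + target_info + b"\x00" * 4)


def ntlmv2_response(key_nt: bytes, server_challenge: bytes, temp: bytes) -> bytes:
    """Client side: NtChallengeResponse = NTProofStr || temp."""
    proof = hmac.new(key_nt, server_challenge + temp, hashlib.md5).digest()
    return proof + temp


def dc_verify(stored_nt_hash: bytes, user: str, domain: str,
              server_challenge: bytes, nt_response: bytes) -> bool:
    """DC side: derive the NTLMv2 key from the stored hash, recompute NTProofStr, compare.
    Wrong password, a v1-format response and a truncated blob all fail identically:
    the DC cannot distinguish them, hence a bare WRONG_PASSWORD for all of them."""
    if len(nt_response) <= 16:
        return False
    proof, temp = nt_response[:16], nt_response[16:]
    key_nt = ntowf_v2(stored_nt_hash, user, domain)
    expected = hmac.new(key_nt, server_challenge + temp, hashlib.md5).digest()
    return hmac.compare_digest(proof, expected)


# MS-NLMP 4.2 vectors; the target info and the v1-shaped stand-in are constructed here.
SERVER_CHALLENGE = bytes.fromhex("0123456789abcdef")
CLIENT_CHALLENGE = b"\xaa" * 8
TARGET_INFO = av_pair(2, "Domain") + av_pair(1, "Server") + struct.pack("<HH", 0, 0)
TEMP = build_temp(CLIENT_CHALLENGE, 0, TARGET_INFO)
V1_SHAPED_STANDIN = b"\x00" * 24  # 24 bytes like an NTLMv1 NT response; not a real v1 value


def demo() -> dict:
    user, domain, password = "User", "Domain", "Password"
    stored = ntowf_v1(password)  # what the DC holds
    good = ntlmv2_response(ntowf_v2(stored, user, domain), SERVER_CHALLENGE, TEMP)
    bad_pw = ntlmv2_response(ntowf_v2(ntowf_v1("Passw0rd"), user, domain),
                             SERVER_CHALLENGE, TEMP)
    return {
        "nt_hash": stored.hex(),
        "ntowf_v2": ntowf_v2(stored, user, domain).hex(),
        "nt_proof_str": good[:16].hex(),
        "accepted": dc_verify(stored, user, domain, SERVER_CHALLENGE, good),
        "wrong_password": dc_verify(stored, user, domain, SERVER_CHALLENGE, bad_pw),
        "v1_shaped": dc_verify(stored, user, domain, SERVER_CHALLENGE, V1_SHAPED_STANDIN),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:15} {v}")
```

wbinfo -a without --ntlmv2 sends LM/NT (NTLMv1) responses; with --ntlmv2 it sends the NtChallengeResponse computed above, which is the variant that worked here with default settings. Note also that "client plaintext auth" is an SMB client-side parameter (whether smbclient and friends will send a plaintext password to an SMB server), so it has no bearing on the separate plaintext logon that wbinfo -a performs through winbindd before its challenge/response attempt.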