Hello list,

We were using two DCs with version 4.3.4 of samba. Radius authentication won't work after upgrading one of the DCs to version 4.6.7. Authentication is working if winbind on the radius server connects to the DC with version 4.3.4.
I tried installing a new radius server following the tutorial on https://wiki.samba.org/index.php/Authenticating_Freeradius_against_Active_Directory with the same result. Radius is working on the DC with the older version of samba.
I think that the problem will be somewhere in winbind on the radius server. If I want to test authentication with wbinfo I get the following output:

wbinfo -a user%pass
plaintext password authentication failed
Could not authenticate user user%pass with plaintext password
challenge/response password authentication succeeded.

My smb.conf on the radius server (samba 4.7.1, radiusd 3.0.13):

[global]
security = ADS
workgroup = DOMAIN
realm = DOMAIN.LAN

log file = /var/log/samba/%m.log
log level = 1
ntlm auth = mschapv2-and-ntlmv2-only

idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config DOMAIN:backend = ad
idmap config DOMAIN:schema_mode = rfc2307
idmap config DOMAIN:range = 10000-999999
idmap config DOMAIN:unix_nss_info = no
template shell = /bin/bash
template homedir = /home/%U

Why do I have a problem with radius authentication of users with the newer version of samba on the DC?
Any reply will be appreciated.
Thank you

On Fri, 19 Oct 2018 15:00:18 +0200 Jiří František via samba <samba at lists.samba.org> wrote:

> Hello list,
> We were using two DCs with version 4.3.4 of samba. Radius
> authentication won't work after upgrading one of the DCs to version 4.6.7.
> Authentication is working if winbind on the radius server connects to the DC
> with version 4.3.4. I tried installing a new radius server following the
> tutorial on
> https://wiki.samba.org/index.php/Authenticating_Freeradius_against_Active_Directory
> with the same result. Radius is working on the DC with the older version of samba.
> I think that the problem will be somewhere in winbind on the radius
> server. If I want to test authentication with wbinfo I get the following
> output:
>
> wbinfo -a user%pass
> plaintext password authentication failed
> Could not authenticate user user%pass with plaintext password
> challenge/response password authentication succeeded.
>
> My smb.conf on the radius server (samba 4.7.1, radiusd 3.0.13):
> [global]
> security = ADS
> workgroup = DOMAIN
> realm = DOMAIN.LAN
>
> log file = /var/log/samba/%m.log
> log level = 1
> ntlm auth = mschapv2-and-ntlmv2-only
>
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
> idmap config DOMAIN:backend = ad
> idmap config DOMAIN:schema_mode = rfc2307
> idmap config DOMAIN:range = 10000-999999
> idmap config DOMAIN:unix_nss_info = no
> template shell = /bin/bash
> template homedir = /home/%U
>
> Why do I have a problem with radius authentication of users with the newer
> version of samba on the DC?
> Any reply will be appreciated.
> Thank you

It seems you have to add the 'ntlm auth' line to the DC as well.

Rowland

Hi,

on your DC set "ntlm auth = yes" for testing. I don't know when, but ntlm auth is no longer enabled by default! In the past I got the same issue with my radius server.

For more, see here ("ntlm auth (G)"): https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html

best regards
micha

On 19.10.2018 at 15:00, Jiří František via samba wrote:

> Hello list,
> We were using two DCs with version 4.3.4 of samba. Radius authentication
> won't work after upgrading one of the DCs to version 4.6.7. Authentication is
> working if winbind on the radius server connects to the DC with version 4.3.4.
> I tried installing a new radius server following the tutorial on
> https://wiki.samba.org/index.php/Authenticating_Freeradius_against_Active_Directory
> with
> the same result. Radius is working on the DC with the older version of samba.
> I think that the problem will be somewhere in winbind on the radius server.
> If I want to test authentication with wbinfo I get the following output:
>
> wbinfo -a user%pass
> plaintext password authentication failed
> Could not authenticate user user%pass with plaintext password
> challenge/response password authentication succeeded.
>
> My smb.conf on the radius server (samba 4.7.1, radiusd 3.0.13):
> [global]
> security = ADS
> workgroup = DOMAIN
> realm = DOMAIN.LAN
>
> log file = /var/log/samba/%m.log
> log level = 1
> ntlm auth = mschapv2-and-ntlmv2-only
>
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
> idmap config DOMAIN:backend = ad
> idmap config DOMAIN:schema_mode = rfc2307
> idmap config DOMAIN:range = 10000-999999
> idmap config DOMAIN:unix_nss_info = no
> template shell = /bin/bash
> template homedir = /home/%U
>
> Why do I have a problem with radius authentication of users with the newer version
> of samba on the DC?
> Any reply will be appreciated.
> Thank you
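
Added example, not written by any poster in this thread and not Samba project code: a Python check that reads smb.conf text, finds `ntlm auth` in [global], and reports whether MSCHAPv2 from the RADIUS host would be accepted by that server. The function names and the three sample configs are constructed for illustration; the value meanings follow the "ntlm auth (G)" entry of the smb.conf man page linked above.

```python
# Added example: audit the "ntlm auth" setting in smb.conf text.
# All sample configs below are constructed, not taken from a real host.

# Whether each documented "ntlm auth" value lets MSCHAPv2 through.
MSCHAPV2_OK = {
    "yes": True, "ntlmv1-permitted": True,
    "mschapv2-and-ntlmv2-only": True,
    "no": False, "ntlmv2-only": False,
    "disabled": False,
}

def _norm(name):
    # smb.conf parameter names ignore case and embedded whitespace.
    return "".join(name.split()).lower()

def global_param(conf_text, wanted):
    """Return the last value of `wanted` in [global], or None if not set."""
    section, value = None, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":        # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "global" and "=" in line:
            key, _, val = line.partition("=")
            if _norm(key) == _norm(wanted):
                value = val.strip()            # a later line overrides an earlier one
    return value

def mschapv2_status(conf_text):
    """'accepted', 'rejected', 'unset' (version default applies) or 'unknown'."""
    val = global_param(conf_text, "ntlm auth")
    if val is None:
        return "unset"
    ok = MSCHAPV2_OK.get(val.lower())
    return "unknown" if ok is None else ("accepted" if ok else "rejected")

# Constructed samples: RADIUS member, upgraded DC without the line, DC with test value.
RADIUS_CONF = "[global]\nsecurity = ADS\nntlm auth = mschapv2-and-ntlmv2-only\n"
DC_UPGRADED = "[global]\nrealm = DOMAIN.LAN\nworkgroup = DOMAIN\n"
DC_TESTING = "[global]\nrealm = DOMAIN.LAN\n; enabled only for testing\nNTLM Auth = yes\n"

if __name__ == "__main__":
    for name, conf in [("radius", RADIUS_CONF), ("dc-upgraded", DC_UPGRADED),
                       ("dc-testing", DC_TESTING)]:
        print(f"{name}: ntlm auth -> {mschapv2_status(conf)}")
```

A result of "unset" means the server falls back to the default of its Samba version, which is the case the replies above point at; on a live host, `testparm -s --parameter-name='ntlm auth'` prints the effective value.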