L.P.H. van Belle
2019-Aug-30 10:11 UTC
[Samba] Samba 4.10.7 + freeradius 3.0.17 +ntlm_auth - Debian buster
Hai,

It does not happen often, but yes, I also need some help, as I can't know everything either and I'm new with freeradius.

I'm working on a configuration for a samba member + freeradius with ntlm_auth.
Why ntlm_auth? Because the next ones to configure are kerberos and ldap auth..
I want to have some fallback options here, and you have to start somewhere.

This is running on my new proxy/gateway server, which also uses ntlm_auth, and that works fine.

Now, basically this looks simple and should be, but I'm missing something.
So what am I doing: I'm following http://deployingradius.com/
Followed these steps, that works out fine.
Then we go to:
http://deployingradius.com/documents/configuration/active_directory.html

For smb.conf I use the config I always use, pretty basic + I added (as noted on the site):
ntlm auth = mschapv2-and-ntlmv2-only

And of course I joined this server to the domain.

Now I'm at: Configuring FreeRADIUS to use ntlm_auth for MS-CHAP
And I just can not get this to work.

What I notice:

(0) Found Auth-Type = mschap
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0) authenticate {
(0) mschap: Client is using MS-CHAPv1 with NT-Password
(0) mschap: Executing: /usr/bin/ntlm_auth --allow-mschapv2 --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --domain=NTDOM --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}:
(0) mschap: EXPAND --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
(0) mschap: --> --username=obell
(0) mschap: mschap1: d4
(0) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00}
(0) mschap: --> --challenge=changedChallenge
(0) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00}
(0) mschap: --> --nt-response=ChangedResponce
(0) mschap: ERROR: Program returned code (1) and output 'The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)'
(0) mschap: External script failed
(0) mschap: ERROR: External script says: The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)
(0) mschap: ERROR: MS-CHAP2-Response is incorrect
(0) [mschap] = reject

What is not clear here to me is:

I test: radtest -t mschap myusername 'MyPass!' localhost 0 testing123-1

Response:
(1) mschap: Client is using MS-CHAPv1 with NT-Password
Then I'm thinking: why chap-v1?

I'm thinking I'm sending with: --allow-mschapv2 << mschap V2

ntlm_auth = "/usr/bin/ntlm_auth --allow-mschapv2 --request-nt-key \
--username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} \
--domain=NTDOM --challenge=%{%{mschap:Challenge}:-00} \
--nt-response=%{%{mschap:NT-Response}:-00}"

In the end all tests result in:

(4) MS-CHAP-Error = "\000E=691 R=1 C=877c690dc4020be0 V=2"

Testing with:
ntlm_auth --allow-mschapv2 --username=myusername --challenge=0x.... --nt-response=0xx...
Returns: The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)

So if someone has an idea what's going on/where to look?
It's most probably something simple that I'm not seeing..

I did add the freerad user to the winbindd_priv group also.
I also tried this setup:
https://wiki.freeradius.org/guide/Active-Directory-direct-via-winbind
Which looks a better way to do it, but same results.

I'm very grateful if someone could help me out here or has ideas on the best way to debug this.
Or if someone has a samba 4.9+ working with freeradius and could share your config, I can better look at what's off.

Thanks!

Greetz,
Louis
Christian Naumer
2019-Aug-30 10:53 UTC
[Samba] Samba 4.10.7 + freeradius 3.0.17 +ntlm_auth - Debian buster
We have this running, but on a DC (Samba 4.10.7).
We have this line in /etc/raddb/mods-enabled/mschap. Only this line!
DOMAIN is the actual NetBIOS name of the domain.

ntlm_auth = "/usr/bin/ntlm_auth --allow-mschapv2 --request-nt-key --username=%{mschap:User-Name:-None} --domain=DOMAIN --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"

Do your users log in with DOMAIN\user or just user? Ours do both.
Freeradius version on our side is 3.0.13.

Regards
On 30.08.19 at 12:11, L.P.H. van Belle via samba wrote:
> Hai,
--
Dr. Christian Naumer
Unit Head Bioprocess Development
B.R.A.I.N Aktiengesellschaft
Darmstaedter Str. 34-36, D-64673 Zwingenberg
e-mail cn@brain-biotech.com, homepage www.brain-biotech.com
phone +49-6251-9331-30 / fax +49-6251-9331-11
Registered office: Zwingenberg/Bergstrasse
Commercial register: Darmstadt district court, HRB 24758
Management board: Dr. Juergen Eck (Chairman), Manfred Bender, Ludger Roedder
Chairman of the supervisory board: Dr. Georg Kellinghusen
Rowland penny
2019-Aug-30 11:08 UTC
[Samba] Samba 4.10.7 + freeradius 3.0.17 +ntlm_auth - Debian buster
On 30/08/2019 11:53, Christian Naumer via samba wrote:
> We have this running, but on a DC (Samba 4.10.7).
>
> We have this line in /etc/raddb/mods-enabled/mschap. Only this line!
> DOMAIN is the actual NetBIOS name of the domain.
>
> ntlm_auth = "/usr/bin/ntlm_auth --allow-mschapv2 --request-nt-key --username=%{mschap:User-Name:-None} --domain=DOMAIN --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
>
> Do your users log in with DOMAIN\user or just user? Ours do both.
>
> Freeradius version on our side is 3.0.13.
>
> Regards
>
> On 30.08.19 at 12:11, L.P.H. van Belle via samba wrote:

Sheesh, it is a bit much when even Samba team members do not read the Samba wiki ;-)

https://wiki.samba.org/index.php/Authenticating_Freeradius_against_Active_Directory

Of course, this does raise the problem of what freeradius is going to do when SMBv1 entirely disappears?

Rowland
L.P.H. van Belle
2019-Aug-30 11:09 UTC
[Samba] Samba 4.10.7 + freeradius 3.0.17 +ntlm_auth - Debian buster
Guys, Christian, Marco,

Thank you very much. Marco, you have the best internal wiki :-) Very, very useful.

Whooe.. Most is working atm. And as always the solution was so simple.. I forgot... to.. add...
ntlm auth = mschapv2-and-ntlmv2-only
to the DC's smb.conf. :-/ Pretty stupid.. But so far, it looks good.

I've tested now:
radtest -t mschap username 'passwd' localhost 0 testing
radtest -t mschap username@REALM 'passwd' localhost 0 testing
These 2 work, thanks for that guys.

Now Christian, this fails for me:
radtest -t mschap 'NTDOM\username' 'passwd' localhost 0 testing
( MS-CHAP-Error = "\000E=691 R=1 C=58f41f1a946ac94a V=2")

So my question here is, are the username@REALM logins also working for you?
And are you using in smb.conf : winbind use default domain = yes

But guys, so far, I'm going very happy towards the weekend..

Greetz,
Louis

> -----Original message-----
> From: samba [mailto:samba-bounces@lists.samba.org] On behalf of Christian Naumer via samba
> Sent: Friday 30 August 2019 12:53
> To: samba@lists.samba.org
> Subject: Re: [Samba] Samba 4.10.7 + freeradius 3.0.17 +ntlm_auth - Debian buster
>
> We have this running, but on a DC (Samba 4.10.7).
>
> We have this line in /etc/raddb/mods-enabled/mschap. Only this line!
> DOMAIN is the actual NetBIOS name of the domain.
>
> ntlm_auth = "/usr/bin/ntlm_auth --allow-mschapv2 --request-nt-key --username=%{mschap:User-Name:-None} --domain=DOMAIN --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
>
> Do your users log in with DOMAIN\user or just user? Ours do both.
>
> Freeradius version on our side is 3.0.13.
>
> Regards
>
> On 30.08.19 at 12:11, L.P.H. van Belle via samba wrote:
L.P.H. van Belle
2019-Aug-30 11:25 UTC
[Samba] Samba 4.10.7 + freeradius 3.0.17 +ntlm_auth - Debian buster
Hee Rowland.. Tss.. Ow yes, I did read all the wikis.. And of course the Samba one was the first I read.
I started here: https://wiki.samba.org/index.php/VPN_Single_SignOn_with_Samba_AD
Then the other Samba freeradius one (the one you showed), then.. Debian's, Ubuntu's and more howtos..
Then I got lost in the maze of incorrect wikis/howtos..

I've updated the Samba wiki.
Was: "On the Samba 4.6.2 Freeradius server:"
New: "On the Samba 4.6.2 Freeradius server and on all the Samba AD-DC's:"
And now clear to everyone. ;-)

> -----Original message-----
> From: samba [mailto:samba-bounces@lists.samba.org] On behalf of Rowland penny via samba
> Sent: Friday 30 August 2019 13:09
>
> Sheesh, it is a bit much when even Samba team members do not read the Samba wiki ;-)
>
> https://wiki.samba.org/index.php/Authenticating_Freeradius_against_Active_Directory
>
> Of course, this does raise the problem of what freeradius is going to do when SMBv1 entirely disappears?

Well, that's why I'm now going to configure kerberos auth and ldap.
I want the same fallback order as in my squid proxy, which will result in: kerberos -> ntlm -> ldap ;-)

Greetz,
Louis
Christian Naumer
2019-Aug-30 11:32 UTC
[Samba] Samba 4.10.7 + freeradius 3.0.17 +ntlm_auth - Debian buster
On 30.08.19 at 13:09, L.P.H. van Belle via samba wrote:
> Now Christian, this fails for me:
> radtest -t mschap 'NTDOM\username' 'passwd' localhost 0 testing
> ( MS-CHAP-Error = "\000E=691 R=1 C=58f41f1a946ac94a V=2")
>
> So my question here is, are the username@REALM logins also working for you?
> And are you using in smb.conf : winbind use default domain = yes

username@REALM does not work. However we do not use this.
And as it runs on the DC, "winbind use default domain = yes" is the default.

> But guys, so far, I'm going very happy towards the weekend..
>
> Greetz,
>
> Louis
L.P.H. van Belle
2019-Aug-30 11:56 UTC
[Samba] Samba 4.10.7 + freeradius 3.0.17 +ntlm_auth - Debian buster
Ok, so a summary of the working info you guys gave me.

If running freeradius on an AD-DC:
where "winbind use default domain = yes" is not working on an AD-DC, it's always no.
See the output of wbinfo -u.
You can log in with: username or NTDOM\username.
test : radtest -t mschap 'NTDOM\username' 'password' localhost 0 testing123
test : radtest -t mschap 'username' 'password' localhost 0 testing123

If running freeradius on an AD-Member:
where "winbind use default domain = yes" is working.
See the output of wbinfo -u.
You can log in with: username or username@REALM
test : radtest -t mschap 'username' 'password' localhost 0 testing123
test : radtest -t mschap 'username@REALM' 'password' localhost 0 testing123

Do note on the REALM.
I notice this, and maybe a few here can verify it.
If the realm is set as:
[libdefaults]
default_realm = internal.domain.tld
trying to log in with username@INTERNAL.DOMAIN.TLD does not work.
You must match CAPS/non-caps in the REALM.

And: ntlm auth = mschapv2-and-ntlmv2-only must be set on all servers where it's needed.
The member and ALL the AD-DC's.
Respect this and then "it just works" :-)

So far,

Greetz,
Louis
> -----Original message-----
> From: samba [mailto:samba-bounces@lists.samba.org] On behalf of Christian Naumer via samba
> Sent: Friday 30 August 2019 13:32
> To: samba@lists.samba.org
> Subject: Re: [Samba] Samba 4.10.7 + freeradius 3.0.17 +ntlm_auth - Debian buster
>
> On 30.08.19 at 13:09, L.P.H. van Belle via samba wrote:
>
> > Now Christian, this fails for me:
> > radtest -t mschap 'NTDOM\username' 'passwd' localhost 0 testing
> > ( MS-CHAP-Error = "\000E=691 R=1 C=58f41f1a946ac94a V=2")
> >
> > So my question here is, are the username@REALM logins also working for you?
> > And are you using in smb.conf : winbind use default domain = yes
>
> username@REALM does not work. However we do not use this.
> And as it runs on the DC, "winbind use default domain = yes" is the default.
>
>
>
>
>
> >
> > But guys, sofar, im going very happy towards the weekend..
> >
> >
> > Greetz,
> >
> > Louis
> >
> >
> >> -----Oorspronkelijk bericht-----
> >> Van: samba [mailto:samba-bounces at lists.samba.org] Namens
> >> Christian Naumer via samba
> >> Verzonden: vrijdag 30 augustus 2019 12:53
> >> Aan: samba at lists.samba.org
> >> Onderwerp: Re: [Samba] Samba 4.10.7 + freeradius 3.0.17
> >> +ntlm_auth - Debian buster
> >>
> >> We have this running but on a DC (Samba 4.10.7).
> >>
> >> we have this line in /etc/raddb/mods-enabled/mschap. Only
> this line!
> >> DOMAIN is the actual netbio name of the domain.
> >>
> >>
> >> ntlm_auth = "/usr/bin/ntlm_auth --allow-mschapv2
--request-nt-key
> >> --username=%{mschap:User-Name:-None} --domain=DOMAIN
> >> --challenge=%{mschap:Challenge:-00}
> >> --nt-response=%{mschap:NT-Response:-00}"
> >>
> >>
> >> Do you users login in with DOMAIN\user or just user? Ours do both.
> >>
> >> Freeradius version on our side is 3.0.13.
> >>
> >> Regards
> >>
> >>
> >>
> >> Am 30.08.19 um 12:11 schrieb L.P.H. van Belle via samba:
> >>> Hai,
> >>>
> >>> It does not happen often but yes, i also need some help as
> >> i cant know everything also and im new with freeradius.
> >>>
> >>> Im working on a configuration for samba member + freeradius
> >> with ntlm_auth.
> >>> Why ntlm_auth, because the next one is kerberos and ldap
> >> auth to configure..
> >>> I want to have some fallback options here and you have to
> >> start somewhere.
> >>>
> >>> This is running on my new proxy/gateway server, which also
> >> uses ntlm_auth and that works fine.
> >>>
> >>> Now, basicly this looks simple and should be but im missing
> >> something.
> >>> so what im i doing, im following http://deployingradius.com/
> >>> Followed these steps, that works out fine.
> >>> Then we goto :
> >> http://deployingradius.com/documents/configuration/active_dire
> >> ctory.html
> >>>
> >>> for smb.conf i use the config i always us, pretty basic + i
> >> added (ass noted on the site) :
> >>> ntlm auth = mschapv2-and-ntlmv2-only
> >>>
> >>> And offcourse i joined this server to the domain.
> >>>
> >>> Now im at : Configuring FreeRADIUS to use ntlm_auth for
MS-CHAP
> >>> And i just can not get this to work.
> >>>
> >>> What i notice.
> >>>
> >>> (0) Found Auth-Type = mschap
> >>> (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> >>> (0) authenticate {
> >>> (0) mschap: Client is using MS-CHAPv1 with NT-Password
> >>> (0) mschap: Executing: /usr/bin/ntlm_auth --allow-mschapv2 --request-nt-key
> >>> --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
> >>> --domain=NTDOM --challenge=%{%{mschap:Challenge}:-00}
> >>> --nt-response=%{%{mschap:NT-Response}:-00}:
> >>> (0) mschap: EXPAND --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
> >>> (0) mschap: --> --username=obell
> >>> (0) mschap: mschap1: d4
> >>> (0) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00}
> >>> (0) mschap: --> --challenge=changedChallenge
> >>> (0) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00}
> >>> (0) mschap: --> --nt-response=ChangedResponce
> >>> (0) mschap: ERROR: Program returned code (1) and output 'The attempted logon
> >>> is invalid. This is either due to a bad username or authentication
> >>> information. (0xc000006d)'
> >>> (0) mschap: External script failed
> >>> (0) mschap: ERROR: External script says: The attempted logon is invalid.
> >>> This is either due to a bad username or authentication information. (0xc000006d)
> >>> (0) mschap: ERROR: MS-CHAP2-Response is incorrect
> >>> (0) [mschap] = reject
> >>>
> >>> What is not clear to me here is:
> >>>
> >>> I test: radtest -t mschap myusername 'MyPass!' localhost 0 testing123-1
> >>>
> >>> Response:
> >>> (1) mschap: Client is using MS-CHAPv1 with NT-Password
> >>> Then I'm thinking, why chap-v1?
> >>>
> >>> I'm thinking I'm sending with: --allow-mschapv2 << mschap V2
> >>>
> >>> ntlm_auth = "/usr/bin/ntlm_auth --allow-mschapv2 --request-nt-key \
> >>> --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} \
> >>> --domain=NTDOM --challenge=%{%{mschap:Challenge}:-00} \
> >>> --nt-response=%{%{mschap:NT-Response}:-00}"
> >>>
> >>> In the end all tests result in:
> >>>
> >>> (4) MS-CHAP-Error = "\000E=691 R=1 C=877c690dc4020be0 V=2"
> >>>
> >>> Testing with:
> >>> ntlm_auth --allow-mschapv2 --username=myusername --challenge=0x.... --nt-response=0xx...
> >>> Returns: The attempted logon is invalid. This is either due to a bad
> >>> username or authentication information. (0xc000006d)
> >>>
> >>> So if someone has an idea what's going on/where to look?
> >>> It's most probably something simple that I'm not seeing..
> >>>
> >>> I did add the freerad user to the winbindd_priv group also.
> >>> I also tried this setup:
> >>>
> >>> https://wiki.freeradius.org/guide/Active-Directory-direct-via-winbind
> >>> Which looks like a better way to do it, but same results.
> >>>
> >>>
> >>> I'm very grateful if anyone could help me out here or has ideas on
> >>> the best way to debug this.
> >>> Or if someone has a samba 4.9+ working with freeradius and
> >>> if you could share your config, I can better look at what's off.
> >>>
> >>> Thanks!
> >>>
> >>>
> >>> Greetz,
> >>>
> >>> Louis
> >>>
> >>>
> >>>
> >>
> >> --
> >> Dr. Christian Naumer
> >> Unit Head Bioprocess Development
> >> B.R.A.I.N Aktiengesellschaft
> >> Darmstaedter Str. 34-36, D-64673 Zwingenberg
> >> e-mail cn at brain-biotech.com, homepage www.brain-biotech.com
> >> fon +49-6251-9331-30 / fax +49-6251-9331-11
> >>
> >> Sitz der Gesellschaft: Zwingenberg/Bergstrasse
> >> Registergericht AG Darmstadt, HRB 24758
> >> Vorstand: Dr. Juergen Eck (Vorsitzender), Manfred Bender,
> >> Ludger Roedder
> >> Aufsichtsratsvorsitzender: Dr. Georg Kellinghusen
> >>
> >> --
> >> To unsubscribe from this list go to the following URL and read the
> >> instructions: https://lists.samba.org/mailman/options/samba
> >>
> >>
> >
> >
>
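Added example, not code from the thread, FreeRADIUS or Samba: a small triage helper that reads the `radiusd -X` mschap lines an admin pastes into a mail like the one above and summarises which MS-CHAP version the client used, what ntlm_auth was actually invoked with, and the NTSTATUS code it returned. The sample debug output is constructed from the lines quoted in the thread (challenge and response redacted as they were there); the NTSTATUS table holds standard Windows values.

```python
"""Triage helper for FreeRADIUS rlm_mschap + ntlm_auth "radiusd -X" output.
Added example, not code from the thread, FreeRADIUS or Samba."""
import re

# Standard Windows NTSTATUS codes that ntlm_auth passes through in its message.
NTSTATUS_NAMES = {
    0xC000006D: "STATUS_LOGON_FAILURE",   # the code quoted in the thread
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}
CLIENT_RE = re.compile(r"mschap: Client is using (MS-CHAPv[12])")
EXPAND_RE = re.compile(r"mschap: --> (--[a-z-]+)=(\S*)")  # expanded ntlm_auth arguments
STATUS_RE = re.compile(r"\(0x([0-9a-fA-F]{8})\)")
RESULT_RE = re.compile(r"\[mschap\] = (\w+)")

# Constructed sample: the lines quoted in the thread, challenge/response redacted.
SAMPLE = """\
(0) mschap: Client is using MS-CHAPv1 with NT-Password
(0) mschap: --> --username=obell
(0) mschap: --> --challenge=changedChallenge
(0) mschap: --> --nt-response=ChangedResponce
(0) mschap: ERROR: Program returned code (1) and output 'The attempted logon
is invalid. This is either due to a bad username or authentication information. (0xc000006d)'
(0) mschap: ERROR: MS-CHAP2-Response is incorrect
(0) [mschap] = reject
"""

def triage(debug_output: str) -> dict:
    """Summarise MS-CHAP version, expanded ntlm_auth args, NTSTATUS, result and hints."""
    s = {"version": None, "args": {}, "ntstatus": None, "result": None, "notes": []}
    for line in debug_output.splitlines():
        if m := CLIENT_RE.search(line):
            s["version"] = m.group(1)
        if m := EXPAND_RE.search(line):
            s["args"][m.group(1)] = m.group(2)
        if (m := STATUS_RE.search(line)) and s["ntstatus"] is None:
            s["ntstatus"] = int(m.group(1), 16)   # first NTSTATUS wins; later lines repeat it
        if m := RESULT_RE.search(line):
            s["result"] = m.group(1)
    if s["version"] == "MS-CHAPv1":
        s["notes"].append("client used MS-CHAPv1 (as the thread's radtest -t mschap run did), "
                          "so MS-CHAPv2 via ntlm_auth was not exercised; test with a v2 client")
    if "\\" in s["args"].get("--username", ""):
        s["notes"].append("--username still carries DOMAIN\\; %{mschap:User-Name} strips it")
    if s["ntstatus"] in NTSTATUS_NAMES:
        s["notes"].append(NTSTATUS_NAMES[s["ntstatus"]] + ": winbind rejected the credentials; "
                          "rerun the expanded ntlm_auth command by hand as the freerad user")
    return s
```

Running `triage(SAMPLE)` on the constructed sample reports MS-CHAPv1, the bare username `obell`, STATUS_LOGON_FAILURE and the `reject` result, which matches the thread's symptom of a v1 test never reaching the v2 path.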