On Tue, 2023-04-04 at 09:37 +0200, Kees van Vloten wrote:
> On 04-04-2023 at 00:32, Andrew Bartlett wrote:
>
> >
> > On Mon, 2023-04-03 at 15:08 +0000, Tim ODriscoll via samba wrote:
> >
> > > Unfortunately it's still erroring out:
> > > (7) mschap: Creating challenge hash with username: host/SL-6S4BBS3.MYDOMAIN.co.uk
> > > (7) mschap: Client is using MS-CHAPv2
> >
> > Is this set as a UPN (with the realm appended) on the user?
> >
> In my environment (where samba + freeradius + wifi connect with
> machine account works), there is no UPN set on the machine account,
> just a set of SPNs:
> servicePrincipalName: HOST/myhost.example.com
> servicePrincipalName: RestrictedKrbHost/myhost.example.com
> servicePrincipalName: HOST/MYHOST
> servicePrincipalName: RestrictedKrbHost/BARTOK
> servicePrincipalName: WSMAN/myhost.example.com
> servicePrincipalName: WSMAN/myhost
> servicePrincipalName: TERMSRV/myhost.example.com
> servicePrincipalName: TERMSRV/MYHOST
> One of which does match with the username in Tim's output, btw. I
> have seen exactly the same username format while I was setting this
> up around a month ago.
> - Kees.
So NTLM (and Kerberos client) authentication is not possible with an
SPN, but many folks work around it by selecting one of these and having
that in the UPN, e.g.
userPrincipalName: HOST/myhost.example.com@example.com
This is about the (unusual) username pattern Tim is using; you may be
logging in with myhost$, which would work normally.
Andrew Bartlett
--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Developer, Catalyst IT https://catalyst.net.nz/services/samba
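An added example, not from the thread and not Samba or FreeRADIUS code: it models the rule the thread turns on (an NTLM/MS-CHAPv2 login name must be the account's sAMAccountName or userPrincipalName; a servicePrincipalName on its own is not a login name) so a username taken from an rlm_mschap log line can be checked against the machine account before anything in the directory is changed, and it emits the LDIF for the UPN workaround Andrew describes. The account record, DN and realm are constructed sample data, and the matching is a simplified model of the DC's name resolution, not the actual Samba code path.

```python
"""Model the login-name rules discussed in the thread and build the UPN workaround.

Added example; the Account below is constructed sample data, and the matching
logic is a simplified approximation of how a Samba AD DC resolves an NTLM name,
not Samba's own implementation.
"""
from dataclasses import dataclass, field, replace
from typing import List, Optional


@dataclass
class Account:
    dn: str                                  # constructed sample DN
    sam_account_name: str                    # machine accounts end in "$"
    realm: str                               # Kerberos realm, also the UPN suffix
    user_principal_name: Optional[str] = None
    service_principal_names: List[str] = field(default_factory=list)


def _norm(name: str) -> str:
    return name.strip().casefold()


def _strip_realm(name: str, realm: str) -> str:
    """Drop a trailing @REALM only when it is this account's own realm."""
    local, sep, suffix = name.rpartition("@")
    return local if sep and suffix == _norm(realm) else name


def classify_login_name(username: str, account: Account) -> str:
    """Report which attribute, if any, the DC can resolve `username` against.

    Only sAMAccountName and userPrincipalName are login names for NTLM.
    A name that merely equals one of the SPNs is the failure seen in the thread.
    """
    full = _norm(username)
    bare = _strip_realm(full, account.realm)
    if bare == _norm(account.sam_account_name):
        return "sAMAccountName"
    upn = account.user_principal_name
    if upn and (full == _norm(upn) or bare == _strip_realm(_norm(upn), account.realm)):
        return "userPrincipalName"
    if any(bare == _norm(spn) for spn in account.service_principal_names):
        return "servicePrincipalName-only"
    return "unknown"


def with_upn(account: Account, upn: str) -> Account:
    """Copy of the account as it would look after the UPN workaround is applied."""
    return replace(account, user_principal_name=upn)


def upn_workaround_ldif(account: Account, spn: str) -> str:
    """LDIF that sets userPrincipalName to an existing SPN plus the realm.

    Refuses an SPN the account does not actually carry, so the UPN always
    mirrors a name the machine really presents.
    """
    if _norm(spn) not in {_norm(s) for s in account.service_principal_names}:
        raise ValueError(f"{spn} is not an SPN of {account.sam_account_name}")
    upn = f"{spn}@{account.realm.lower()}"
    return (
        f"dn: {account.dn}\n"
        "changetype: modify\n"
        "replace: userPrincipalName\n"
        f"userPrincipalName: {upn}\n"
    )


# Constructed sample: a machine account shaped like the one in the thread,
# before the workaround (SPNs only, no UPN).
SAMPLE = Account(
    dn="CN=MYHOST,CN=Computers,DC=example,DC=com",
    sam_account_name="MYHOST$",
    realm="EXAMPLE.COM",
    service_principal_names=[
        "HOST/myhost.example.com",
        "RestrictedKrbHost/myhost.example.com",
        "HOST/MYHOST",
    ],
)

if __name__ == "__main__":
    # The username shape from the rlm_mschap output, applied to the sample account.
    print(classify_login_name("host/myhost.example.com", SAMPLE))
    print(classify_login_name("MYHOST$", SAMPLE))
    print(upn_workaround_ldif(SAMPLE, "HOST/myhost.example.com"))
```

Feed the LDIF to `ldbmodify` (or `ldapmodify`) against the DC after checking that `classify_login_name` reports `servicePrincipalName-only` for the name in the log; once the UPN is set, the same name should classify as `userPrincipalName`.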