On Mon, 2023-04-03 at 15:08 +0000, Tim ODriscoll via samba wrote:
> > Unfortunately it's still erroring out:
> > (7) mschap: Creating challenge hash with username: host/SL-6S4BBS3.MYDOMAIN.co.uk
> > (7) mschap: Client is using MS-CHAPv2
>
> Is this set as a UPN (with the realm appended) on the user?

I don't see any UPNs in my AD record, only SPNs - unless I misunderstand you?

I've run the 'radtest' client with '-t mschap' and without as parameters. Without '-t mschap' works, but with it fails.

I've narrowed down the authenticating DC, turned up logging and found this:

[2023/04/04 08:36:31.653500, 3] ../../source4/auth/ntlm/auth.c:207(auth_check_password_send)
auth_check_password_send: Checking password for unmapped user [lambrook]\[tim.odriscoll]@[\\FILESB01]
auth_check_password_send: user is: [lambrook]\[tim.odriscoll]@[\\FILESB01]
[2023/04/04 08:36:31.653534, 5] ../../source4/auth/ntlm/auth.c:70(auth_get_challenge)
auth_get_challenge: returning previous challenge by module netr_LogonSamLogonWithFlags (normal)
[2023/04/04 08:36:31.662327, 2] ../../libcli/auth/ntlm_check.c:473(ntlm_password_check)
ntlm_password_check: NTLMv1 passwords NOT PERMITTED for user tim.odriscoll
[2023/04/04 08:36:31.662372, 3] ../../libcli/auth/ntlm_check.c:480(ntlm_password_check)
ntlm_password_check: NEITHER LanMan nor NT password supplied for user tim.odriscoll
[2023/04/04 08:36:31.665652, 5] ../../source4/dsdb/common/util.c:5638(dsdb_update_bad_pwd_count)

I've got this in all my DCs' /etc/samba/smb.conf files:

ntlm auth = mschapv2-and-ntlmv2-only

So, am I correct in thinking that the ntlm_auth client is not using NTLMv2?

FreeRADIUS reports this on the error:

(21) Found Auth-Type = mschap
(21) # Executing group from file /etc/raddb/sites-enabled/default
(21)   authenticate {
(21) mschap: Client is using MS-CHAPv1 with NT-Password
(21) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --username=%{%{mschap:User-Name}:-00} --allow-mschapv2 --domain=lambrook --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}:
(21) mschap: EXPAND --username=%{%{mschap:User-Name}:-00}
(21) mschap:    --> --username=tim.odriscoll
(21) mschap: mschap1: 39
(21) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00}
(21) mschap:    --> --challenge=3985fc5b9031d694
(21) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00}
(21) mschap:    --> --nt-response=32f3fe95ffa414578c60e77fca9f28af183055a5f46f262d
(21) mschap: ERROR: Program returned code (1) and output 'The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)'
(21) mschap: External script failed
(21) mschap: ERROR: External script says: The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)
(21) mschap: ERROR: MS-CHAP2-Response is incorrect

My radtest experiment:

# radtest tim.odriscoll MYPASS localhost 10 testing123
Sent Access-Request Id 138 from 0.0.0.0:41829 to 127.0.0.1:1812 length 99
    User-Name = "tim.odriscoll"
    User-Password = "MYPASS"
    NAS-IP-Address = 192.168.15.22
    NAS-Port = 10
    Message-Authenticator = 0x00
    Cleartext-Password = "MYPASS"
Received Access-Accept Id 138 from 127.0.0.1:1812 to 127.0.0.1:41829 length 36
    Tunnel-Type:0 = VLAN
    Tunnel-Medium-Type:0 = IEEE-802
    Tunnel-Private-Group-Id:0 = "30"

# radtest -t mschap tim.odriscoll MYPASS localhost 10 testing123
Sent Access-Request Id 108 from 0.0.0.0:33568 to 127.0.0.1:1812 length 139
    User-Name = "tim.odriscoll"
    MS-CHAP-Password = "MYPASS"
    NAS-IP-Address = 192.168.15.22
    NAS-Port = 10
    Message-Authenticator = 0x00
    Cleartext-Password = "MYPASS"
    MS-CHAP-Challenge = 0x84b5ae5ac964eb2c
    MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000da7a0095a13df2402e71c6c167eef1f1ae48514b721fa091
Received Access-Reject Id 108 from 127.0.0.1:1812 to 127.0.0.1:33568 length 61
    MS-CHAP-Error = "\000E=691 R=1 C=3e440e2c7065d8fb V=2"
(0) -: Expected Access-Accept got Access-Reject

Thank you for your assistance - I'm totally out of my depth here!

Tim
On Tue, 2023-04-04 at 07:55 +0000, Tim ODriscoll wrote:
> On Mon, 2023-04-03 at 15:08 +0000, Tim ODriscoll via samba wrote:
> > Unfortunately it's still erroring out:
> > (7) mschap: Creating challenge hash with username: host/SL-6S4BBS3.MYDOMAIN.co.uk
> > (7) mschap: Client is using MS-CHAPv2
>
> > Is this set as a UPN (with the realm appended) on the user?
>
> I don't see any UPNs in my AD record, only SPNs - unless I misunderstand you?
>
> I've run the 'radtest' client with '-t mschap' and without as parameters. Without '-t mschap' works, but with it fails.
>
> I've narrowed down the authenticating DC, turned up logging and found this:
>
> [2023/04/04 08:36:31.653500, 3] ../../source4/auth/ntlm/auth.c:207(auth_check_password_send)
> auth_check_password_send: Checking password for unmapped user [lambrook]\[tim.odriscoll]@[\\FILESB01]
> auth_check_password_send: user is: [lambrook]\[tim.odriscoll]@[\\FILESB01]
> [2023/04/04 08:36:31.653534, 5] ../../source4/auth/ntlm/auth.c:70(auth_get_challenge)
> auth_get_challenge: returning previous challenge by module netr_LogonSamLogonWithFlags (normal)
> [2023/04/04 08:36:31.662327, 2] ../../libcli/auth/ntlm_check.c:473(ntlm_password_check)
> ntlm_password_check: NTLMv1 passwords NOT PERMITTED for user tim.odriscoll

You said earlier that you have set

ntlm auth = mschapv2-and-ntlmv2-only

This means to reject NTLMv1, which MSCHAPv2 is cryptographically, unless the client makes special pleading that it used MSCHAPv2 with its client.

This is related to the missing ntlm_auth option --allow-mschapv2

-- 
Andrew Bartlett (he/him)                       https://samba.org/~abartlet/
Samba Team Member (since 2001)                 https://samba.org
Samba Team Lead, Catalyst IT                   https://catalyst.net.nz/services/samba

Samba Development and Support, Catalyst.Net Limited
Catalyst.Net Ltd - a Catalyst IT group company - Expert Open Source Solutions
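As an added illustration of the point above (example code written for this thread, not code from Samba or FreeRADIUS), the following Python reconstructs what rlm_mschap hands to ntlm_auth for an MS-CHAPv1 request versus an MS-CHAPv2 one, using the attribute layouts from RFC 2548 and the challenge-hash step from RFC 2759; the function names and the sample attribute values are my own constructions.

```python
import hashlib

def parse_mschap_response(attr_name, attr_hex):
    """Split the 50-byte MS-CHAP-Response / MS-CHAP2-Response attribute (RFC 2548)."""
    raw = bytes.fromhex(attr_hex[2:] if attr_hex.startswith("0x") else attr_hex)
    if len(raw) != 50:
        raise ValueError("MS-CHAP response attributes are 50 bytes")
    ident, flags = raw[0], raw[1]
    if attr_name == "MS-CHAP-Response":  # MS-CHAPv1: flags=1 means the NT-Response is used
        return {"version": 1, "ident": ident, "use_nt": flags == 1,
                "lm_response": raw[2:26], "nt_response": raw[26:50]}
    if attr_name == "MS-CHAP2-Response":  # MS-CHAPv2: 16-byte peer challenge, 8 reserved bytes
        return {"version": 2, "ident": ident, "use_nt": True,
                "peer_challenge": raw[2:18], "nt_response": raw[26:50]}
    raise ValueError("unknown attribute " + attr_name)

def mschapv2_challenge_hash(peer_challenge, auth_challenge, username):
    """RFC 2759 s8.2: the 8-byte challenge the MS-CHAPv2 NT-Response is computed over.
    'username' is the bare name the client sent, which is why the name shown in
    '(7) mschap: Creating challenge hash with username: ...' has to match the account."""
    if len(peer_challenge) != 16 or len(auth_challenge) != 16:
        raise ValueError("MS-CHAPv2 challenges are 16 bytes")
    return hashlib.sha1(peer_challenge + auth_challenge + username.encode()).digest()[:8]

def ntlm_auth_args(attr_name, attr_hex, auth_challenge_hex, username):
    """Values rlm_mschap passes as --challenge / --nt-response. For both versions the DC
    ends up checking an 8-byte challenge against a 24-byte DES-based response, i.e. the
    NTLMv1 shape that 'ntlm auth = mschapv2-and-ntlmv2-only' rejects unless ntlm_auth
    signals the request as MS-CHAPv2 (--allow-mschapv2), a flag that only makes sense
    for a genuine MS-CHAPv2 exchange."""
    resp = parse_mschap_response(attr_name, attr_hex)
    auth_challenge = bytes.fromhex(auth_challenge_hex)
    if resp["version"] == 1:
        challenge = auth_challenge  # the 8-byte MS-CHAP-Challenge is used directly
    else:
        challenge = mschapv2_challenge_hash(resp["peer_challenge"], auth_challenge, username)
    return {"username": username, "challenge": challenge.hex(),
            "nt_response": resp["nt_response"].hex(),
            "allow_mschapv2_applies": resp["version"] == 2}

if __name__ == "__main__":
    # Constructed sample attributes (not the values from the thread's radtest capture).
    v1 = "0001" + "00" * 24 + "ab" * 24             # radtest -t mschap style (MS-CHAPv1)
    v2 = "0200" + "11" * 16 + "00" * 8 + "cd" * 24  # MS-CHAPv2 as sent by an EAP-MSCHAPv2 peer
    print(ntlm_auth_args("MS-CHAP-Response", v1, "84b5ae5ac964eb2c", "tim.odriscoll"))
    print(ntlm_auth_args("MS-CHAP2-Response", v2, "22" * 16, "tim.odriscoll"))
```

Comparing the two printed dictionaries shows that the DC receives the same 8-byte-challenge / 24-byte-response shape in both cases; only the --allow-mschapv2 signal distinguishes a v2 request from plain NTLMv1.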