On Tue, 2023-04-04 at 07:55 +0000, Tim ODriscoll wrote:
> On Mon, 2023-04-03 at 15:08 +0000, Tim ODriscoll via samba wrote:
> > Unfortunately it's still erroring out:
> > (7) mschap: Creating challenge hash with username: host/SL-6S4BBS3.MYDOMAIN.co.uk
> > (7) mschap: Client is using MS-CHAPv2
>
> > Is this set as a UPN (with the realm appended) on the user?
>
> I don't see any UPNs in my AD record, only SPNs - unless I misunderstand you?
>
> I've run the 'radtest' client with '-t mschap' and without as parameters. Without '-t mschap' works, but with it fails.
>
> I've narrowed down the authenticating DC, turned up logging and found this:
>
> [2023/04/04 08:36:31.653500, 3] ../../source4/auth/ntlm/auth.c:207(auth_check_password_send)
> auth_check_password_send: Checking password for unmapped user [lambrook]\[tim.odriscoll]@[\\FILESB01]
> auth_check_password_send: user is: [lambrook]\[tim.odriscoll]@[\\FILESB01]
>
> [2023/04/04 08:36:31.653534, 5] ../../source4/auth/ntlm/auth.c:70(auth_get_challenge)
> auth_get_challenge: returning previous challenge by module netr_LogonSamLogonWithFlags (normal)
>
> [2023/04/04 08:36:31.662327, 2] ../../libcli/auth/ntlm_check.c:473(ntlm_password_check)
> ntlm_password_check: NTLMv1 passwords NOT PERMITTED for user tim.odriscoll
You said earlier that you have set ntlm auth = mschapv2-and-ntlmv2-only.
This means to reject NTLMv1, which MSCHAPv2 is cryptographically,
unless the client makes special pleading that it used MSCHAPv2 with
its client.

This is related to the missing ntlm_auth option --allow-mschapv2.
--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT https://catalyst.net.nz/services/samba
Samba Development and Support, Catalyst.Net Limited
Catalyst.Net Ltd - a Catalyst IT group company - Expert Open Source Solutions
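As an added illustration of the fix Andrew points at (not from this thread or from the Samba/FreeRADIUS projects), the FreeRADIUS mschap module fragment below shows the ntlm_auth call without and with --allow-mschapv2, next to the DC setting Tim mentioned. It assumes the RADIUS server is a Samba domain member running winbind and that /usr/bin/ntlm_auth is the binary path; both are assumptions to adjust for your install.

```conf
# DC side (smb.conf on the Samba AD DC): refuse NTLMv1 from plain NTLM clients,
# but still accept an MSCHAPv2 response when ntlm_auth declares it as such.
# [global]
# ntlm auth = mschapv2-and-ntlmv2-only

# RADIUS side: FreeRADIUS mods-available/mschap on the Samba domain member.
# The path to ntlm_auth is an assumption; adjust it for your install.
mschap {
    # BEFORE: without --allow-mschapv2 the DC sees an ordinary NTLMv1 response
    # and logs "ntlm_password_check: NTLMv1 passwords NOT PERMITTED for user ...".
    #ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"

    # AFTER: --allow-mschapv2 marks the response as coming from an MSCHAPv2
    # exchange, which "mschapv2-and-ntlmv2-only" on the DC permits while
    # NTLMv1 from SMB/NTLMSSP clients stays rejected.
    ntlm_auth = "/usr/bin/ntlm_auth --allow-mschapv2 --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --domain=%{mschap:NT-Domain} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
}
```

After restarting FreeRADIUS, the DC log line from the thread should no longer appear for `radtest -t mschap` logins, while direct NTLMv1 attempts are still refused.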