Chaps,

I'm trying to get a radius server to authenticate to AD via the samba ntlm_auth program. I've just built samba vsn 3.0.21c with the following config parameters

./configure --with-pam --enable-socket-wrapper --with-ldapsam --with-syslog --with-ldap --with-winbind

My smb.conf has

[global]
workgroup = ADIR
security = domain
password server = 150.237.54.198
realm = ADIR.HULL.AC.UK
preferred master = no
server string = Hull Comms support server
security = ADS
use spnego = yes
encrypt passwords = yes
log level = 3
log file = /var/log/samba/%m
max log size = 50
winbind separator = +
bind interfaces only = yes
interfaces = 150.237.47.22 127.0.0.1
idmap gid = 10000-20000
idmap uid = 10000-20000
client NTLMv2 auth = yes

Running

/usr/local/bin/samba/ntlm_auth --userid=fred --password=something --domain=ADIR.HULL.AC.UK

works just fine (see log from radius server) BUT when the radius server invokes ntlm_auth I always get a wrong password error.

Thu Mar 9 16:04:27 2006: INFO: Starting NtlmAuthProg: /usr/local/samba/bin/ntlm_auth --helper-protocol=ntlm-server-1
Thu Mar 9 16:04:27 2006: DEBUG: Passing attribute Request-User-Session-Key: Yes
Thu Mar 9 16:04:27 2006: DEBUG: Passing attribute Request-LanMan-Session-Key: Yes
Thu Mar 9 16:04:27 2006: DEBUG: Passing attribute LANMAN-Challenge: d5fa33d1b1953e0a
Thu Mar 9 16:04:27 2006: DEBUG: Passing attribute NT-Response: 9f135b59e47cdfa0c51535d78b57587e3ebfcc6e6a64ae90
Thu Mar 9 16:04:27 2006: DEBUG: Passing attribute NT-Domain:: QURJUi5IVUxMLkFDLlVL
Thu Mar 9 16:04:27 2006: DEBUG: Passing attribute Username:: Y2NzYXM
Thu Mar 9 16:04:27 2006: DEBUG: Received attribute: Authenticated: No
Thu Mar 9 16:04:27 2006: DEBUG: Received attribute: Authentication-Error: Wrong Password
Thu Mar 9 16:04:27 2006: DEBUG: Received attribute: .
Thu Mar 9 16:04:27 2006: WARNING: NTLM Could not authenticate user: Wrong Password
Thu Mar 9 16:04:27 2006: DEBUG: Radius::AuthNTLM REJECT: AuthBy NTLM Password check failed: ccsas [ccsas]
Thu Mar 9 16:04:27 2006: DEBUG: AuthBy NTLM result: REJECT, AuthBy NTLM Password check failed
Thu Mar 9 16:04:27 2006: DEBUG: calling_station_hook:Access-Request called
Thu Mar 9 16:04:27 2006: DEBUG: calling_station_hook:exited
Thu Mar 9 16:04:27 2006: INFO: Access rejected for ccsas: AuthBy NTLM Password check failed
Thu Mar 9 16:04:27 2006: DEBUG: Converted EAP-MSCHAPV2 response Packet dump:

If we turn down the AD auth to use ntlm then authentication works o.k.

Running the following script

#!/bin/sh
/usr/local/samba/bin/ntlm_auth --helper-protocol=ntlm-server-1 <<EOF
Request-User-Session-Key: yes
Request-LanMan-Session-Key: yes
LANMAN-Challenge: d5fa33d1b1953e0a
NT-Response: 9f135b59e47cdfa0c51535d78b57587e3ebfcc6e6a64ae90
NT-Domain:: QURJUi5IVUxMLkFDLlVL
Username:: Y2NzYXM
.
EOF

also fails and gives the same wrong password message.

Looking in the /var/log/samba/winbindd log file I see

[2006/03/09 16:28:55, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(454)
[ 0]: request interface version
[2006/03/09 16:28:55, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(487)
[ 0]: request location of privileged pipe
[2006/03/09 16:28:55, 3] nsswitch/winbindd_pam.c:winbindd_pam_auth_crap(519)
[ 0]: pam auth crap domain: [ADIR.HULL.AC.UK] user: ccsas
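An added example, not from the thread, in Python: it frames an ntlm-server-1 request the way the script above does (the double-colon keys carry base64) and parses the helper's "Key: value ... ." reply, using the challenge and NT-Response values from the post as a test vector. The helper path and the check_with_helper wrapper are assumptions.

```python
import base64
import subprocess

# Test vector taken from the Radiator log in the post above.
LANMAN_CHALLENGE = "d5fa33d1b1953e0a"
NT_RESPONSE = "9f135b59e47cdfa0c51535d78b57587e3ebfcc6e6a64ae90"


def b64(text):
    """ntlm_auth treats 'Key:: value' (double colon) as base64-encoded."""
    return base64.b64encode(text.encode()).decode()


def build_request(username, domain, lm_challenge_hex, nt_response_hex):
    """Build the ntlm-server-1 request lines for one MS-CHAPv2 password check."""
    # MS-CHAPv2 yields an 8-byte challenge and a 24-byte (NTLMv1-shaped)
    # NT response; anything else is a framing error, so reject it early.
    if len(bytes.fromhex(lm_challenge_hex)) != 8:
        raise ValueError("LANMAN-Challenge must be exactly 8 bytes")
    if len(bytes.fromhex(nt_response_hex)) != 24:
        raise ValueError("NT-Response must be exactly 24 bytes")
    return [
        "Request-User-Session-Key: Yes",
        "Request-LanMan-Session-Key: Yes",
        f"LANMAN-Challenge: {lm_challenge_hex}",
        f"NT-Response: {nt_response_hex}",
        f"NT-Domain:: {b64(domain)}",
        f"Username:: {b64(username)}",
        ".",  # a lone dot terminates the request; the reply uses the same framing
    ]


def parse_response(text):
    """Parse 'Key: value' reply lines up to a lone dot; 'Key::' values are base64."""
    result = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line == ".":
            break
        if ": " not in line:
            continue
        key, value = line.split(": ", 1)
        if key.endswith(":"):
            result[key[:-1]] = base64.b64decode(value)
        else:
            result[key] = value
    return result


def check_with_helper(lines, helper="/usr/local/samba/bin/ntlm_auth"):
    """Feed one request to the helper (path assumed) and return the parsed reply."""
    proc = subprocess.run([helper, "--helper-protocol=ntlm-server-1"],
                          input="\n".join(lines) + "\n", capture_output=True,
                          text=True, check=False)
    return parse_response(proc.stdout)
```

Note that the post's log shows the username as Y2NzYXM without the trailing "=" padding; this code emits standard padded base64, which ntlm_auth accepts equally.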
Andrew Bartlett
2006-Mar-10 06:56 UTC
[Samba] Using ntlm_auth to authenticate to an NTLMv2 AD
On Thu, 2006-03-09 at 16:48 +0000, Alex Sharaz wrote:
> Chaps,
>
> I'm trying to get a radius server to authenticate to AD via the samba
> ntlm_auth program.
> If we turn down the AD auth to use ntlm then authentication works o.k.

The problem is that MSCHAPv2 is cryptographically equivalent to NTLM, not NTLMv2 at the DC end. I suspect there is a flag we need to send to the DC, to make it ignore its own policy here.

Any help chasing this down gratefully appreciated: Mostly I need to see how an MS RADIUS server would achieve the same results, but with 'secure channel: require signing' set, rather than sealing (it is a local/domain policy). (This will allow the collection of an ethereal trace between the RADIUS server and the DC).

Andrew Bartlett

-- 
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Student Network Administrator, Hawker College http://hawkerc.net
While we're trying to get the tracing for this, I was wondering if there was another solution we could implement. Our AD team have put my linux box into its own part of the AD tree, i.e. ou=linux,dc=hull,dc=ac,dc=uk. I don't know anything about AD but was wondering if it were possible to change the security requirements for the "linux" portion of the tree to be NTLM. I know this works. Would this be doable?

-----Original Message-----
From: Andrew Bartlett [mailto:abartlet@samba.org]
Sent: 10 March 2006 06:56
To: Alex Sharaz
Cc: samba@lists.samba.org
Subject: Re: [Samba] Using ntlm_auth to authenticate to an NTLMv2 AD