Mary Stevens
2007-Apr-26 21:05 UTC
[Samba] ntlm_auth to AD with only ntlmv2 enabled failing
Hello,

We have Samba 3.0.23 installed. We are using FreeRADIUS to take authentication requests from a Nortel VPN server and using ntlm_auth trying to authenticate users against AD.

This setup works fine when on the AD side NTLMv1 and NTLMv2 are enabled (i.e. users can authenticate).

However, when only NTLMv2 is enabled users are unable to authenticate. I have searched various places and while I have seen a couple of other questions about getting this to work, I haven't found any answers.

When I have the radius server in debug mode I see the following when just NTLMv2 is enabled on the AD side:

  rad_check_password: Found Auth-Type MS-CHAP
  auth: type "MS-CHAP"
  Processing the authenticate section of radiusd.conf
  modcall: entering group MS-CHAP for request 0
  rlm_mschap: No User-Password configured. Cannot create LM-Password.
  rlm_mschap: No User-Password configured. Cannot create NT-Password.
  rlm_mschap: Told to do MS-CHAPv2 for stevens3 with NT-Password
  radius_xlat: Running registered xlat function of module mschap for string 'Challenge'
  mschap2: f0
  radius_xlat: Running registered xlat function of module mschap for string 'NT-Response'
  radius_xlat: '/usr/bin/ntlm_auth -debug=10 --logfile=/tmp --request-nt-key --domain=adtest --username=stevens3 --challenge=3316410b7682eede --nt-response=b929ed540a9705a79165ae8bc8b11f3c039f3a8100d81c3e'
  Exec-Program: /usr/bin/ntlm_auth -debug=10 --logfile=/tmp --request-nt-key --domain=adtest --username=stevens3 --challenge=3316410b7682eede --nt-response=b929ed540a9705a79165ae8bc8b11f3c039f3a8100d81c3e
  [2007/04/26 13:23:50, 5] lib/debug.c:debug_dump_status(391)
  INFO: Current debug levels:
    all: True/10  tdb: False/0  printdrivers: False/0  lanman: False/0  smb: False/0  rpc_parse: False/0
    rpc_srv: False/0  rpc_cli: False/0  passdb: False/0  sam: False/0  auth: False/0  winbind: False/0
    vfs: False/0  idmap: False/0  quota: False/0  acls: False/0  locking: False/0  msdfs: False/0  dmapi: False/0
  Exec-Program output: Logon failure (0xc000006d)
  Exec-Program-Wait: plaintext: Logon failure (0xc000006d)
  Exec-Program: returned: 1
  rlm_mschap: External script failed.
  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
  modcall[authenticate]: module "mschap" returns reject for request 0
  modcall: leaving group MS-CHAP (returns reject) for request 0
  auth: Failed to validate the user.
  Login incorrect: [stevens3] (from client nortelnew port 47)
  Delaying request 0 for 1 seconds

In the smb.conf file I have

  client NTLMv2 auth = yes

In radiusd.conf the ntlm_auth line looks like this (all as one line in the file, but the mail reader is breaking it up):

  ntlm_auth = "/usr/bin/ntlm_auth -debug=10 --logfile=/tmp --request-nt-key --domain=adtest --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"

I have also tried in the radiusd.conf file

  with_ntdomain_hack = no

and

  with_ntdomain_hack = yes

It didn't make any difference.

With the radius server in debug mode, I see the following when both NTLMv1 and NTLMv2 are enabled on the AD side (i.e. a successful auth):

  modcall[authorize]: module "auth_log" returns ok for request 1
  rlm_mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
  modcall[authorize]: module "mschap" returns ok for request 1
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 1
  users: Matched entry DEFAULT at line 29
  modcall[authorize]: module "files" returns ok for request 1
  modcall: leaving group authorize (returns ok) for request 1
  Found Autz-Type UIUCnet-Autz
  Processing the authorize section of radiusd.conf
  modcall: entering group UIUCnet-Autz for request 1
  modcall[authorize]: module "mysql_block" returns notfound for request 1
  modcall[authorize]: module "ccso_ph" returns ok for request 1
  modcall: leaving group UIUCnet-Autz (returns ok) for request 1
  rad_check_password: Found Auth-Type MS-CHAP
  auth: type "MS-CHAP"
  Processing the authenticate section of radiusd.conf
  modcall: entering group MS-CHAP for request 1
  rlm_mschap: No User-Password configured. Cannot create LM-Password.
  rlm_mschap: No User-Password configured. Cannot create NT-Password.
  rlm_mschap: Told to do MS-CHAPv2 for stevens3 with NT-Password
  radius_xlat: Running registered xlat function of module mschap for string 'Challenge'
  mschap2: 9d
  radius_xlat: Running registered xlat function of module mschap for string 'NT-Response'
  radius_xlat: '/usr/bin/ntlm_auth -debug=10 --logfile=/tmp --request-nt-key --domain=adtest --username=stevens3 --challenge=08cb598bb48bab8c --nt-response=202fa7d944da7715ef8bf23a0b1b3d08d91345e2e26344da'
  Exec-Program: /usr/bin/ntlm_auth -debug=10 --logfile=/tmp --request-nt-key --domain=adtest --username=stevens3 --challenge=08cb598bb48bab8c --nt-response=202fa7d944da7715ef8bf23a0b1b3d08d91345e2e26344da
  [2007/04/26 14:36:52, 5] lib/debug.c:debug_dump_status(391)
  INFO: Current debug levels:
    all: True/10  tdb: False/0  printdrivers: False/0  lanman: False/0  smb: False/0  rpc_parse: False/0
    rpc_srv: False/0  rpc_cli: False/0  passdb: False/0  sam: False/0  auth: False/0  winbind: False/0
    vfs: False/0  idmap: False/0  quota: False/0  acls: False/0  locking: False/0  msdfs: False/0  dmapi: False/0
  Exec-Program output: NT_KEY: 55766444E6C4E3016575DE3819ABDED0
  Exec-Program-Wait: plaintext: NT_KEY: 55766444E6C4E3016575DE3819ABDED0
  Exec-Program: returned: 0
  rlm_mschap: adding MS-CHAPv2 MPPE keys
  modcall[authenticate]: module "mschap" returns ok for request 1
  modcall: leaving group MS-CHAP (returns ok) for request 1
  Login OK: [stevens3] (from client nortelnew port 63)
  Processing the post-auth section of radiusd.conf
  modcall: entering group post-auth for request 1
  radius_xlat: '/services/ct-radius/run/var/log/radius/radacct/192.17.144.2/reply-detail-20070426'
  rlm_detail: /services/ct-radius/run/var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d expands to /services/ct-radius/run/var/log/radius/radacct/192.17.144.2/reply-detail-20070426
  modcall[post-auth]: module "reply_log" returns ok for request 1
  modcall: leaving group post-auth (returns ok) for request 1
  Sending Access-Accept of id 39 to 192.17.144.2 port 3925
    MS-CHAP2-Success = 0x02533d44373432433938333844454143414630314135434633413437363433363142464138313937314638
    MS-MPPE-Recv-Key = 0xdc756f09359a7d521ae376189c6c4449
    MS-MPPE-Send-Key = 0x237c89f4e9decfb9031e36f073218ba2
    MS-MPPE-Encryption-Policy = 0x00000002
    MS-MPPE-Encryption-Types = 0x00000004
  Finished request 1

Any clues which might get this working would be appreciated. From the docs it seems like this should be working.

Thanks,
Mary Stevens
Andrew Bartlett
2007-Apr-27 07:20 UTC
[Samba] ntlm_auth to AD with only ntlmv2 enabled failing
On Thu, 2007-04-26 at 15:51 -0500, Mary Stevens wrote:
> Hello,
>
> We have samba 3.0.23 installed. We are using free radius to take
> authentication requests from a nortel vpn server and using ntlm_auth
> trying to authenticate users against AD.
>
> This setup works fine when on the AD side ntlmv1 and ntlmv2 are enabled.
> (IE. Users can authenticate).
>
> However, when only ntlmv2 is enabled users are unable to authenticate.
> I have searched various places and while I have seen a couple of other
> questions about getting this to work, I haven't found any answers.

The problem is, MSCHAPv2 *is* NTLMv1, so everything is working exactly as expected.

Microsoft clearly has a workaround, allowing the member server to say 'pretend this is NTLMv2, even if it is not', to allow RADIUS to work. I need to see clear (i.e. disable schannel protection) traces of this traffic (and comparisons with NTLMv1 requests) to determine the flag in use, so that we can reproduce the behaviour.

Andrew Bartlett

--
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.                  http://redhat.com