Hello Helper,

I found this bug report:

https://bugzilla.samba.org/show_bug.cgi?id=12252

At this time I have a samba 4.1.6 Domain Controller and Freeradius-Server. The authentication works pretty well in 4.1.6. Now I built a new Domain Controller from source, version 4.5.0. The configuration is like 4.1.6, but now I have an authentication issue. There is no helpful information in the freeradius log :(. Briefly, I can't authenticate my users over freeradius with SAMBA 4.5.0.

I guess the bug report answered my question. Do you think SAMBA4 will provide/activate this function again in the next patch? Or do I really have to modify the source code? Is it possible to make the changes in the source code and "over" install it to the current system?

With best regards
Micha

Downgrade to 4.4.5 and see what happens.

Greetz,
Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Micha Ballmann via samba
> Sent: Monday 10 October 2016 10:30
> To: samba at lists.samba.org
> Subject: [Samba] SAMBA 4.5.0
>
> Hello Helper,
>
> I found this bug report:
>
> https://bugzilla.samba.org/show_bug.cgi?id=12252
>
> At this time I have a samba 4.1.6 Domain Controller and Freeradius-Server.
> The authentication works pretty well in 4.1.6. Now I built a new Domain
> Controller from source, version 4.5.0. The configuration is like 4.1.6, but
> now I have an authentication issue. There is no helpful information in
> the freeradius log :(. Briefly, I can't authenticate my users over freeradius
> with SAMBA 4.5.0.
>
> I guess the bug report answered my question. Do you think SAMBA4 will
> provide/activate this function again in the next patch? Or do I really have to
> modify the source code? Is it possible to make the changes in the source code
> and "over" install it to the current system?
>
> With best regards
> Micha

On Mon, 10 Oct 2016 10:30:24 +0200 Micha Ballmann via samba <samba at lists.samba.org> wrote:

> Hello Helper,
>
> I found this bug report:
>
> https://bugzilla.samba.org/show_bug.cgi?id=12252
>
> At this time I have a samba 4.1.6 Domain Controller and
> Freeradius-Server. The authentication works pretty well in 4.1.6. Now
> I built a new Domain Controller from source, version 4.5.0. The
> configuration is like 4.1.6, but now I have an authentication issue.
> There is no helpful information in the freeradius log :(. Briefly, I can't
> authenticate my users over freeradius with SAMBA 4.5.0. I guess the
> bug report answered my question. Do you think SAMBA4 will
> provide/activate this function again in the next patch? Or do I really have
> to modify the source code? Is it possible to make the changes in the
> source code and "over" install it to the current system? With best
> regards Micha

If you read the release notes for 4.5.0, you will find this:

NTLMv1 authentication disabled by default
-----------------------------------------

In order to improve security we have changed
the default value for the "ntlm auth" option from
"yes" to "no". This may have impact on very old
clients which doesn't support NTLMv2 yet.

The primary user of NTLMv1 is MSCHAPv2 for VPNs and 802.1x.

By default, Samba will only allow NTLMv2 via NTLMSSP now,
as we have the following default "lanman auth = no",
"ntlm auth = no" and "raw NTLMv2 auth = no".

If you must use the insecure 'ntlm', I am sure you can work out from the above what you must add to smb.conf.

Personally, I think freeradius need to up their game. I found this on their wiki, under the heading 'guide/FreeRADIUS Active Directory Integration HOWTO':

The following components are required to install the access control solution:

A Linux/Unix server (only Linux is covered)
FreeRADIUS 3.0.x
Samba 3.0.x
Openssl
Cisco Catalyst Switch
Windows >= Win2K SP4 XP

Has anybody told freeradius that the Samba 3.0.x series went EOL in 2009? And that Win2K & XP are also EOL?

And people complain about the Samba wiki LOL

Rowland
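
An added example, not part of any list message and not Samba's own code: a small Python check that reads the [global] section of an smb.conf and reports whether the three options named in the quoted 4.5.0 release notes still hold their defaults. The function names and the sample configuration are constructed for illustration.

```python
import re

# Defaults stated in the Samba 4.5.0 release notes quoted in the thread.
DEFAULTS_450 = {"lanmanauth": "no", "ntlmauth": "no", "rawntlmv2auth": "no"}
TRUE = {"yes", "true", "on", "1"}
FALSE = {"no", "false", "off", "0"}

def norm(name):
    # smb.conf ignores case and whitespace in section and parameter names.
    return re.sub(r"\s+", "", name).lower()

def global_params(text):
    """Return {normalized name: value} for the [global] section only."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        header = re.fullmatch(r"\[(.*)\]", line)
        if header:
            section = norm(header.group(1))
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[norm(key)] = value.strip()  # later assignment overwrites
    return params

def audit(text):
    """Map each option to (effective value, 'default'|'weakened'|'review')."""
    params, report = global_params(text), {}
    for key, default in DEFAULTS_450.items():
        value = params.get(key, default).lower()
        if value in FALSE:
            report[key] = ("no", "default")
        elif value in TRUE:
            report[key] = ("yes", "weakened")
        else:
            report[key] = (value, "review")   # not a plain boolean
    return report

# Constructed sample: a DC config that re-enables NTLMv1 for MSCHAPv2 clients.
SAMPLE = """
[global]
    workgroup = EXAMPLE
    ; lanman auth = yes
    NTLM Auth = Yes
[netlogon]
    ntlm auth = no
"""

if __name__ == "__main__":
    for key, (value, status) in audit(SAMPLE).items():
        print(f"{key:15} {value:5} {status}")
```

An option absent from the file is reported with the 4.5.0 default from the release notes, so the result is only meaningful for 4.5.0 as described in this thread.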

Freeradius has a module ntlm_auth which should point to the ntlm_auth from your Samba version and must be configured with your domain information.

BR,
Marcel

2016-10-10 10:30 GMT+02:00 Micha Ballmann via samba <samba at lists.samba.org>:

> Hello Helper,
>
> I found this bug report:
>
> https://bugzilla.samba.org/show_bug.cgi?id=12252
>
> At this time I have a samba 4.1.6 Domain Controller and Freeradius-Server.
> The authentication works pretty well in 4.1.6. Now I built a new Domain
> Controller from source, version 4.5.0. The configuration is like 4.1.6, but
> now I have an authentication issue. There is no helpful information in
> the freeradius log :(. Briefly, I can't authenticate my users over freeradius with
> SAMBA 4.5.0.
>
> I guess the bug report answered my question. Do you think SAMBA4 will
> provide/activate this function again in the next patch? Or do I really have to
> modify the source code? Is it possible to make the changes in the source code
> and "over" install it to the current system?
>
> With best regards
> Micha

> If you read the release notes for 4.5.0, you will find this:
>
> NTLMv1 authentication disabled by default
> -----------------------------------------
>
> In order to improve security we have changed
> the default value for the "ntlm auth" option from
> "yes" to "no". This may have impact on very old
> clients which doesn't support NTLMv2 yet.

Would this explain why when trying to run a Classic/NT DC on Samba 4.5.0, XP clients cannot join the domain or authenticate, whereas with 4.4.6 they can (W7 clients are OK for both versions)?

Cheers,
Alex

Just a note: I read the changelog and was aware of the change. However, I was not aware that almost none of our network scanners would support NTLMv2. Different models and brands. Therefore, I was forced to revert this change.

Best regards,
Tim

On 10.10.2016 11:31, Rowland Penny via samba wrote:

> If you read the release notes for 4.5.0, you will find this:
>
> NTLMv1 authentication disabled by default
> -----------------------------------------
>
> In order to improve security we have changed
> the default value for the "ntlm auth" option from
> "yes" to "no". This may have impact on very old
> clients which doesn't support NTLMv2 yet.
>
> The primary user of NTLMv1 is MSCHAPv2 for VPNs and 802.1x.
>
> By default, Samba will only allow NTLMv2 via NTLMSSP now,
> as we have the following default "lanman auth = no",
> "ntlm auth = no" and "raw NTLMv2 auth = no".
>
> If you must use the insecure 'ntlm', I am sure you can work out from
> the above what you must add to smb.conf