Hello All, After updating to sernet-samba-4.6.4, ntlm_auth doesn't appear to work for me with challenge and nt-responses. I'm using ntlm_auth in freeradius to authenticate my wifi users against my AD. In sernet-samba-4.2.14 it was working perfectly. My freeradius server is an AD Member, and I've got two other sernet-samba-4.6.4 AD DC's. $ ntlm_auth --request-nt-key --domain=LAMBROOK --username=tim.odriscoll --password=<mypass> NT_STATUS_OK: Success (0x0) $ ntlm_auth --request-nt-key --domain=LAMBROOK --username=tim.odriscoll --password=<mypass> --challenge=<challenge-from-radtest> --nt-response=<response-from-radtest> Logon failure (0xc000006d) Is it safe to use the challenge/responses from a recent radtest command in my ntlm_auth testing? How can I dig deeper into this problem and get to the bottom of it? Many thanks, Tim
Edit: When running 'winbindd -SFd5', I see a little more of the problem after I run my two ntlm_auth commands one after the other. I believe the 'crap' part is an acronym for 'Challenge Response Authentication Protocol', so why would it be failing? [ 2202]: request interface version (version = 28) [ 2202]: request location of privileged pipe getgroups root Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED [ 2205]: request interface version (version = 28) [ 2205]: request location of privileged pipe [ 2205]: request misc info [ 2205]: pam auth LAMBROOK+tim.odriscoll child daemon request 13 [ 2160]: dual pam auth LAMBROOK+tim.odriscoll rpc_api_pipe: host mail3.lambrookschool.co.uk rpc_write_send: data_to_write: 376 rpc_read_send: data_to_read: 872 Plain-text authentication for user LAMBROOK+tim.odriscoll returned NT_STATUS_OK (PAM: 0) Finished processing child request 13 [ 2210]: request interface version (version = 28) [ 2210]: request location of privileged pipe getgroups root Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED [ 2222]: request interface version (version = 28) [ 2222]: request location of privileged pipe getgroups root Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED Idle client timed out, shutting down sock 23, pid 2183 [ 2240]: request interface version (version = 28) [ 2240]: request location of privileged pipe [ 2240]: request domain name [ 2240]: pam auth crap domain: [LAMBROOK] user: tim.odriscoll child daemon request 14 [ 2160]: pam auth crap domain: LAMBROOK user: tim.odriscoll rpc_api_pipe: host mail3.lambrookschool.co.uk rpc_write_send: data_to_write: 424 rpc_read_send: data_to_read: 104 NTLM CRAP authentication for user [LAMBROOK]\[tim.odriscoll] returned NT_STATUS_WRONG_PASSWORD Finished processing child request 14 Many thanks, Tim
On 29 May 2017 12:32>When running 'winbindd -SFd5', I see a little more of the problem after I run my two ntlm_auth commands > one after the other. I believe the 'crap' part is an acronym for 'Challenge Response > Authentication Protocol', so why would it be failing?Edit2: wbinfo -a tim.odriscoll%<mypass> works perfectly, with the winbindd debug logs showing the same output as ntlm_auth except with success messages. So, am I correct in assuming the challenge/response's that freeradius is calculating are incorrect? Many thanks, Tim