Ok, I finally could try it out, and it seems to actually work, but you need samba 4.7 on all machines, not only AD, but also server with freeradius. I didn't get a chance to test it locally, that is samba AD + freeradius on the same server.

Setup: 4.7.6 AD server and 4.6.2 samba member + freeradius didn't work (got simple "nt_status_wrong_password")

but: 4.7.6 AD and 4.7.1 samba + freeradius works just fine. It's clearly visible in logs.

While using "ntlm auth = yes" I was getting in audit log Authentication_passwordType = NTLMv1, but with ntlm auth = ntlmv2-and-mschap2-only audit log shows Authentication_passwordType as "MSCHAP2"

Not sure what's the case, maybe only starting with samba 4.7 ntlm_auth can send correct flag?

Hope that helps.

On 26.03.2018 at 22:16, Jonathan Hunter via samba wrote:
> On 26 March 2018 at 14:31, Kacper Wirski via samba <samba at lists.samba.org>
> wrote:
>
>> Also I just facepalmed, as I double checked smb.conf right after sending
>> mail, and in samba 4.7 there are new options available for "ntlm auth", as
>> stated in docs:
>>
>> |mschapv2-and-ntlmv2-only| - Only allow NTLMv1 when the client promises
>> that it is providing MSCHAPv2 authentication (such as the |ntlm_auth| tool).
>> [...]
>> I'll test it out later today and give some feedback if needed.
>>
> I tried exactly this a few days ago, and couldn't get it working.
> Admittedly, I didn't spend too long on it, but I changed 'ntlm auth = yes'
> to 'ntlm auth = mschapv2-and-ntlmv2-only' but freeradius then didn't
> authenticate me..
>
> Do let me know how it goes for you, I also thought that this setting would
> be much better for me..
>
> Alternatively.. if there is a way of setting 'ntlm auth' on a per-IP basis,
> then I could only enable it for the freeradius server. I wonder if I can
> add 'include = /usr/local/samba/etc/smb.conf.%I' and then include 'ntlm
> auth = yes' in a smb.conf just for the freeradius server.. I will report
> back!
>
On Mon, 26 Mar 2018 22:38:20 +0200
Kacper Wirski via samba <samba at lists.samba.org> wrote:

> Ok, I finally could try it out, and it seems to actually work, but
> You need samba 4.7 on all machines, not only AD, but also server with
> freeradius. I didn't get a chance to test it locally, that is samba
> AD + freeradius on the same server.
>
> Setup: 4.7.6 AD server and 4.6.2 samba member + freeradius didn't
> work (got simple "nt_status_wrong_password")
>
> but: 4.7.6 AD and 4.7.1 samba + freeradius works just fine. It's
> clearly visible in logs.
>
> While using "ntlm auth = yes" I was getting in audit log
> Authentication_passwordType = NTLMv1, but with ntlm auth =
> ntlmv2-and-mschap2-only audit log shows Authentication_passwordType
> as "MSCHAP2"
>
> Not sure what's the case, maybe only starting with samba 4.7
> ntlm_auth can send correct flag?

From 4.7.0, the default for 'ntlm auth' changed from 'no' to 'ntlmv2-only', but two new values were created as well, 'mschapv2-and-ntlmv2-only' and 'disabled'. The former now allows MSCHAPv2 without NTLMv1, the latter disables NTLMv1 entirely.

Rowland
On 26 March 2018 at 21:38, Kacper Wirski via samba <samba at lists.samba.org>
wrote:

>
> While using "ntlm auth = yes" I was getting in audit log
> Authentication_passwordType = NTLMv1, but with ntlm auth
> ntlmv2-and-mschap2-only audit log shows Authentication_passwordType as
> "MSCHAP2"
>
> Thanks.

(FYI - the correct parameter is 'mschapv2-and-ntlmv2-only' :) )

With ntlm-auth set to this, I get '[NTLMv1] status [NT_STATUS_WRONG_PASSWORD]'.

Setting back to 'ntlm-auth=yes' in smb.conf, I get '[NTLMv1] status [NT_STATUS_OK]' and things work again.

Adding 'ntlm-auth=yes' to a newly included (via 'include = smb.conf.%I') file called "smb.conf.127.0.0.1" doesn't help me, since ntlm-auth talks to winbindd as far as I can see, and therefore that new config file is never used.

Kacper - what do you have in your freeradius config, in terms of your ntlm_auth command line?

Cheers

Jonathan

--
"If we knew what it was we were doing, it would not be called research, would it?" - Albert Einstein
Hello,
I've done some further testing, and I have to correct myself.
I was (kind of obviously as I think about it) wrong about samba on the
freeradius server requiring v. 4.7. What makes all the difference is the
method used by mschap.
Traditionally in freeradius in mods-available/mschap you'll use
something like:
ntlm_auth = "/path/to/ntlm_auth --request-nt-key
--username=%{mschap:User-Name}
--domain=DOMAIN --challenge=%{%{mschap:Challenge}:-00}
--nt-response=%{%{mschap:NT-Response}:-00}"
but starting from freeradius 3.0.8 there is "newer" winbind method,
using directly winbind daemon. From the docs it actually still uses
ntlm_auth, but for whatever reason this works, and "traditional"
ntlm_auth doesn't.
So in your freeradius mods-enabled/mschap instead of ntlm_auth...... put
something like this:
winbind_username = "%{mschap:User-Name}"
winbind_domain = "*WINDOWSDOMAIN*"
(not sure about external links in the mailing list, but here is the link to the
freeradius doc explaining in detail:
https://wiki.freeradius.org/guide/Active-Directory-direct-via-winbind)
What I can't test right now, if it will work with mschapv2 password change
(if required), since freeradius relies directly on ntlm_auth there.
My question on the other hand is this:
- Why this "winbind" method works fine with "ntlm auth =
mschapv2-and-ntlmv2-only" on the AD DC, but "ntlm_auth"
doesn't? Winbind method supposedly also uses ntlm_auth in the end?
Regards,
Kacper
On 26.03.2018 at 23:09, Jonathan Hunter via samba wrote:
> On 26 March 2018 at 21:38, Kacper Wirski via samba <samba at lists.samba.org>
> wrote:
>
>> While using "ntlm auth = yes" I was getting in audit log
>> Authentication_passwordType = NTLMv1, but with ntlm auth
>> ntlmv2-and-mschap2-only audit log shows Authentication_passwordType as
>> "MSCHAP2"
>>
>> Thanks.
> (FYI - the correct parameter is 'mschapv2-and-ntlmv2-only' :) )
>
> With ntlm-auth set to this, I get '[NTLMv1] status
> [NT_STATUS_WRONG_PASSWORD]'.
>
> Setting back to 'ntlm-auth=yes' in smb.conf, I get '[NTLMv1] status
> [NT_STATUS_OK]' and things work again.
>
> Adding 'ntlm-auth=yes' to a newly included (via 'include = smb.conf.%I')
> file called "smb.conf.127.0.0.1" doesn't help me, since ntlm-auth talks to
> winbindd as far as I can see, and therefore that new config file is never
> used.
>
> Kacper - what do you have in your freeradius config, in terms of your
> ntlm_auth command line?
>
> Cheers
>
> Jonathan
>
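The thread's evidence that the winbind method is taking the MSCHAPv2 path (and that plain ntlm_auth is not) is the passwordType field in the DC's JSON auth audit log. The script below is an added example, not code from the thread or from Samba; it parses constructed sample audit lines (the record shape is assumed from Samba 4.7's auth_json_audit output) and reports which hosts and accounts are still sending NTLMv1, which is exactly what 'ntlm auth = mschapv2-and-ntlmv2-only' will start refusing.

```python
import json
from collections import Counter, defaultdict

# Constructed sample of Samba auth_json_audit lines (Samba >= 4.7, enabled with
# "log level = auth_json_audit:3"). Record shape assumed from that format; only
# the fields used below are filled in. One non-JSON line is included on purpose.
SAMPLE_AUDIT_LOG = """\
{"type": "Authentication", "Authentication": {"status": "NT_STATUS_OK", "serviceDescription": "SamLogon", "clientAccount": "alice", "workstation": "RADIUS01", "passwordType": "MSCHAP2"}}
{"type": "Authentication", "Authentication": {"status": "NT_STATUS_WRONG_PASSWORD", "serviceDescription": "SamLogon", "clientAccount": "bob", "workstation": "RADIUS01", "passwordType": "NTLMv1"}}
{"type": "Authentication", "Authentication": {"status": "NT_STATUS_OK", "serviceDescription": "SMB2", "clientAccount": "carol", "workstation": "LAPTOP7", "passwordType": "NTLMv2"}}
{"type": "Authentication", "Authentication": {"status": "NT_STATUS_OK", "serviceDescription": "SMB2", "clientAccount": "dave", "workstation": "OLDPRINTER", "passwordType": "NTLMv1"}}
{"type": "Authorization", "Authorization": {"account": "alice"}}
plain-text debug line that log.samba may interleave with the JSON records
"""

def parse_auth_events(text):
    """Return the 'Authentication' sub-record of every JSON line that carries one."""
    events = []
    for line in text.splitlines():
        try:
            rec = json.loads(line)
        except ValueError:
            continue  # non-JSON lines are skipped rather than aborting the scan
        if isinstance(rec, dict) and rec.get("type") == "Authentication":
            events.append(rec["Authentication"])
    return events

def password_type_summary(events):
    """Count (workstation, passwordType, status) so each host's real auth path is visible."""
    return Counter((e.get("workstation") or "?", e.get("passwordType"), e.get("status"))
                   for e in events)

def ntlmv1_sources(events):
    """Map workstation -> accounts still authenticating with passwordType NTLMv1.

    With the DC on 'ntlm auth = mschapv2-and-ntlmv2-only', the RADIUS host should
    show MSCHAP2 (winbind method); any NTLMv1 entry is a client that will break.
    """
    sources = defaultdict(set)
    for e in events:
        if e.get("passwordType") == "NTLMv1":
            sources[e.get("workstation") or "?"].add(e.get("clientAccount"))
    return dict(sources)

if __name__ == "__main__":
    evs = parse_auth_events(SAMPLE_AUDIT_LOG)
    for (host, ptype, status), n in sorted(password_type_summary(evs).items()):
        print(f"{host:<12} {ptype:<8} {status:<28} {n}")
    print("NTLMv1 still in use from:", ntlmv1_sources(evs))
```

Point it at the DC's log.samba (or the JSON audit log file) instead of the sample to see which workstations still need the winbind-style MSCHAPv2 path before tightening 'ntlm auth'.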