Hello,

I can definitely confirm that it's working.

My basic setup is:

1) Samba 4.7.6 AD DC (2 of them), compiled from source, on CentOS 7

2) FreeRADIUS 3.0.13 + Samba 4.6.2 as domain member, packages straight from the CentOS repo. // I tested also on FreeRADIUS 3.0.14 and Samba 4.7.x

smb.conf on the DC is pretty basic; most important is obviously in [global]:

    ntlm auth = mschapv2-and-ntlmv2-only

On the server with FreeRADIUS + Samba 4.6.2:

The machine is added to AD using Samba with net ads join.

The most important configuration to make it MSCHAPv2 only, with NTLMv1 disabled overall (except for MSCHAPv2), is this setting in FreeRADIUS in /mods-available/mschap:

    mschap {
        .....
        ntlm_auth = "/path/to/ntlm_auth --allow-mschapv2 --request-nt-key --username=%{mschap:User-Name} --domain=WINDOWSDOMAIN --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"

OR (if your FreeRADIUS supports it)

        winbind_username = "%{%{mschap:User-Name}:-00}"
        winbind_domain = "WINDOWSDOMAIN"

The former works just fine; the latter requires FreeRADIUS to be built with winbind auth. For example, for CentOS I had to rebuild the RPM and add the path to the winbind libraries to ./configure.

That's all that needs to change from the "standard", well documented FreeRADIUS/AD integration.

If there are going to be password changes with FreeRADIUS ("your password has expired"-type scenarios), you should probably also configure in /mods-available/mschap additionally:

    passchange {
        ntlm_auth = "/path/to/ntlm_auth --helper-protocol=ntlm-change-password-1 --allow-mschapv2"
        ntlm_auth_username = "username: %{mschap:User-Name}"
        ntlm_auth_domain = "nt-domain: WINDOWSDOMAIN"
    }

I'm saying "should probably configure" because with the settings as above it works just fine, so even if it's unnecessary, it doesn't break anything, and unfortunately I was unable to test whether it works (I doubt it) without this option while denying NTLMv1 overall on the AD DC.

If everything works as intended, in the AD DC audit log you will see something like this:

    {"timestamp": "some-date0", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 0}, "status": "NT_STATUS_OK", "localAddress": "ipv4:xxx.xxx.xxx.xxx", "remoteAddress": "ipv4:xxx.xxx.xxx.xxx:58046", "serviceDescription": "SamLogon", "authDescription": "network", "clientDomain": "WINDOWSDOMAIN", "clientAccount": "some-user", "workstation": "\\\\SOME-HOST", "becameAccount": "some-user", "becameDomain": "WINDOWSDOMAIN", "becameSid": "SOME-SID", "mappedAccount": "some-user", "mappedDomain": "WINDOWSDOMAIN", "netlogonComputer": "SOME-HOST", "netlogonTrustAccount": "SOME-HOST$", "netlogonNegotiateFlags": "0x610FFFFF", "netlogonSecureChannelType": 2, "netlogonTrustAccountSid": "somesid", "passwordType": "MSCHAPv2"}}

Without "--allow-mschapv2" you would see "passwordType": "NTLMv1".

Also, I have no idea when the ntlm_auth --allow-mschapv2 option was added?

On 27.03.2018 at 10:06, Rowland Penny via samba wrote:
> On Tue, 27 Mar 2018 09:36:42 +0200 "k.wirski via samba" <samba at lists.samba.org> wrote:
>
>> ok, tested it, and it works.
>>
>> so to summarize: on samba ad 4.7.x in smb.conf "ntlm auth" is set to "mschapv2-and-ntlmv2-only"; fr + samba domain member (4.6 and 4.7) in mods-available/mschap you have to add --allow-mschapv2 to the whole ntlm_auth string OR just use the winbind method, which sets the correct flag without explicitly adding it.
>
> Not sure it will work with 4.6 as it doesn't have the required 'mschapv2-and-ntlmv2-only' option for 'ntlm auth'
>
>> with those settings ntlmv1 is blocked except for mschapv2, and it's nicely visible in the samba auth_audit log.
>>
>> I also tried password change with ntlm_auth (for expired password at logon via FR) and it works fine too, with added --allow-mschapv2.
>>
>> I completely missed the ntlm_auth option --allow-mschapv2! Thank You for pointing it out.
>
> If you can let us know just what you changed to get it working, I will put something on the Samba wiki.
>
> Rowland
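A way to verify on the DC side that the lockdown described above is actually effective: parse the auth_audit JSON lines for the passwordType field and flag any NTLMv1 logon that still succeeds, while listing refused NTLMv1 callers (a FreeRADIUS host whose ntlm_auth line lacks --allow-mschapv2) so they can be fixed. This is an added example, not code from the thread or from Samba/FreeRADIUS; the sample lines are constructed, and the "JSON Authentication: " prefix and the NT_STATUS_NTLM_BLOCKED status string in them are assumptions.

```python
import json
from collections import Counter

def _event(status, password_type, account, workstation, remote, service="SamLogon"):
    """Build one constructed audit line shaped like the DC log excerpt in the thread."""
    return "JSON Authentication: " + json.dumps({
        "timestamp": "2018-03-27T22:00:01.000000+0200",
        "type": "Authentication",
        "Authentication": {
            "version": {"major": 1, "minor": 0},
            "status": status,
            "remoteAddress": remote,
            "serviceDescription": service,
            "authDescription": "network",
            "clientDomain": "WINDOWSDOMAIN",
            "clientAccount": account,
            "workstation": "\\\\" + workstation,
            "netlogonTrustAccount": workstation + "$",
            "passwordType": password_type,
        },
    })

# Constructed sample log (not real data). The line prefix and the NTLM_BLOCKED status
# string are assumptions; the JSON field names follow the thread's excerpt.
SAMPLE_AUDIT_LINES = [
    # FreeRADIUS host whose ntlm_auth runs with --allow-mschapv2: the expected, good case.
    _event("NT_STATUS_OK", "MSCHAPv2", "alice", "RADIUS01", "ipv4:192.0.2.10:58046"),
    # Ordinary SMB client on NTLMv2: still permitted by mschapv2-and-ntlmv2-only.
    _event("NT_STATUS_OK", "NTLMv2", "bob", "WS-17", "ipv4:192.0.2.17:51002"),
    # Second RADIUS box still calling ntlm_auth without --allow-mschapv2: the DC sees
    # plain NTLMv1 and refuses it, which points at the caller that needs fixing.
    _event("NT_STATUS_NTLM_BLOCKED", "NTLMv1", "carol", "RADIUS02", "ipv4:192.0.2.11:40111"),
    # A successful NTLMv1 logon means the 'ntlm auth' restriction is not effective here.
    _event("NT_STATUS_OK", "NTLMv1", "dave", "OLDNAS", "ipv4:192.0.2.50:33120"),
    # Wrong password over MSCHAPv2: an ordinary failure, not a policy problem.
    _event("NT_STATUS_WRONG_PASSWORD", "MSCHAPv2", "alice", "RADIUS01", "ipv4:192.0.2.10:58047"),
    # Unrelated log noise that the parser must skip rather than choke on.
    "  auth_check_password_send: Checking password for unmapped user [WINDOWSDOMAIN]\\[erin]",
]

def parse_audit_line(line):
    """Return the 'Authentication' object of one audit line, or None if it is not one."""
    start = line.find("{")          # cut off whatever Samba prints before the JSON
    if start < 0:
        return None
    try:
        obj = json.loads(line[start:])
    except json.JSONDecodeError:
        return None
    if not isinstance(obj, dict) or obj.get("type") != "Authentication":
        return None
    return obj.get("Authentication")

def check_ntlm_policy(lines):
    """Count successful logons per passwordType and single out NTLMv1.
    Returns (counts, ntlmv1_allowed, ntlmv1_refused): once the DC enforces
    mschapv2-and-ntlmv2-only, ntlmv1_allowed must be empty, and ntlmv1_refused
    names the callers still sending NTLMv1 (e.g. ntlm_auth without --allow-mschapv2)."""
    counts = Counter()
    allowed, refused = [], []
    for line in lines:
        auth = parse_audit_line(line)
        if auth is None:
            continue
        ptype = auth.get("passwordType", "unknown")
        ok = auth.get("status") == "NT_STATUS_OK"
        if ok:
            counts[ptype] += 1
        if ptype == "NTLMv1":
            who = (auth.get("clientAccount"), auth.get("workstation"),
                   auth.get("remoteAddress"), auth.get("status"))
            (allowed if ok else refused).append(who)
    return counts, allowed, refused

if __name__ == "__main__":
    counts, allowed, refused = check_ntlm_policy(SAMPLE_AUDIT_LINES)
    print("successful logons by passwordType:", dict(counts))
    print("POLICY GAP, NTLMv1 accepted:", allowed)
    print("callers still sending NTLMv1 (refused):", refused)
```

Point it at the DC's real log by reading the file line by line in place of SAMPLE_AUDIT_LINES.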
On Tue, 27 Mar 2018 22:40:13 +0200 Kacper Wirski via samba <samba at lists.samba.org> wrote:

> Hello,
>
> I can definitely confirm that it's working.
>
> [...]
>
> Also I have no idea when ntlm_auth --allow-mschapv2 option was added?

Thanks, that gives me something to work with. I will add something to the Samba wiki ASAP (probably tomorrow).

Rowland
On Tue, 2018-03-27 at 22:40 +0200, Kacper Wirski via samba wrote:

> Hello,
>
> I can definitely confirm that it's working.
>
> [...]
>
> If there are going to be password changes with freeradius ("your password has expired"-type scenarios) You should probably also configure in /mods-available/mschap additionally:
>
>     passchange {
>         ntlm_auth = "/path/to/ntlm_auth --helper-protocol=ntlm-change-password-1 --allow-mschapv2"
>         ntlm_auth_username = "username: %{mschap:User-Name}"
>         ntlm_auth_domain = "nt-domain: WINDOWSDOMAIN"

This will still be allowed, even with NTLMv1 disabled; I consider it as strong as NTLMv2 for these purposes.

If you turn off NTLM entirely (Samba 4.7) you will disable it.

> [...]
>
> Also I have no idea when ntlm_auth --allow-mschapv2 option was added?

It was added in Samba 4.5.0rc1 with 0b500d413c5b76188c0c566318be7079b777237c

I hope this helps!

Andrew Bartlett

-- 
Andrew Bartlett https://samba.org/~abartlet/
Authentication Developer, Samba Team https://samba.org
Samba Development and Support, Catalyst IT https://catalyst.net.nz/services/samba
Dr. Peer-Joachim Koch
2018-Mar-28 06:18 UTC
[Samba] ODP: Re: freeradius + NTLM + samba AD 4.5.x
Hi,

thank you very much for testing everything out. Great work!

One question: passchange - which applications are working with passchange on RADIUS? At the moment every user with an expired password is NOT able to use services using RADIUS for authentication (WLAN, VPN). Is there any documentation available?

Bye, Peer

On 27.03.2018 22:40, Kacper Wirski via samba wrote:
> Hello,
>
> I can definitely confirm that it's working.
>
> [...]
>
> Also I have no idea when ntlm_auth --allow-mschapv2 option was added?
>
> [...]

-- 
Kind regards,
Peer-Joachim Koch
________________________________________________________
Max-Planck-Institut für Biogeochemie
Dr. Peer-Joachim Koch
Hans-Knöll Str.10          Phone: ++49 3641 57-6705
D-07745 Jena               Fax: ++49 3641 57-7705
I also confirm that it's working fine with the setup below. In my case, I also add --require-membership-of="My_Wifi_Group" to the ntlm_auth command in /etc/freeradius/3.0/mods-enabled/mschap. I hope it will prevent some brute force on sensitive accounts.

For those who are interested in MSCHAP + winbind authentication (not ntlm_auth): on the FreeRADIUS mailing list I found this interesting post: http://lists.freeradius.org/pipermail/freeradius-users/2016-June/083958.html It's talking about the winbind group check starting with FreeRADIUS v3.1.X

Have a nice day

-----Original Message-----
From: samba <samba-bounces at lists.samba.org> On behalf of Kacper Wirski via samba
Sent: Tuesday 27 March 2018 22:40
To: samba at lists.samba.org
Subject: Re: [Samba] ODP: Re: freeradius + NTLM + samba AD 4.5.x

Hello,

I can definitely confirm that it's working.

[...]

Also I have no idea when ntlm_auth --allow-mschapv2 option was added?

[...]
I see it's more about FreeRADIUS than Samba at this point, so I'm not very comfortable writing on the Samba list about this topic (if it's inappropriate, someone please tell me), but to share my experience:

passchange was tested on Windows 7/10 joined to the Samba AD domain, since that's in my case the obvious MSCHAPv2 client. I had simply tried logging in as users with "password has to be changed on the next logon". I tried it with wireless (EAP-PEAP) and 802.1X for wired (EAP-PEAP).

Enabling password change with MSCHAPv2 for FreeRADIUS also requires a setting in /mods-available/eap in the mschapv2 section:

    mschapv2 {
        send_error = yes

I tested it strictly with Windows computers, so I believe it's really dependent on what is trying to authenticate. For Windows (7 and above tested) you have to also set, via GPO or manually, the 802.1X authentication settings; one of them is to allow for extra windows during the logon process. If it is set up, then you will get, as a user with an expired password, a prompt to change your password (typical: old password - new password - retype new password). And it works in this setup (Samba 4.7.6 DC, FreeRADIUS with Samba 4.6.2 as domain member, with the setting on the Samba DC ntlm auth = mschapv2-and-ntlmv2-only).

Basically, from what I understand, there are certain errors that can happen during MSCHAPv2 authorization; one of them is "password is correct but expired", and with proper settings it's possible to allow the connecting client to change the password. I never bothered looking up what else, except for Windows clients, can benefit from the password change, so I can't help you more than this.

On 28.03.2018 at 08:18, Dr. Peer-Joachim Koch via samba wrote:
> Hi,
>
> thank you very much for testing everything out. Great work!
>
> One question: passchange - which application are working with passchange on radius?
> In the moment every user with an expired password is NOT able to use services using radius for authentication (WLAN, VPN).
> Is there any documentation available?
>
> Bye, Peer
>
> On 27.03.2018 22:40, Kacper Wirski via samba wrote:
>> [...]