L.P.H. van Belle
2019-Aug-30 10:11 UTC
[Samba] Samba 4.10.7 + freeradius 3.0.17 +ntlm_auth - Debian buster
Hai,

It does not happen often but yes, I also need some help, as I can't know everything and I'm new with freeradius.

I'm working on a configuration for samba member + freeradius with ntlm_auth.
Why ntlm_auth? Because the next one is kerberos and ldap auth to configure..
I want to have some fallback options here and you have to start somewhere.

This is running on my new proxy/gateway server, which also uses ntlm_auth and that works fine.

Now, basically this looks simple and should be, but I'm missing something.
So what am I doing: I'm following http://deployingradius.com/
Followed these steps, that works out fine.
Then we go to: http://deployingradius.com/documents/configuration/active_directory.html

For smb.conf I use the config I always use, pretty basic + I added (as noted on the site):
    ntlm auth = mschapv2-and-ntlmv2-only

And of course I joined this server to the domain.

Now I'm at: Configuring FreeRADIUS to use ntlm_auth for MS-CHAP
And I just can not get this to work.

What I notice:

(0) Found Auth-Type = mschap
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0) authenticate {
(0) mschap: Client is using MS-CHAPv1 with NT-Password
(0) mschap: Executing: /usr/bin/ntlm_auth --allow-mschapv2 --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --domain=NTDOM --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}:
(0) mschap: EXPAND --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
(0) mschap: --> --username=obell
(0) mschap: mschap1: d4
(0) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00}
(0) mschap: --> --challenge=changedChallenge
(0) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00}
(0) mschap: --> --nt-response=ChangedResponce
(0) mschap: ERROR: Program returned code (1) and output 'The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)'
(0) mschap: External script failed
(0) mschap: ERROR: External script says: The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)
(0) mschap: ERROR: MS-CHAP2-Response is incorrect
(0) [mschap] = reject

What is not clear here to me is this.

I test:
    radtest -t mschap myusername 'MyPass!' localhost 0 testing123-1

Response:
    (1) mschap: Client is using MS-CHAPv1 with NT-Password
Then I'm thinking: why chap-v1?

I'm thinking I'm sending with: --allow-mschapv2 << mschap V2

ntlm_auth = "/usr/bin/ntlm_auth --allow-mschapv2 --request-nt-key \
    --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} \
    --domain=NTDOM --challenge=%{%{mschap:Challenge}:-00} \
    --nt-response=%{%{mschap:NT-Response}:-00}"

In the end all tests result in:
    (4) MS-CHAP-Error = "\000E=691 R=1 C=877c690dc4020be0 V=2"

Testing with:
    ntlm_auth --allow-mschapv2 --username=myusername --challenge=0x.... --nt-response=0xx...
Returns: The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)

So if someone has an idea what's going on / where to look?
It's most probably something simple that I'm not seeing..

I did add the freerad user to the winbindd_priv group also.
I also tried this setup:
https://wiki.freeradius.org/guide/Active-Directory-direct-via-winbind
Which looks a better way to do it, but same results.

I'm very grateful if someone could help me out here or has ideas on the best way to debug this.
Or if someone has a samba 4.9+ working with freeradius and could share your config, I can better look at what's off.

Thanks!

Greetz,

Louis
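Two failure indicators appear in the debug output above: the NT_STATUS code that ntlm_auth appends to its error text, (0xc000006d), and the MS-CHAP-Error attribute that radtest shows, "\000E=691 R=1 C=877c690dc4020be0 V=2". Decoding both is the first step before touching the configuration. The Python below is an added example, not FreeRADIUS or Samba code: it parses the MS-CHAP failure string in the RFC 2433 / RFC 2759 layout (identifier byte, then E=code R=retry C=challenge-hex V=version and an optional M=message), maps the error code and the NT_STATUS value to their names, and runs over a few debug lines constructed from the ones quoted in the post. The NT_STATUS table is a small selection of logon-related codes, not Samba's full list, and the "8 bytes means MS-CHAPv1, 16 bytes means MS-CHAPv2" rule follows the challenge sizes in those two RFCs.

```python
"""Decode the failure indicators seen in radiusd -X / radtest output.

Added example, not FreeRADIUS or Samba code.  Handles:
  * the MS-CHAP-Error attribute: "<ident>E=eeee R=r C=<hex> V=v [M=<msg>]"
    (RFC 2433 section 6 for MS-CHAPv1, RFC 2759 section 6 for MS-CHAPv2);
  * the NT_STATUS code ntlm_auth prints in parentheses after its error text.
"""
import re
from typing import Dict, Iterable, Optional, Tuple

# Error codes defined for MS-CHAP failure packets (RFC 2433 / RFC 2759).
MSCHAP_ERROR_CODES = {
    646: "ERROR_RESTRICTED_LOGON_HOURS",
    647: "ERROR_ACCT_DISABLED",
    648: "ERROR_PASSWD_EXPIRED",
    649: "ERROR_NO_DIALIN_PERMISSION",
    691: "ERROR_AUTHENTICATION_FAILURE",
    709: "ERROR_CHANGING_PASSWORD",
}

# A selection of NT_STATUS values winbind/ntlm_auth report for failed logons.
NT_STATUS_NAMES = {
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC000006E: "STATUS_ACCOUNT_RESTRICTION",
    0xC0000071: "STATUS_PASSWORD_EXPIRED",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}

_FIELD_RE = re.compile(
    r"E=(?P<code>\d+)\s+R=(?P<retry>[01])\s+C=(?P<chal>[0-9a-fA-F]+)\s+V=(?P<ver>\d+)"
    r"(?:\s+M=(?P<msg>.*))?$"
)
_NTSTATUS_RE = re.compile(r"\((0x[0-9a-fA-F]{8})\)")


def parse_mschap_error(value: str) -> Dict[str, object]:
    """Parse an MS-CHAP-Error value as radtest/radiusd print it.

    The first byte is the MS-CHAP identifier; radtest renders a non-printable
    one as an octal escape such as \\000.
    """
    value = value.strip()
    m = re.match(r"\\([0-7]{3})", value)
    if m:                                   # octal escape as printed by radtest
        ident, rest = int(m.group(1), 8), value[m.end():]
    elif value.startswith("E="):            # identifier already stripped off
        ident, rest = None, value
    else:                                   # raw identifier byte
        ident, rest = ord(value[0]), value[1:]
    f = _FIELD_RE.match(rest.strip())
    if not f:
        raise ValueError(f"not an MS-CHAP-Error value: {value!r}")
    code = int(f.group("code"))
    chal = bytes.fromhex(f.group("chal"))
    # 8-byte challenge => MS-CHAPv1 (V=2); 16-byte => MS-CHAPv2 (V=3).
    flavour = {8: "MS-CHAPv1", 16: "MS-CHAPv2"}.get(len(chal), "unknown")
    return {
        "ident": ident,
        "code": code,
        "name": MSCHAP_ERROR_CODES.get(code, "UNKNOWN"),
        "retry_allowed": f.group("retry") == "1",
        "challenge": chal,
        "flavour": flavour,
        "version": int(f.group("ver")),
        "message": f.group("msg"),
    }


def parse_ntlm_auth_status(output: str) -> Tuple[Optional[int], Optional[str]]:
    """Return (code, name) for the NT_STATUS that ntlm_auth appends to its error text."""
    m = _NTSTATUS_RE.search(output)
    if not m:
        return (None, None)
    code = int(m.group(1), 16)
    return (code, NT_STATUS_NAMES.get(code, "UNKNOWN"))


def summarise_debug(lines: Iterable[str]) -> Dict[str, object]:
    """Pull the client MS-CHAP variant, ntlm_auth status and MS-CHAP-Error out of debug lines."""
    summary: Dict[str, object] = {"client_flavour": None, "ntlm_auth_status": None, "mschap_error": None}
    for line in lines:
        m = re.search(r"Client is using (MS-CHAPv[12])", line)
        if m:
            summary["client_flavour"] = m.group(1)
        code, name = parse_ntlm_auth_status(line)
        if code is not None:
            summary["ntlm_auth_status"] = (code, name)
        m = re.search(r'MS-CHAP-Error = "(.*)"', line)
        if m:
            summary["mschap_error"] = parse_mschap_error(m.group(1))
    return summary


# Constructed sample, taken from the lines quoted in the post above.
SAMPLE_DEBUG = [
    "(0) mschap: Client is using MS-CHAPv1 with NT-Password",
    "(0) mschap: ERROR: External script says: The attempted logon is invalid. "
    "This is either due to a bad username or authentication information. (0xc000006d)",
    "(0) mschap: ERROR: MS-CHAP2-Response is incorrect",
    '(4) MS-CHAP-Error = "\\000E=691 R=1 C=877c690dc4020be0 V=2"',
]

if __name__ == "__main__":
    for key, val in summarise_debug(SAMPLE_DEBUG).items():
        print(f"{key}: {val}")
```

Both indicators in the post say the same thing: 0xc000006d is STATUS_LOGON_FAILURE from winbind, and E=691 with an 8-byte challenge and V=2 is the MS-CHAPv1 authentication-failure reply, which matches the "Client is using MS-CHAPv1" line. The V field and challenge length describe the exchange the server actually saw, so they tell you which MS-CHAP variant the client sent; the --allow-mschapv2 flag only affects what ntlm_auth will accept on the winbind side.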
Christian Naumer
2019-Aug-30 10:53 UTC
[Samba] Samba 4.10.7 + freeradius 3.0.17 +ntlm_auth - Debian buster
We have this running but on a DC (Samba 4.10.7).

We have this line in /etc/raddb/mods-enabled/mschap. Only this line!
DOMAIN is the actual netbios name of the domain.

ntlm_auth = "/usr/bin/ntlm_auth --allow-mschapv2 --request-nt-key --username=%{mschap:User-Name:-None} --domain=DOMAIN --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"

Do your users log in with DOMAIN\user or just user? Ours do both.

Freeradius version on our side is 3.0.13.

Regards
--
Dr. Christian Naumer
Unit Head Bioprocess Development
B.R.A.I.N Aktiengesellschaft
Darmstaedter Str. 34-36, D-64673 Zwingenberg
e-mail cn at brain-biotech.com, homepage www.brain-biotech.com
fon +49-6251-9331-30 / fax +49-6251-9331-11
Registered office: Zwingenberg/Bergstrasse
Register court: AG Darmstadt, HRB 24758
Executive board: Dr. Juergen Eck (chairman), Manfred Bender, Ludger Roedder
Chairman of the supervisory board: Dr. Georg Kellinghusen
Rowland penny
2019-Aug-30 11:08 UTC
[Samba] Samba 4.10.7 + freeradius 3.0.17 +ntlm_auth - Debian buster
Sheesh, it is a bit much when even Samba team members do not read the Samba wiki ;-)

https://wiki.samba.org/index.php/Authenticating_Freeradius_against_Active_Directory

Of course, this does raise the problem of what is freeradius going to do when SMBv1 entirely disappears?

Rowland
L.P.H. van Belle
2019-Aug-30 11:09 UTC
[Samba] Samba 4.10.7 + freeradius 3.0.17 +ntlm_auth - Debian buster
Guys, Christian, Marco,

Thank you very much. Marco, you have the best internal wiki :-) Very very useful.

Whooe.. Most is working atm. And as always the solution was so simple.. I forgot... To .. Add...
    ntlm auth = mschapv2-and-ntlmv2-only
To the DC's smb.conf. :-/ Pretty stupid.. But.

So far, it looks good. I've tested now:
    radtest -t mschap username 'passwd' localhost 0 testing
    radtest -t mschap username@REALM 'passwd' localhost 0 testing
These 2 work, thanks for that guys.

Now Christian, this fails for me:
    radtest -t mschap 'NTDOM\username" 'passwd' localhost 0 testing
    ( MS-CHAP-Error = "\000E=691 R=1 C=58f41f1a946ac94a V=2")

So my question here is: are the username@REALM logins also working for you?
And are you using in smb.conf: winbind use default domain = yes

But guys, so far, I'm going very happy towards the weekend..

Greetz,

Louis
L.P.H. van Belle
2019-Aug-30 11:25 UTC
[Samba] Samba 4.10.7 + freeradius 3.0.17 +ntlm_auth - Debian buster
Hee Rowland.. Tss.. Ow yes, I did read all the wikis.. And of course the samba one was the first I did read.
I started here:
https://wiki.samba.org/index.php/VPN_Single_SignOn_with_Samba_AD
Then the other Samba freeradius one (you showed), then.. Debian's, Ubuntu's and more howtos..
Then I got lost, in the maze of incorrect wikis/howtos..

I've updated the samba wiki.
Was: On the Samba 4.6.2 Freeradius server:
New: On the Samba 4.6.2 Freeradius server and on all the Samba AD-DC's:
And now clear to everyone. ;-)

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland penny via samba
> Sent: Friday 30 August 2019 13:09
>
> Sheesh, it is a bit much when even Samba team members do not read the Samba wiki ;-)
>
> https://wiki.samba.org/index.php/Authenticating_Freeradius_against_Active_Directory
>
> Of course, this does raise the problem of what is freeradius going to do when SMBv1 entirely disappears ?

Well, that's why I'm now going to configure kerberos auth and ldap.
I want the same fallback order as in my squid proxy.
Which will result in: kerberos -> ntlm -> ldap ;-)

Greetz,

Louis
Christian Naumer
2019-Aug-30 11:32 UTC
[Samba] Samba 4.10.7 + freeradius 3.0.17 +ntlm_auth - Debian buster
On 30.08.19 at 13:09, L.P.H. van Belle via samba wrote:
> Now Christian, this fails for me.
> radtest -t mschap 'NTDOM\username" 'passwd' localhost 0 testing
> ( MS-CHAP-Error = "\000E=691 R=1 C=58f41f1a946ac94a V=2")
>
> So my question here is, are the username@REALM logins also working for you.
> And are you using in smb.conf : winbind use default domain = yes

username@REALM does not work. However we do not use this.
And as it runs on the DC, "winbind use default domain = yes" is the default.
L.P.H. van Belle
2019-Aug-30 11:56 UTC
[Samba] Samba 4.10.7 + freeradius 3.0.17 +ntlm_auth - Debian buster
Ok, so a summary of the working info you guys gave me.

If running freeradius on an AD-DC, where:
    winbind use default domain = yes
is not working on an AD-DC, it's always no. See output of wbinfo -u
You can login with: username or NTDOM\username.
    test: radtest -t mschap 'NTDOM\username' 'password' localhost 0 testing123
    test: radtest -t mschap 'username' 'password' localhost 0 testing123

If running freeradius on an AD-Member, where:
    winbind use default domain = yes
is working. See output of wbinfo -u
You can login with: username or username@REALM
    test: radtest -t mschap 'username' 'password' localhost 0 testing123
    test: radtest -t mschap 'username@REALM' 'password' localhost 0 testing123

Do note on the REALM. I notice, and maybe a few here can verify this.
If realm is set as:
    [libdefaults]
    default_realm = internal.domain.tld
Trying to login with: username@INTERNAL.DOMAIN.TLD does not work.
You must match CAPS/non-caps in REALM.

And:
    ntlm auth = mschapv2-and-ntlmv2-only
must be set on all servers where it's needed. The member and ALL the AD-DC's.

Respect this and then "it just works" :-)

So far,

Greetz,

Louis
>
> But guys, so far I'm going very happy towards the weekend..
>
> Greetz,
>
> Louis
>
> >> -----Original message-----
> >> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> >> Christian Naumer via samba
> >> Sent: Friday 30 August 2019 12:53
> >> To: samba at lists.samba.org
> >> Subject: Re: [Samba] Samba 4.10.7 + freeradius 3.0.17
> >> +ntlm_auth - Debian buster
> >>
> >> We have this running but on a DC (Samba 4.10.7).
> >>
> >> We have this line in /etc/raddb/mods-enabled/mschap. Only this line!
> >> DOMAIN is the actual NetBIOS name of the domain.
> >>
> >> ntlm_auth = "/usr/bin/ntlm_auth --allow-mschapv2 --request-nt-key
> >> --username=%{mschap:User-Name:-None} --domain=DOMAIN
> >> --challenge=%{mschap:Challenge:-00}
> >> --nt-response=%{mschap:NT-Response:-00}"
> >>
> >> Do your users log in with DOMAIN\user or just user? Ours do both.
> >>
> >> FreeRADIUS version on our side is 3.0.13.
> >>
> >> Regards
> >>
> >> On 30.08.19 at 12:11, L.P.H. van Belle via samba wrote:
> >>> Hai,
> >>>
> >>> It does not happen often but yes, I also need some help, as I can't
> >>> know everything either and I'm new with freeradius.
> >>>
> >>> I'm working on a configuration for samba member + freeradius
> >>> with ntlm_auth.
> >>> Why ntlm_auth? Because the next one is kerberos and ldap
> >>> auth to configure..
> >>> I want to have some fallback options here and you have to
> >>> start somewhere.
> >>>
> >>> This is running on my new proxy/gateway server, which also
> >>> uses ntlm_auth, and that works fine.
> >>>
> >>> Now, basically this looks simple and should be, but I'm missing
> >>> something.
> >>> So what am I doing: I'm following http://deployingradius.com/
> >>> Followed these steps, that works out fine.
> >>> Then we go to:
> >>> http://deployingradius.com/documents/configuration/active_directory.html
> >>>
> >>> For smb.conf I use the config I always use, pretty basic + I
> >>> added (as noted on the site):
> >>> ntlm auth = mschapv2-and-ntlmv2-only
> >>>
> >>> And of course I joined this server to the domain.
> >>>
> >>> Now I'm at: Configuring FreeRADIUS to use ntlm_auth for MS-CHAP
> >>> And I just can not get this to work.
> >>>
> >>> What I notice.
> >>>
> >>> (0) Found Auth-Type = mschap
> >>> (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> >>> (0) authenticate {
> >>> (0) mschap: Client is using MS-CHAPv1 with NT-Password
> >>> (0) mschap: Executing: /usr/bin/ntlm_auth --allow-mschapv2 --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --domain=NTDOM --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}:
> >>> (0) mschap: EXPAND --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
> >>> (0) mschap: --> --username=obell
> >>> (0) mschap: mschap1: d4
> >>> (0) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00}
> >>> (0) mschap: --> --challenge=changedChallenge
> >>> (0) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00}
> >>> (0) mschap: --> --nt-response=ChangedResponse
> >>> (0) mschap: ERROR: Program returned code (1) and output 'The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)'
> >>> (0) mschap: External script failed
> >>> (0) mschap: ERROR: External script says: The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)
> >>> (0) mschap: ERROR: MS-CHAP2-Response is incorrect
> >>> (0) [mschap] = reject
> >>>
> >>> What is not clear here to me is this.
> >>>
> >>> I test: radtest -t mschap myusername 'MyPass!' localhost 0 testing123-1
> >>>
> >>> Response:
> >>> (1) mschap: Client is using MS-CHAPv1 with NT-Password
> >>> Then I'm thinking: why chap-v1?
> >>>
> >>> I'm thinking I'm sending with: --allow-mschapv2 << mschap V2
> >>>
> >>> ntlm_auth = "/usr/bin/ntlm_auth --allow-mschapv2 --request-nt-key \
> >>> --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} \
> >>> --domain=NTDOM --challenge=%{%{mschap:Challenge}:-00} \
> >>> --nt-response=%{%{mschap:NT-Response}:-00}"
> >>>
> >>> In the end all tests result in:
> >>>
> >>> (4) MS-CHAP-Error = "\000E=691 R=1 C=877c690dc4020be0 V=2"
> >>>
> >>> Testing with:
> >>> ntlm_auth --allow-mschapv2 --username=myusername --challenge=0x.... --nt-response=0xx...
> >>> Returns: The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)
> >>>
> >>> So, does someone have an idea what's going on / where to look?
> >>> It's most probably something simple that I'm not seeing..
> >>>
> >>> I did add the freerad user to the winbindd_priv group also.
> >>> I also tried this setup:
> >>> https://wiki.freeradius.org/guide/Active-Directory-direct-via-winbind
> >>> Which looks like a better way to do it, but same results.
> >>>
> >>> I'd be very grateful if someone could help me out here or has ideas on the
> >>> best way to debug this.
> >>> Or if someone has samba 4.9+ working with freeradius and could share
> >>> your config, I can better look at what's off.
> >>>
> >>> Thanks!
> >>>
> >>> Greetz,
> >>>
> >>> Louis
> >>>
> >>
> >> --
> >> Dr. Christian Naumer
> >> Unit Head Bioprocess Development
> >> B.R.A.I.N Aktiengesellschaft
> >> Darmstaedter Str. 34-36, D-64673 Zwingenberg
> >> e-mail cn at brain-biotech.com, homepage www.brain-biotech.com
> >> phone +49-6251-9331-30 / fax +49-6251-9331-11
> >>
> >> Registered office: Zwingenberg/Bergstrasse
> >> Registration court: AG Darmstadt, HRB 24758
> >> Management board: Dr. Juergen Eck (Chairman), Manfred Bender, Ludger Roedder
> >> Chairman of the supervisory board: Dr. Georg Kellinghusen
> >>
> >> --
> >> To unsubscribe from this list go to the following URL and read the
> >> instructions: https://lists.samba.org/mailman/options/samba
> >>
>
> --
> Dr. Christian Naumer
> Unit Head Bioprocess Development
> B.R.A.I.N Aktiengesellschaft
> Darmstaedter Str. 34-36, D-64673 Zwingenberg
> e-mail cn at brain-biotech.com, homepage www.brain-biotech.com
> phone +49-6251-9331-30 / fax +49-6251-9331-11
>
> Registered office: Zwingenberg/Bergstrasse
> Registration court: AG Darmstadt, HRB 24758
> Management board: Dr. Juergen Eck (Chairman), Manfred Bender, Ludger Roedder
> Chairman of the supervisory board: Dr. Georg Kellinghusen
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
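The thread above turns on three things that are easy to get wrong when wiring rlm_mschap to ntlm_auth: which 8-byte value ends up in `--challenge=` for an MS-CHAPv2 request (rlm_mschap computes the RFC 2759 ChallengeHash from the peer challenge, the authenticator challenge and the bare user name, and ntlm_auth verifies the 24-byte NT-Response against that hash, so a challenge hashed with `DOMAIN\user` instead of `user` cannot verify and winbind answers 0xc000006d, STATUS_LOGON_FAILURE), why Christian's question "DOMAIN\user or just user?" matters, and what the `MS-CHAP-Error = "\000E=691 R=1 C=... V=2"` string actually encodes. The following is an added worked example written for this page; it is not code from the thread, from FreeRADIUS or from Samba. It reimplements ChallengeHash exactly as RFC 2759 section 8.1 specifies it and checks it against the RFC's own section 9 test vectors, strips a prepended `DOMAIN\` the way the RFC says the name must be fed to the hash, builds the ntlm_auth argument vector the mschap module's `ntlm_auth = "..."` line expands to (the path and `--domain=NTDOM` are taken from the post; domain stripping on `\` only is an assumption of this example, `user@realm` forms are left to FreeRADIUS's realm handling), and decodes the MS-CHAP-Error attribute format from RFC 2759 section 6. The NT-Response itself is not computed here (that would need MD4 and DES); the RFC vector for it is embedded only so the argv can be shown.

```python
"""MS-CHAPv2 challenge derivation and MS-CHAP-Error decoding, as used when
FreeRADIUS rlm_mschap hands a request to Samba's ntlm_auth.

Added example for this mailing-list thread; not FreeRADIUS or Samba code.
Only the Python standard library is used, so it runs offline.
"""
import hashlib
import re

# RFC 2759 section 9 test vectors (public constants from the RFC, not secrets).
RFC2759_USERNAME = "User"
RFC2759_AUTHENTICATOR_CHALLENGE = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")
RFC2759_PEER_CHALLENGE = bytes.fromhex("21402324255E262A28295F2B3A337C7E")
RFC2759_CHALLENGE = bytes.fromhex("D02E4386BCE91226")          # ChallengeHash output
RFC2759_NT_RESPONSE = bytes.fromhex("82309ECD8D708B5EA08FAA4981CD3C9C4EC4DD3A5A14B51F")

# Error codes defined in RFC 2759 section 6 for the "E=" field.
MSCHAP_ERROR_CODES = {
    646: "ERROR_RESTRICTED_LOGON_HOURS",
    647: "ERROR_ACCT_DISABLED",
    648: "ERROR_PASSWD_EXPIRED",
    649: "ERROR_NO_DIALIN_PERMISSION",
    691: "ERROR_AUTHENTICATION_FAILURE",
    709: "ERROR_CHANGING_PASSWORD",
}


def challenge_hash(peer_challenge: bytes, authenticator_challenge: bytes, username: str) -> bytes:
    """RFC 2759 8.1 ChallengeHash(): SHA1(PeerChallenge || AuthenticatorChallenge || UserName)[:8].

    This 8-byte value is what rlm_mschap's %{mschap:Challenge} expands to for an
    MS-CHAPv2 request, and therefore what lands in ntlm_auth --challenge=.
    """
    if len(peer_challenge) != 16 or len(authenticator_challenge) != 16:
        raise ValueError("PeerChallenge and AuthenticatorChallenge must each be 16 bytes")
    h = hashlib.sha1()
    h.update(peer_challenge)
    h.update(authenticator_challenge)
    h.update(username.encode("ascii"))
    return h.digest()[:8]


def strip_domain(user_name: str) -> str:
    """Return the bare account name: 'NTDOM\\obell' -> 'obell', 'obell' -> 'obell'.

    RFC 2759 feeds only the user name, excluding any prepended domain, into
    ChallengeHash. Assumption of this example: only the backslash form is handled.
    """
    if "\\" in user_name:
        return user_name.rsplit("\\", 1)[1]
    return user_name


def request_challenge(user_name: str, peer_challenge: bytes, authenticator_challenge: bytes) -> bytes:
    """Challenge for a request as the server must derive it: domain stripped first."""
    return challenge_hash(peer_challenge, authenticator_challenge, strip_domain(user_name))


def ntlm_auth_argv(user_name: str, domain: str, challenge: bytes, nt_response: bytes) -> list:
    """The argument vector the thread's mschap 'ntlm_auth = ...' line expands to.

    Path and flags are the ones quoted in the post; hex encoding matches how
    rlm_mschap renders %{mschap:Challenge} and %{mschap:NT-Response}.
    """
    return [
        "/usr/bin/ntlm_auth", "--allow-mschapv2", "--request-nt-key",
        "--username=" + strip_domain(user_name),
        "--domain=" + domain,
        "--challenge=" + challenge.hex(),
        "--nt-response=" + nt_response.hex(),
    ]


def parse_mschap_error(attr: bytes) -> dict:
    """Decode an MS-CHAP-Error attribute value (RFC 2759 section 6).

    Layout: one Ident byte, then 'E=eeeeeeeeee R=r C=cc...cc V=vvvvvvvvvv M=<msg>'.
    C is the new challenge in hex (8 bytes for v1 retry, 16 bytes for v2).
    """
    ident, text = attr[0], attr[1:].decode("ascii", errors="replace")
    head, _, message = text.partition(" M=")            # keep 'M=' free text out of the field scan
    fields = dict(re.findall(r"\b([ERCV])=([^ ]+)", head))
    code = int(fields["E"])
    return {
        "ident": ident,
        "code": code,
        "name": MSCHAP_ERROR_CODES.get(code, "UNKNOWN"),
        "retry_allowed": fields.get("R") == "1",
        "challenge": bytes.fromhex(fields["C"]) if "C" in fields else None,
        "version": int(fields["V"]) if "V" in fields else None,
        "message": message,
    }


if __name__ == "__main__":
    good = request_challenge("NTDOM\\" + RFC2759_USERNAME, RFC2759_PEER_CHALLENGE, RFC2759_AUTHENTICATOR_CHALLENGE)
    bad = challenge_hash(RFC2759_PEER_CHALLENGE, RFC2759_AUTHENTICATOR_CHALLENGE, "NTDOM\\" + RFC2759_USERNAME)
    print("challenge with bare name   :", good.hex(), "(matches RFC 2759 vector)" if good == RFC2759_CHALLENGE else "")
    print("challenge with DOMAIN\\name :", bad.hex(), "(would not verify)")
    print(" ".join(ntlm_auth_argv("NTDOM\\User", "NTDOM", good, RFC2759_NT_RESPONSE)))
    # The exact attribute value Louis quoted in the post.
    print(parse_mschap_error(b"\x00E=691 R=1 C=877c690dc4020be0 V=2"))
```

A practical check this gives you: run ntlm_auth by hand with the RFC 2759 values (`--username=User --challenge=d02e4386bce91226 --nt-response=82309ecd...`) against a test account whose password is `clientPass`; if that succeeds while real requests fail with 0xc000006d, the problem is in how the challenge or user name reaches ntlm_auth, not in winbind or the domain join. Note also that E=691 with R=1 is the generic authentication-failure code and says nothing about which of the two was wrong.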
