Hi there,
I'm trying to get FreeRADIUS to authenticate against my Samba DC. It's
Samba 4.7.6-ubuntu running on Ubuntu 18 (kernel version
4.15.0-66-generic). It came nicely packaged with Zentyal, which provides
a nice GUI for managing a domain, as well as a CA and lots of cool small
features. That same Zentyal also includes support for FreeRADIUS (3.0.16).
This is my smb.conf:
[global]
    workgroup = company
    realm = INTERNAL.COMPANY.COM
    netbios name = dc
    server string = Zentyal Server
    server role = dc
    server role check:inhibit = yes
    server services = -dns
    server signing = auto
    dsdb:schema update allowed = yes
    ldap server require strong auth = no
    drs:max object sync = 1200
    ntlm auth = yes
    idmap_ldb:use rfc2307 = yes
    winbind enum users = yes
    winbind enum groups = yes
    template shell = /bin/bash
    template homedir = /home/%U
    tls enabled = yes
    tls keyfile = /var/lib/zentyal/conf/ssl/ssl.pem
    tls certfile = /var/lib/zentyal/conf/ssl/ssl.pem
    tls cafile
    interfaces = lo,ens3,ens9
    bind interfaces only = yes
    map to guest = Bad User
    log level = 3
    log file = /var/log/samba/samba.log
    max log size = 100000
    include = /etc/samba/shares.conf
[netlogon]
    path = /var/lib/samba/sysvol/internal.company.com/scripts
    browseable = no
    read only = yes
[sysvol]
    path = /var/lib/samba/sysvol
    read only = no
When I run the following, I get no problems whatsoever:
radtest domainuser userpassword localhost 0 secret123
(To those who are not familiar, radtest is a tool for testing
authentication on FreeRADIUS)
Also when I run the following:
ntlm_auth --request-nt-key --domain=COMPANY --username=domainuser --password=userpassword
NT_STATUS_OK: The operation completed successfully. (0x0)
Same with wbinfo -a domainuser%userpassword. In both of these commands
NTLMv2 is being used.
However, if I try to run the following, I get an error:
radtest -t mschap domainuser userpassword localhost 0 secret123
This is what I see in my /var/log/samba/log.wb-COMPANY:
[2019/11/06 15:27:32.944109,  3] ../source3/winbindd/winbindd_pam.c:2138(winbindd_dual_pam_auth_crap)
  [ 3096]: pam auth crap domain: COMPANY user: domainuser
[2019/11/06 15:27:32.944307,  3] ../source3/auth/auth.c:189(auth_check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user [COMPANY]\[domainuser]@[DC1] with the new password interface
[2019/11/06 15:27:32.944345,  3] ../source3/auth/auth.c:192(auth_check_ntlm_password)
  check_ntlm_password:  mapped user is: [COMPANY]\[domainuser]@[DC1]
[2019/11/06 15:27:32.950761,  3] ../source4/auth/ntlm/auth.c:240(auth_check_password_send)
  auth_check_password_send: Checking password for unmapped user [COMPANY]\[domainuser]@[DC1]
  auth_check_password_send: user is: [COMPANY]\[domainuser]@[DC1]
[2019/11/06 15:27:32.952257,  2] ../libcli/auth/ntlm_check.c:430(ntlm_password_check)
  ntlm_password_check: NTLMv1 passwords NOT PERMITTED for user domainuser
[2019/11/06 15:27:32.952306,  3] ../libcli/auth/ntlm_check.c:437(ntlm_password_check)
  ntlm_password_check: NEITHER LanMan nor NT password supplied for user domainuser
[2019/11/06 15:27:32.953703,  2] ../source4/auth/ntlm/auth.c:475(auth_check_password_recv)
  auth_check_password_recv: sam authentication for user [COMPANY\domainuser] FAILED with error NT_STATUS_WRONG_PASSWORD, authoritative=1
[2019/11/06 15:27:32.953814,  2] ../auth/auth_log.c:760(log_authentication_event_human_readable)
  Auth: [winbind,(null)] user [COMPANY]\[domainuser] at [Wed, 06 Nov 2019 15:27:32.953792 CET] with [NTLMv1] status [NT_STATUS_WRONG_PASSWORD] workstation [DC1] remote host [ipv4:127.0.0.1:0] mapped to [COMPANY]\[domainuser]. local host [ipv4:127.0.0.1:0]
[2019/11/06 15:27:32.954029,  2] ../auth/auth_log.c:220(log_json)
  JSON Authentication: {"timestamp": "2019-11-06T15:27:32.953861+0100", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 0}, "status": "NT_STATUS_WRONG_PASSWORD", "localAddress": "ipv4:127.0.0.1:0", "remoteAddress": "ipv4:127.0.0.1:0", "serviceDescription": "winbind", "authDescription": null, "clientDomain": "COMPANY", "clientAccount": "domainuser", "workstation": "DC1", "becameAccount": null, "becameDomain": null, "becameSid": "(NULL SID)", "mappedAccount": "domainuser", "mappedDomain": "COMPANY", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": "(NULL SID)", "passwordType": "NTLMv1"}}
[2019/11/06 15:27:32.954130,  3] ../auth/auth_log.c:139(get_auth_event_server)
  get_auth_event_server: Failed to find 'auth_event' registered on the message bus to send JSON authentication events to: NT_STATUS_OBJECT_NAME_NOT_FOUND
[2019/11/06 15:27:32.954240,  2] ../source3/auth/auth.c:332(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [domainuser] -> [domainuser] FAILED with error NT_STATUS_WRONG_PASSWORD, authoritative=1
[2019/11/06 15:27:32.954311,  2] ../auth/auth_log.c:760(log_authentication_event_human_readable)
  Auth: [winbind,(null)] user [COMPANY]\[domainuser] at [Wed, 06 Nov 2019 15:27:32.954299 CET] with [NTLMv1] status [NT_STATUS_WRONG_PASSWORD] workstation [DC1] remote host [ipv4:127.0.0.1:0] mapped to [COMPANY]\[domainuser]. local host [ipv4:127.0.0.1:0]
[2019/11/06 15:27:32.954380,  2] ../auth/auth_log.c:220(log_json)
  JSON Authentication: {"timestamp": "2019-11-06T15:27:32.954338+0100", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 0}, "status": "NT_STATUS_WRONG_PASSWORD", "localAddress": "ipv4:127.0.0.1:0", "remoteAddress": "ipv4:127.0.0.1:0", "serviceDescription": "winbind", "authDescription": null, "clientDomain": "COMPANY", "clientAccount": "domainuser", "workstation": "DC1", "becameAccount": null, "becameDomain": null, "becameSid": "(NULL SID)", "mappedAccount": "domainuser", "mappedDomain": "COMPANY", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": "(NULL SID)", "passwordType": "NTLMv1"}}
[2019/11/06 15:27:32.954479,  2] ../source3/winbindd/winbindd_pam.c:2108(winbind_dual_SamLogon)
  NTLM CRAP authentication for user [COMPANY]\[domainuser] returned NT_STATUS_WRONG_PASSWORD
The user freerad is added to the winbindd_priv group, and I've also
tried setting ntlm auth = mschapv2-and-ntlmv2-only, and right now it is
set to ntlm auth = yes
Any suggestions as to how I can solve it? I am quite surprised that the
error I get in the end is NT_STATUS_WRONG_PASSWORD.
Thank you in advance, and let me know if I should include any other
information!
Oleg
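An added example, not part of the original post and not code from Samba or FreeRADIUS: the "JSON Authentication" lines in the log above carry a passwordType field, and this script pulls those events out of a log (including one re-wrapped by a mail client) so NTLMv1-typed logons can be inventoried per account before `ntlm auth` is tightened. The function names and the sample log are constructed here; the MSCHAPv2 event in the sample is an assumed illustration.

```python
import json
import re
from collections import Counter

MARKER = re.compile(r"JSON Authentication:\s*")

# Constructed sample: the first event is abridged from the log in this thread;
# the second (how the request might be typed once the caller declares
# MSCHAPv2, an assumption) and the third (a line cut off mid-write) are made up.
SAMPLE_LOG = '''
[2019/11/06 15:27:32.954029,  2] ../auth/auth_log.c:220(log_json)
  JSON Authentication: {"timestamp":
"2019-11-06T15:27:32.953861+0100",
"type": "Authentication", "Authentication": {"version": {"major": 1,
"minor": 0}, "status": "NT_STATUS_WRONG_PASSWORD",
"serviceDescription": "winbind", "clientDomain": "COMPANY",
"clientAccount": "domainuser", "workstation": "DC1", "becameSid": "(NULL
SID)", "passwordType": "NTLMv1"}}
[2019/11/06 17:02:10.000000,  2] ../auth/auth_log.c:220(log_json)
  JSON Authentication: {"timestamp": "2019-11-06T17:02:10.000000+0100", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 0}, "status": "NT_STATUS_OK", "serviceDescription": "winbind", "clientDomain": "COMPANY", "clientAccount": "domainuser", "workstation": "DC1", "passwordType": "MSCHAPv2"}}
[2019/11/06 17:05:00.000000,  2] ../auth/auth_log.c:220(log_json)
  JSON Authentication: {"timestamp": "2019-11-06T17:05:00.000000+0100", "type": "Authenti
'''


def parse_auth_events(log_text):
    """Return the "Authentication" objects found in a Samba log."""
    # Each event is written on one line, but mail clients and pagers re-wrap
    # it (even inside string values), so collapse whitespace before decoding.
    flat = re.sub(r"\s+", " ", log_text)
    decoder = json.JSONDecoder()
    events = []
    for m in MARKER.finditer(flat):
        try:
            obj, _end = decoder.raw_decode(flat, m.end())
        except json.JSONDecodeError:
            continue  # truncated event: skip it rather than guess its fields
        if isinstance(obj, dict) and obj.get("type") == "Authentication":
            events.append(obj.get("Authentication", {}))
    return events


def summarize(events):
    """Count events per (service, DOMAIN\\account, passwordType, status)."""
    counts = Counter()
    for ev in events:
        who = "{}\\{}".format(ev.get("clientDomain"), ev.get("clientAccount"))
        counts[(ev.get("serviceDescription"), who,
                ev.get("passwordType"), ev.get("status"))] += 1
    return counts


def ntlmv1_accounts(events):
    """Accounts that presented an NTLMv1-typed response, whatever the result."""
    return sorted({who for (_svc, who, ptype, _status) in summarize(events)
                   if ptype == "NTLMv1"})


if __name__ == "__main__":
    found = parse_auth_events(SAMPLE_LOG)
    for key, n in sorted(summarize(found).items()):
        print(n, *key)
    print("NTLMv1 seen for:", ", ".join(ntlmv1_accounts(found)))
```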
Hai,

Have you seen:
https://wiki.samba.org/index.php/Authenticating_Freeradius_against_Active_Directory

Test with:
ntlm_auth --allow-mschapv2 --request-nt-key --domain=COMPANY --username=domainuser --password=userpassword

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Oleg Blyahher via samba
> Sent: Wednesday 6 November 2019 16:27
> To: samba at lists.samba.org
> Subject: [Samba] NTLM refuses to work on a DC
Thank you so much Louis!
Adding "--allow-mschapv2" to /etc/freeradius/3.0/mods-enabled/mschap
solved it!
i.e.
ntlm_auth = "/usr/bin/ntlm_auth --allow-mschapv2 --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
Just like the Samba documentation states it...
All the best,
On 2019-11-06 16:44, L.P.H. van Belle wrote:
> Hai,
>
> Have you seen:
> https://wiki.samba.org/index.php/Authenticating_Freeradius_against_Active_Directory
>
> Test with:
> ntlm_auth --allow-mschapv2 --request-nt-key --domain=COMPANY --username=domainuser --password=userpassword
>
> Greetz,
>
> Louis