On Mon, 2023-04-03 at 15:08 +0000, Tim ODriscoll via samba wrote:
Unfortunately it's still erroring out:
(7) mschap: Creating challenge hash with username:
host/SL-6S4BBS3.MYDOMAIN.co.uk
(7) mschap: Client is using MS-CHAPv2
> Is this set as a UPN (with the realm appended) on the user?
I don't see any UPNs in my AD record, only SPNs - unless I
misunderstand you?
I've run the 'radtest' client with '-t mschap' and without
as parameters. Without '-t mschap' works, but with it fails.
I've narrowed down the authenticating DC, turned up logging and found this:
[2023/04/04 08:36:31.653500, 3]
../../source4/auth/ntlm/auth.c:207(auth_check_password_send)
auth_check_password_send: Checking password for unmapped user
[lambrook]\[tim.odriscoll]@[\\FILESB01]
auth_check_password_send: user is: [lambrook]\[tim.odriscoll]@[\\FILESB01]
[2023/04/04 08:36:31.653534, 5]
../../source4/auth/ntlm/auth.c:70(auth_get_challenge)
auth_get_challenge: returning previous challenge by module
netr_LogonSamLogonWithFlags (normal)
[2023/04/04 08:36:31.662327, 2]
../../libcli/auth/ntlm_check.c:473(ntlm_password_check)
ntlm_password_check: NTLMv1 passwords NOT PERMITTED for user tim.odriscoll
[2023/04/04 08:36:31.662372, 3]
../../libcli/auth/ntlm_check.c:480(ntlm_password_check)
ntlm_password_check: NEITHER LanMan nor NT password supplied for user
tim.odriscoll
[2023/04/04 08:36:31.665652, 5]
../../source4/dsdb/common/util.c:5638(dsdb_update_bad_pwd_count)
I've got this in all my DCs' /etc/samba/smb.conf files:
ntlm auth = mschapv2-and-ntlmv2-only
So, am I correct in thinking that the ntlm_auth client is not using ntlmv2?
FreeRADIUS reports this on the error:
(21) Found Auth-Type = mschap
(21) # Executing group from file /etc/raddb/sites-enabled/default
(21) authenticate {
(21) mschap: Client is using MS-CHAPv1 with NT-Password
(21) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key
--username=%{%{mschap:User-Name}:-00} --allow-mschapv2 --domain=lambrook
--challenge=%{%{mschap:Challenge}:-00}
--nt-response=%{%{mschap:NT-Response}:-00}:
(21) mschap: EXPAND --username=%{%{mschap:User-Name}:-00}
(21) mschap: --> --username=tim.odriscoll
(21) mschap: mschap1: 39
(21) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00}
(21) mschap: --> --challenge=3985fc5b9031d694
(21) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00}
(21) mschap: -->
--nt-response=32f3fe95ffa414578c60e77fca9f28af183055a5f46f262d
(21) mschap: ERROR: Program returned code (1) and output 'The attempted
logon is invalid. This is either due to a bad username or authentication
information. (0xc000006d)'
(21) mschap: External script failed
(21) mschap: ERROR: External script says: The attempted logon is invalid. This
is either due to a bad username or authentication information. (0xc000006d)
(21) mschap: ERROR: MS-CHAP2-Response is incorrect
My radtest experiment:
# radtest tim.odriscoll MYPASS localhost 10 testing123
Sent Access-Request Id 138 from 0.0.0.0:41829 to 127.0.0.1:1812 length 99
	User-Name = "tim.odriscoll"
	User-Password = "MYPASS"
	NAS-IP-Address = 192.168.15.22
	NAS-Port = 10
	Message-Authenticator = 0x00
	Cleartext-Password = "MYPASS"
Received Access-Accept Id 138 from 127.0.0.1:1812 to 127.0.0.1:41829 length 36
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = "30"
# radtest -t mschap tim.odriscoll MYPASS localhost 10 testing123
Sent Access-Request Id 108 from 0.0.0.0:33568 to 127.0.0.1:1812 length 139
	User-Name = "tim.odriscoll"
	MS-CHAP-Password = "MYPASS"
	NAS-IP-Address = 192.168.15.22
	NAS-Port = 10
	Message-Authenticator = 0x00
	Cleartext-Password = "MYPASS"
	MS-CHAP-Challenge = 0x84b5ae5ac964eb2c
	MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000da7a0095a13df2402e71c6c167eef1f1ae48514b721fa091
Received Access-Reject Id 108 from 127.0.0.1:1812 to 127.0.0.1:33568 length 61
	MS-CHAP-Error = "\000E=691 R=1 C=3e440e2c7065d8fb V=2"
(0) -: Expected Access-Accept got Access-Reject
Thank you for your assistance - I'm totally out of my depth here!
Tim
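The exchange in the message above, as an added worked example in Python. This is not code from the post, from FreeRADIUS or from Samba. It decodes the MS-CHAP-Response that `radtest -t mschap` sent and the MS-CHAP-Error that came back (both values taken from the post), derives the 8-octet MS-CHAPv2 challenge that FreeRADIUS logs as "Creating challenge hash with username" and passes to `ntlm_auth --challenge` (RFC 2759 ChallengeHash, checked against the RFC's own section 9.2 test vector because the post shows no MS-CHAPv2 exchange), and looks each response kind up against the smb.conf `ntlm auth` values. The point it makes: an MS-CHAP-Response attribute is MS-CHAPv1, and its NT-Response is the NTLMv1 computation over the raw 8-octet challenge, which is exactly what a DC set to `mschapv2-and-ntlmv2-only` logs as "NTLMv1 passwords NOT PERMITTED"; an MS-CHAPv2 client sends a different attribute (MS-CHAP2-Response), and `ntlm_auth --allow-mschapv2` is what lets that setting accept it. The `NTLM_AUTH_POLICY` table and `dc_accepts()` are this example's own summary of the smb.conf man page, not a Samba API; the MS-CHAP2-Response built from the RFC vector is constructed for illustration.

```python
"""Decode the MS-CHAP RADIUS attributes from the post and derive the 8-octet
MS-CHAPv2 challenge that FreeRADIUS hands to ntlm_auth. Added example, not
code from the post, FreeRADIUS or Samba. Layouts: RFC 2548 (MS-CHAP-Response,
MS-CHAP2-Response, MS-CHAP-Error) and RFC 2759 section 8.2 (ChallengeHash)."""
import hashlib
import re

# RFC 2759 section 6 failure codes carried in the MS-CHAP-Error "E=" field.
MSCHAP_ERRORS = {646: "ERROR_RESTRICTED_LOGON_HOURS", 647: "ERROR_ACCT_DISABLED",
                 648: "ERROR_PASSWD_EXPIRED", 649: "ERROR_NO_DIALIN_PERMISSION",
                 691: "ERROR_AUTHENTICATION_FAILURE", 709: "ERROR_CHANGING_PASSWORD"}

# What a Samba DC accepts for each smb.conf "ntlm auth" value: this example's
# summary of the man page, not a Samba API. The post's DCs run the third one.
NTLM_AUTH_POLICY = {"ntlmv1-permitted": {"NTLMv1", "MSCHAPv2", "NTLMv2"},
                    "ntlmv2-only": {"NTLMv2"},
                    "mschapv2-and-ntlmv2-only": {"MSCHAPv2", "NTLMv2"},
                    "disabled": set()}

def parse_mschap_response(attr_name, raw):
    """Decode MS-CHAP-Response (v1) or MS-CHAP2-Response (v2). Both are 50 octets,
    so the attribute name, not the length, tells you which version the client spoke."""
    if len(raw) != 50:
        raise ValueError(f"{attr_name}: expected 50 octets, got {len(raw)}")
    ident, flags = raw[0], raw[1]
    if attr_name == "MS-CHAP-Response":
        # RFC 2548 2.1.3: Ident, Flags (1 = check the NT-Response), LM-Response(24),
        # NT-Response(24). The NT-Response is DES of the NT hash over the raw 8-octet
        # challenge, i.e. the NTLMv1 computation that mschapv2-and-ntlmv2-only refuses.
        return {"version": 1, "ident": ident, "flags": flags, "peer_challenge": b"",
                "lm_response": raw[2:26], "nt_response": raw[26:50],
                "ntlm_equivalent": "NTLMv1"}
    if attr_name == "MS-CHAP2-Response":
        # RFC 2548 2.3.2: Ident, Flags (must be 0), Peer-Challenge(16), Reserved(8),
        # Response(24). The DES runs over challenge_hash() instead of the raw
        # challenge, and ntlm_auth --allow-mschapv2 tells the DC to treat it as such.
        if flags != 0:
            raise ValueError("MS-CHAP2-Response: Flags octet must be zero")
        return {"version": 2, "ident": ident, "flags": flags, "peer_challenge": raw[2:18],
                "lm_response": b"", "nt_response": raw[26:50],
                "ntlm_equivalent": "MSCHAPv2"}
    raise ValueError(f"not an MS-CHAP response attribute: {attr_name}")

def dc_accepts(ntlm_auth_setting, ntlm_equivalent):
    """Would a DC with this "ntlm auth" value accept a response of that kind?"""
    return ntlm_equivalent in NTLM_AUTH_POLICY[ntlm_auth_setting]

def challenge_hash(peer_challenge, authenticator_challenge, username):
    """RFC 2759 8.2 ChallengeHash: SHA-1(PeerChallenge || AuthenticatorChallenge ||
    UserName)[:8]. This is the value FreeRADIUS logs as "Creating challenge hash
    with username" and passes to ntlm_auth --challenge for an MS-CHAPv2 client.
    A prepended DOMAIN\\ is excluded from the user name, as the RFC requires."""
    if len(peer_challenge) != 16 or len(authenticator_challenge) != 16:
        raise ValueError("both challenges must be 16 octets")
    h = hashlib.sha1(peer_challenge + authenticator_challenge)
    h.update(username.split("\\")[-1].encode())
    return h.digest()[:8]

_ERR_RE = re.compile(r"E=(\d+) R=([01]) C=([0-9A-Fa-f]{16}) V=(\d+)(?: M=(.*))?$")

def parse_mschap_error(value):
    """Decode MS-CHAP-Error: one Ident octet, then "E=eee R=r C=cccc V=v [M=msg]"
    (RFC 2548 2.1.6, RFC 2759 section 6). FreeRADIUS prints the NUL Ident as \\000."""
    m = _ERR_RE.match(value[1:])
    if not m:
        raise ValueError(f"unparseable MS-CHAP-Error: {value!r}")
    code = int(m.group(1))
    return {"ident": ord(value[0]), "error": code,
            "error_name": MSCHAP_ERRORS.get(code, "UNKNOWN"),
            "retry_allowed": m.group(2) == "1", "new_challenge": bytes.fromhex(m.group(3)),
            "version": int(m.group(4)), "message": m.group(5) or ""}

# Sample inputs. The first two are the values from the post's radtest run (the
# MS-CHAP-Response reassembled from its Ident/Flags/LM/NT fields). The rest is the
# RFC 2759 9.2 test vector, used because the post shows no MS-CHAPv2 exchange.
POST_MSCHAP_RESPONSE = bytes.fromhex("0001") + bytes(24) + bytes.fromhex(
    "da7a0095a13df2402e71c6c167eef1f1ae48514b721fa091")
POST_MSCHAP_ERROR = "\x00E=691 R=1 C=3e440e2c7065d8fb V=2"
RFC2759_PEER = bytes.fromhex("21402324255e262a28295f2b3a337c7e")
RFC2759_AUTH = bytes.fromhex("5b5d7c7d7b3f2f3e3c2c602132262628")
RFC2759_NT_RESPONSE = bytes.fromhex("82309ecd8d708b5ea08faa3981cd83544233114a3d85d6df")
# A constructed MS-CHAP2-Response carrying that vector: Ident 1, Flags 0, Reserved 0.
RFC2759_MSCHAP2_RESPONSE = bytes([1, 0]) + RFC2759_PEER + bytes(8) + RFC2759_NT_RESPONSE

if __name__ == "__main__":
    r = parse_mschap_response("MS-CHAP-Response", POST_MSCHAP_RESPONSE)
    print(f"radtest sent MS-CHAPv{r['version']}; the DC checks it as {r['ntlm_equivalent']}; "
          f"accepted under mschapv2-and-ntlmv2-only: {dc_accepts('mschapv2-and-ntlmv2-only', r['ntlm_equivalent'])}")
    e = parse_mschap_error(POST_MSCHAP_ERROR)
    print(f"reply: {e['error_name']} ({e['error']}), retry={e['retry_allowed']}, new challenge {e['new_challenge'].hex()}")
    print("RFC 2759 ChallengeHash:", challenge_hash(RFC2759_PEER, RFC2759_AUTH, "User").hex())
```

Run it as-is to see the three lines it prints; the one practical check it gives you is that `radtest -t mschap` only ever exercises the MS-CHAPv1 path (the MS-CHAP-Response attribute), so it cannot tell you whether the MS-CHAPv2 path through `ntlm_auth --allow-mschapv2` works against a DC set to `mschapv2-and-ntlmv2-only`.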