samba - Apr 2023 - Fwd: ntlm_auth and freeradius

On Mon, 2023-04-03 at 15:08 +0000, Tim ODriscoll via samba
wrote:
> Unfortunately it's still erroring out:
> (7) mschap: Creating challenge hash with username:
host/SL-6S4BBS3.MYDOMAIN.co.uk
> (7) mschap: Client is using MS-CHAPv2
Is this set as a UPN (with the realm appended) on the user?

-- 
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Developer, Catalyst IT https://catalyst.net.nz/services/samba

Op 04-04-2023 om 00:32 schreef Andrew Bartlett:
> On Mon, 2023-04-03 at 15:08 +0000, Tim ODriscoll via samba wrote:
>> Unfortunately it's still erroring out:
>> (7) mschap: Creating challenge hash with username:
host/SL-6S4BBS3.MYDOMAIN.co.uk
>> (7) mschap: Client is using MS-CHAPv2
>
> Is this set as a UPN (with the realm appended) on the user?
>
In my environment (where samba + freeradius + wifi connect with machine 
account works), there is no UPN set on the machine account, just a set 
of SPNs:

servicePrincipalName: HOST/myhost.example.com
servicePrincipalName: RestrictedKrbHost/myhost.example.com
servicePrincipalName: HOST/MYHOST
servicePrincipalName: RestrictedKrbHost/BARTOK
servicePrincipalName: WSMAN/myhost.example.com
servicePrincipalName: WSMAN/myhost
servicePrincipalName: TERMSRV/myhost.example.com
servicePrincipalName: TERMSRV/MYHOST

One of which does match with the username in Tim's output, btw. I have 
seen exactly the same username format while I was setting this up around 
a month ago.

- Kees.
> -- 
> Andrew Bartlett (he/him)https://samba.org/~abartlet/
> Samba Team Member (since 2001)https://samba.org
> Samba Developer, Catalyst IThttps://catalyst.net.nz/services/samba
>

On Mon, 2023-04-03 at 15:08 +0000, Tim ODriscoll via samba wrote:

Unfortunately it's still erroring out:

(7) mschap: Creating challenge hash with username:
host/SL-6S4BBS3.MYDOMAIN.co.uk

(7) mschap: Client is using MS-CHAPv2
> Is this set as a UPN (with the realm appended) on the user?
I don't see any UPN's in my AD record, only SPNs - unless I
misunderstand you?

I've run the 'radtest' client with '-t mschap' and without
as parameters. Without '-t mschap' works, but with it fails.

I've narrowed down the authenticating DC, turned up logging and found this:
[2023/04/04 08:36:31.653500,  3]
../../source4/auth/ntlm/auth.c:207(auth_check_password_send)
  auth_check_password_send: Checking password for unmapped user
[lambrook]\[tim.odriscoll]@[\\FILESB01]
  auth_check_password_send: user is: [lambrook]\[tim.odriscoll]@[\\FILESB01]
[2023/04/04 08:36:31.653534,  5]
../../source4/auth/ntlm/auth.c:70(auth_get_challenge)
  auth_get_challenge: returning previous challenge by module
netr_LogonSamLogonWithFlags (normal)
[2023/04/04 08:36:31.662327,  2]
../../libcli/auth/ntlm_check.c:473(ntlm_password_check)
  ntlm_password_check: NTLMv1 passwords NOT PERMITTED for user tim.odriscoll
[2023/04/04 08:36:31.662372,  3]
../../libcli/auth/ntlm_check.c:480(ntlm_password_check)
  ntlm_password_check: NEITHER LanMan nor NT password supplied for user
tim.odriscoll
[2023/04/04 08:36:31.665652,  5]
../../source4/dsdb/common/util.c:5638(dsdb_update_bad_pwd_count)

I've got this on all my DC's /etc/samba/smb.conf files:
ntlm auth = mschapv2-and-ntlmv2-only

So, am I correct in thinking that the ntlm_auth client is not using ntlmv2?

FreeRADIUS reports this on the error:
(21) Found Auth-Type = mschap
(21) # Executing group from file /etc/raddb/sites-enabled/default
(21)   authenticate {
(21) mschap: Client is using MS-CHAPv1 with NT-Password
(21) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key
--username=%{%{mschap:User-Name}:-00} --allow-mschapv2 --domain=lambrook
--challenge=%{%{mschap:Challenge}:-00}
--nt-response=%{%{mschap:NT-Response}:-00}:
(21) mschap: EXPAND --username=%{%{mschap:User-Name}:-00}
(21) mschap:    --> --username=tim.odriscoll
(21) mschap: mschap1: 39
(21) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00}
(21) mschap:    --> --challenge=3985fc5b9031d694
(21) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00}
(21) mschap:    -->
--nt-response=32f3fe95ffa414578c60e77fca9f28af183055a5f46f262d
(21) mschap: ERROR: Program returned code (1) and output 'The attempted
logon is invalid. This is either due to a bad username or authentication
information. (0xc000006d)'
(21) mschap: External script failed
(21) mschap: ERROR: External script says: The attempted logon is invalid. This
is either due to a bad username or authentication information. (0xc000006d)
(21) mschap: ERROR: MS-CHAP2-Response is incorrect

My radtest experiment:
# radtest tim.odriscoll MYPASS localhost 10 testing123
Sent Access-Request Id 138 from 0.0.0.0:41829 to 127.0.0.1:1812 length 99
??????User-Name = "tim.odriscoll"
??????User-Password = "MYPASS"
??????NAS-IP-Address = 192.168.15.22
??????NAS-Port = 10
??????Message-Authenticator = 0x00
??????Cleartext-Password = "MYPASS"
Received Access-Accept Id 138 from 127.0.0.1:1812 to 127.0.0.1:41829 length 36
??????Tunnel-Type:0 = VLAN
??????Tunnel-Medium-Type:0 = IEEE-802
??????Tunnel-Private-Group-Id:0 = "30"

# radtest -t mschap tim.odriscoll MYPASS localhost 10 testing123
Sent Access-Request Id 108 from 0.0.0.0:33568 to 127.0.0.1:1812 length 139
??????User-Name = "tim.odriscoll"
??????MS-CHAP-Password = "MYPASS"
??????NAS-IP-Address = 192.168.15.22
??????NAS-Port = 10
??????Message-Authenticator = 0x00
??????Cleartext-Password = "MYPASS"
??????MS-CHAP-Challenge = 0x84b5ae5ac964eb2c
??????MS-CHAP-Response =
0x0001000000000000000000000000000000000000000000000000da7a0095a13df2402e71c6c167eef1f1ae48514b721fa091
Received Access-Reject Id 108 from 127.0.0.1:1812 to 127.0.0.1:33568 length 61
??????MS-CHAP-Error = "\000E=691 R=1 C=3e440e2c7065d8fb V=2"
(0) -: Expected Access-Accept got Access-Reject

Thank you for your assistance - I'm totally out of my depth here!

Tim