Displaying 20 results from an estimated 4000 matches similar to: "'winbind use default domain' doesn't appear to work with ntlm_auth"
2017 Jun 12
2
'winbind use default domain' doesn't appear to work with ntlm_auth
Hi everyone,
We just upgraded Samba from 4.4.5 to 4.6.5 and appear to be experiencing a problem with authentication, when the RPC domain is not supplied as part of the username.
I have two scenarios where this has cropped up:
RADIUS authentication using ntlm_auth
Apache HTTP using mod_auth_ntlm_winbind
RADIUS authentication:
We use the freeRADIUS 'mschap' module to provide
2018 Dec 21
2
upg. CentOS 7.5 to 7.6: unable to mount smb shares - samba NT domain member using ldap
Originally I posted this question at CentOS forum 20.12.2018.
https://www.centos.org/forums/viewtopic.php?f=48&t=69193
Hi all,
I am not able to mount samba shares after upgrading CentOS 7.5 to 7.6. I
have been searching and trying to configure samba and winbind but no
success. I find a lot of manuals and help pages about setting samba and
winbind for machine acting as AD DC member but
2007 Dec 11
1
ntlm_auth only supports ntlmv1 and not ntlmv2 ?
Hello,
I set up a squid proxy that should authenticate users against a samba PDC using winbind.
It works fine as long as I allow ntlmv1:
on the PDC:
ntlm auth = yes
lanman auth = no
client ntlmv2 auth = yes
If I restrict the domain's authentication method to ntlmv2 - that's what I want - with these settings:
ntlm auth = no
lanman auth = no
client
2023 Apr 04
2
Fwd: ntlm_auth and freeradius
> You said earlier that you have set ntlm auth = mschapv2-and-ntlmv2-only
Yes, I found that here:
https://wiki.samba.org/index.php/Authenticating_Freeradius_against_Active_Directory
> This means to reject NTLMv1, which MSCHAPv2 is cryptographically, unless the client makes special pleading that it used MSCHAPv2 with its client.
> This is related to the missing ntlm_auth option
2023 Apr 04
1
Fwd: ntlm_auth and freeradius
On Tue, 2023-04-04 at 07:55 +0000, Tim ODriscoll wrote:
> On Mon, 2023-04-03 at 15:08 +0000, Tim ODriscoll via samba wrote:
>
> > Unfortunately it's still erroring out:
> > (7) mschap: Creating challenge hash with username: host/SL-6S4BBS3.MYDOMAIN.co.uk
> > (7) mschap: Client is using MS-CHAPv2
>
> > Is this set as a
2017 May 29
0
ntlm_auth with freeradius
Hey,
In samba 4.5.0 update notes it states:
/NTLMv1 authentication disabled by default
-----------------------------------------
In order to improve security
we have changed the default value for the "ntlm auth" option from "yes"
to "no". This may have impact on very old clients which doesn't support
NTLMv2 yet. The primary user of NTLMv1 is MSCHAPv2 for
2007 Apr 26
1
ntlm_auth to AD with only ntlmv2 enabled failing
Hello,
We have samba 3.0.23 installed. We are using free radius to take
authentication requests from a nortel vpn server and using ntlm_auth
trying to authenticate users against AD.
This setup works fine when on the AD side ntlmv1 and ntlmv2 are enabled.
(IE. Users can authenticate).
However, when only ntlmv2 is enabled users are unable to authenticate.
I have searched various places and while
2016 Apr 15
1
samba 4.4.2 freeradius authentication with ntlm_auth
> On Apr 15, 2016, at 15:06 , Andrew Bartlett <abartlet at samba.org> wrote:
>
>
> Yes, this really, really sucks. MSCHAPv2 is NTLM, not NTLMv2 based.
> This is despite NTLMv2 being around when they 'designed' this
> mechanism. Sadly no attempt has been made to somehow get an MSCHAPv3
> in that uses NTLMv2.
>
> On Windows, setting a special flag
2023 Apr 04
1
Fwd: ntlm_auth and freeradius
On Mon, 2023-04-03 at 15:08 +0000, Tim ODriscoll via samba wrote:
Unfortunately it's still erroring out:
(7) mschap: Creating challenge hash with username: host/SL-6S4BBS3.MYDOMAIN.co.uk
(7) mschap: Client is using MS-CHAPv2
> Is this set as a UPN (with the realm appended) on the user?
I don't see any UPN's in my AD record, only SPNs - unless I misunderstand you?
I've run
2017 Oct 17
3
ntlm_auth and SMBv2/v3
Hello Andrew,
Do you plan to release the patch for "ntlm auth =
mschapv2-only" option soon ?
We need this in order to use freeradius in
a "more safe" scenario than with "ntlm auth = yes"
Best
Regard,
Lulzim KELMENI
Direction des Systèmes d'Information
Mairie de
Saint-Ouen
On 08/06/2017 21:36, Andrew Bartlett via samba wrote:
>
On Thu, 2017-06-08 at
2017 Jun 08
0
ntlm_auth and SMBv2/v3
On Thu, 2017-06-08 at 15:30 +0200, L.P.H. van Belle via samba wrote:
> hai,
>
> Please keep mailing to the list, this way it shows up for others also.
> A workaround for disabling SMBv1, you can make your server less secure but that's not what I would do.
>
> Setting these to enable NTLM v1 again.
>
> lanman auth = yes
NEVER set this.
> ntlm auth = yes
This
2024 Jan 27
1
ntlm_auth not returning "STATUS_OK"
On 27-01-2024 11:56, Rowland Penny via samba wrote:
> On Fri, 26 Jan 2024 22:22:49 -0500
> Mark Foley via samba<samba at lists.samba.org> wrote:
>
>> On Wed Jan 24 05:03:25 2024 Rowland Penny via samba
>> <samba at lists.samba.org> wrote:
>>> On Tue, 23 Jan 2024 17:07:35 -0500
>>> Mark Foley via samba<samba at lists.samba.org> wrote:
2024 Jan 27
2
ntlm_auth not returning "STATUS_OK"
On Fri, 26 Jan 2024 22:22:49 -0500
Mark Foley via samba <samba at lists.samba.org> wrote:
> On Wed Jan 24 05:03:25 2024 Rowland Penny via samba
> <samba at lists.samba.org> wrote:
> >
> > On Tue, 23 Jan 2024 17:07:35 -0500
> > Mark Foley via samba <samba at lists.samba.org> wrote:
> >
> > > On Mon Jan 22 11:00:59 2024 Mark Foley via samba
2018 Dec 21
0
upg. CentOS 7.5 to 7.6: unable to mount smb shares - samba NT domain member using ldap
I am sorry the logs are badly formatted. I am trying again and hope it will be
better. Otherwise look at the link below or tell me how to send logs correctly.
Mirek
21.12.2018 at 13:19 Miroslav Geisselreiter:
> Originally I posted this question at CentOS forum 20.12.2018.
> https://www.centos.org/forums/viewtopic.php?f=48&t=69193
>
> Hi all,
>
> I am not able to mount samba shares
2018 Mar 26
1
freeradius + NTLM + samba AD 4.5.x
It is an issue that I myself would also like to solve.
I found multiple threads in samba and freeradius mailing lists. It seems
that every couple of months there is question like this either here on
FR mailing list and all point down to the same issue, that is:
freeradius uses ntlm_auth (even when using winbind with newer freeradius
versions, it also in the end uses ntlm_auth). And since
2018 Mar 26
3
freeradius + NTLM + samba AD 4.5.x
Also I just facepalmed, as I double checked smb.conf right after sending
mail, and in samba 4.7 there are new options available for "ntlm auth",
as stated in docs:
|mschapv2-and-ntlmv2-only| - Only allow NTLMv1 when the client promises
that it is providing MSCHAPv2 authentication (such as the |ntlm_auth| tool).
So that is, I suppose, that special "flag" that is used by
2020 Sep 24
2
Negotiates g729 but RTP contains g711
Hi,
I was able to use Unsniff to validate that the incoming 20 byte payloads of audio from the downstream IAX2 trunk were definitely G.729a whilst Asterisk 16.13.0 transcodes to G.711a unnecessarily. Media is confirmed as having been negotiated as g729 on all four streams. Nuance with this call is that it's from a WebRTC client which doesn't transmit any audio, could this be influencing
2018 Mar 26
2
freeradius + NTLM + samba AD 4.5.x
Hello,
I've done some further testing, and I have to correct myself.
I was (kind of obviously as I think about it) wrong about samba on the
freeradius server requiring v. 4.7. What makes all the difference is the
method used by mschap.
Traditionally in freeradius in mods-available/mschap you'll use
something like:
ntlm_auth = "/path/to/ntlm_auth --request-nt-key
2017 May 29
2
ntlm_auth with freeradius
On 29 May 2017 12:32
> When running 'winbindd -SFd5', I see a little more of the problem after I run my two ntlm_auth commands
> one after the other. I believe the 'crap' part is an acronym for 'Challenge Response
> Authentication Protocol', so why would it be failing?
Edit2:
wbinfo -a tim.odriscoll%<mypass> works perfectly, with the winbindd debug logs
2018 Mar 28
0
ODP: Re: freeradius + NTLM + samba AD 4.5.x
Hi,
thank you very much for testing everything out. Great work!
One question: passchange - which applications are working with passchange
on radius?
At the moment every user with an expired password is NOT able to use
services using radius
for authentication (WLAN,VPN). Is there any documentation available ?
Bye, Peer
On 27.03.2018 22:40, Kacper Wirski via samba wrote:
> Hello,
>
>