similar to: ODP: Re: freeradius + NTLM + samba AD 4.5.x

Hello, I can definately confirm that it's working. My basic setup is: 1) Samba 4.7.6 AD DC (2 of them), compiled from source, on centos 7 2) Freeradius 3.0.13 + samba 4.6.2 as domain member, packages straight from centos repo. // I  tested also on freeradius 3.0.14 and samba 4.7.x smb.conf on the DC is pretty basic, most important is obviously in [globall]:         ntlm auth =

Ok, I finally could try it out, and it seems to actually work, but You need samba 4.7 on all machines, not only AD, but also server with freeradius. I didn't get a chance to test it locally, that is samba AD + freeradius on the same server. Setup: 4.7.6 AD server and 4.6.2 samba member + freeradius didn't work (got simple "nt_status_wrong_password") but: 4.7.6 AD and 4.7.1

Hello, I've done some further testing, and I have to correct myself. I was (kind of obviously as I think about it) wrong about samba on the freeradius server requiring v. 4.7. What makes all the difference is the method used by mschap. Traditionally in freeradius in mods-available/mschap you'll use something like: ntlm_auth = "/path/to/ntlm_auth --request-nt-key

Hi, thank you very much for testing everything out. Great work! One question: passchange - which application are working with passchange on radius ? In the moment every user with an expired password is NOT able to use services using radius for authentication (WLAN,VPN). Is there any documentation available ? Bye, Peer On 27.03.2018 22:40, Kacper Wirski via samba wrote: > Hello, > >

Also I just facepalmed, as I double checked smb.conf right after sending mail, and in samba 4.7 there are new options available for "ntlm auth", as stated in docs: |mschapv2-and-ntlmv2-only| - Only allow NTLMv1 when the client promises that it is providing MSCHAPv2 authentication (such as the |ntlm_auth| tool). So that is is I suppose that special "flag" that is used by

> You said earlier that you have set ntlm auth = mschapv2-and-ntlmv2-only Yes, I found that here: https://wiki.samba.org/index.php/Authenticating_Freeradius_against_Active_Directory > This means to reject NTLMv1, which MSCHAPv2 is cryptographically, unless the client makes special pleading that it used MSCHAPv2 with it's client. > This is related to the missing ntlm_auth option

Currently (samba 4 NT-like domains) i use extensively NTLM auth in freeradius and more mildly in squid, respectively with: Freeradius (mschap module): ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=SANVITO --username=%{mschap:User-Name:-None} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" squid3: auth_param ntlm program /usr/bin/ntlm_auth

On Tue, 2023-04-04 at 07:55 +0000, Tim ODriscoll wrote: > On Mon, 2023-04-03 at 15:08 +0000, Tim ODriscoll via samba wrote: > > > > > > Unfortunately it's still erroring out: > > (7) mschap: Creating challenge hash with username: host/SL- > > 6S4BBS3.MYDOMAIN.co.uk > > (7) mschap: Client is using MS-CHAPv2 > > > > > Is this set as a

It is an issue that I myself would also like to solve. I found multiple threads in samba and freeradius mailing lists. It seems that every couple of months there is question like this either here on FR mailing list and all point down to the same issue, that is: freeradius uses ntlm_auth (even when using winbind with newer freeradius versions, it also in the end uses ntlm_auth). And since

On Mon, 2023-04-03 at 15:08 +0000, Tim ODriscoll via samba wrote: Unfortunately it's still erroring out: (7) mschap: Creating challenge hash with username: host/SL-6S4BBS3.MYDOMAIN.co.uk (7) mschap: Client is using MS-CHAPv2 > Is this set as a UPN (with the realm appended) on the user? I don't see any UPN's in my AD record, only SPNs - unless I misunderstand you? I've run

Op 03-04-2023 om 16:05 schreef Tim ODriscoll via samba: > Dear All, > > I'm trying to setup FreeRADIUS to authenticate a machine account to grant access to wifi for domain-connected machines. I think I've got the GPO's set up properly and the CA deployed to the clients, as I'm not getting any errors there. > > The errors I'm getting are to do with ntlm_auth not

Hai, It does not happen often but yes, i also need some help as i cant know everything also and im new with freeradius. Im working on a configuration for samba member + freeradius with ntlm_auth. Why ntlm_auth, because the next one is kerberos and ldap auth to configure.. I want to have some fallback options here and you have to start somewhere. This is running on my new proxy/gateway

Dear All, I'm trying to setup FreeRADIUS to authenticate a machine account to grant access to wifi for domain-connected machines. I think I've got the GPO's set up properly and the CA deployed to the clients, as I'm not getting any errors there. The errors I'm getting are to do with ntlm_auth not authenticating my machine account. Everything looks OK (to me) on the command

Hi there, I'm trying to get FreeRADIUS to authenticate against my Samba DC. It's Samba 4.7.6-ubuntu running on Ubuntu 18 (kernel version 4.15.0-66-generic). It came nicely packaged with Zentyal, which provides a nice GUI for managing a domain, as well as a CA and lots of cool small features. That same Zentyal also includes support for FreeRADIUS (3.0.16). This is my smb.conf:

Hi, we have updated our samba AD domain from 4.4.x to 4.5.x. The release notes for 4.5.0 included  "NTLMv1 authentication disabled by default". So we had to enable it to get our radius (freeradius) server working (for 802.1x). What would be the best way to change the freeradius configuration in such a way, that we can disable NTLMv1 again. The radius server is used for WLAN

On Mon, 2023-04-03 at 15:08 +0000, Tim ODriscoll via samba wrote: > Unfortunately it's still erroring out: > (7) mschap: Creating challenge hash with username: host/SL-6S4BBS3.MYDOMAIN.co.uk > (7) mschap: Client is using MS-CHAPv2 Is this set as a UPN (with the realm appended) on the user? -- Andrew Bartlett (he/him) https://samba.org/~abartlet/ Samba Team Member (since 2001)

> I guess we have to look at the conf files then, first these two: Thank you for the config file snippets. I can confirm mine were almost identical, so I've tweaked them so that they are now exactly the same as yours except for the "--require-membership-of=example\authorization_groupname" line in ntlm_auth. Unfortunately it's still erroring out: (7) mschap: Creating

Hello, i've configured a new freeradius server for WLAN authentication. My radius server is a domain member on my samba 4.7.12 ADDC. For my mschap configuration i followd this guide: https://wiki.samba.org/index.php/Authenticating_Freeradius_against_Active_Directory. The auth works! I can configure ntlm_auth in two differents way? ntlm_auth = "/path/to/ntlm_auth*--allow-mschapv2*

Op 03-04-2023 om 16:05 schreef Tim ODriscoll via samba: > Dear All, > > I'm trying to setup FreeRADIUS to authenticate a machine account to grant access to wifi for domain-connected machines. I think I've got the GPO's set up properly and the CA deployed to the clients, as I'm not getting any errors there. > > The errors I'm getting are to do with ntlm_auth not

Dear List, My domain +/- works, so I try to fix rest services based on domain NT/AD.... I use WiFi authorization with PEAP/MSCHAPv2 + freeradius (before migration it works). And after migration autorization does not work. Freeradius server is on samba domain member. So i check domain connectivity: [root at see-you-later samba]# net ads testjoin Join is OK [root at see-you-later samba]#