Re: [Samba] ntlm_auth to AD with only ntlmv2 enabled failing

2007-04-27 Thread Andrew Bartlett
On Thu, 2007-04-26 at 15:51 -0500, Mary Stevens wrote:
> Hello,
> 
> We have Samba 3.0.23 installed. We are using FreeRADIUS to take
> authentication requests from a Nortel VPN server and using ntlm_auth
> trying to authenticate users against AD.
> 
> This setup works fine when on the AD side NTLMv1 and NTLMv2 are enabled.
> (i.e. users can authenticate).
> 
> However, when only ntlmv2 is enabled users are unable to authenticate.
> I have searched various places and while I have seen a couple of other
> questions about getting this to work, I haven't found any answers.

The problem is, MSCHAPv2 *is* ntlm1, so everything is working exactly as
expected.  Microsoft clearly has a workaround, allowing the member
server to say 'pretend this is NTLMv2, even if it is not', to allow
RADIUS to work.

I need to see clear (i.e., disable schannel protection) traces of this
traffic (and comparisons with NTLMv1 requests) to determine the flag in
use, so that we can reproduce the behaviour.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
Samba Developer, Red Hat Inc.  http://redhat.com



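The point in Andrew's reply, worked through as an added example (mine, not code from this thread, from Samba or from FreeRADIUS): the --nt-response that FreeRADIUS hands to ntlm_auth is DESL(NThash, challenge), the same function MS-NLMP specifies for the NTLMv1 response, so a DC that refuses NTLMv1 has nothing to validate it with; NTLMv2 instead proves the password with HMAC-MD5 keyed by NTOWFv2 and never runs DES. The Go below implements MD4 itself because Go's standard library lacks it, takes the published RFC 2759 and MS-NLMP test vectors as its only (constructed) input, and the function names are this example's own.

```go
package main

import (
	"crypto/des"
	"crypto/sha1"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"math/bits"
	"unicode/utf16"
)

// md4 is a minimal RFC 1320 MD4; the NT hash is MD4 over the UTF-16LE password.
func md4(data []byte) []byte {
	a, b, c, d := uint32(0x67452301), uint32(0xefcdab89), uint32(0x98badcfe), uint32(0x10325476)
	msg := append(append([]byte{}, data...), 0x80)
	for len(msg)%64 != 56 {
		msg = append(msg, 0)
	}
	msg = append(msg, make([]byte, 8)...)
	binary.LittleEndian.PutUint64(msg[len(msg)-8:], uint64(len(data))*8)
	f := func(x, y, z uint32) uint32 { return (x & y) | (^x & z) }
	g := func(x, y, z uint32) uint32 { return (x & y) | (x & z) | (y & z) }
	h := func(x, y, z uint32) uint32 { return x ^ y ^ z }
	r := bits.RotateLeft32
	for off := 0; off < len(msg); off += 64 {
		var x [16]uint32
		for i := range x {
			x[i] = binary.LittleEndian.Uint32(msg[off+4*i:])
		}
		aa, bb, cc, dd := a, b, c, d
		// Each step writes the new value into a, then the registers rotate (a,b,c,d) -> (d,a,b,c).
		for i := 0; i < 16; i++ { // round 1: F, words in order, shifts 3,7,11,19
			a, b, c, d = d, r(a+f(b, c, d)+x[i], []int{3, 7, 11, 19}[i%4]), b, c
		}
		for i := 0; i < 16; i++ { // round 2: G, words 0,4,8,12,1,5,..., shifts 3,5,9,13
			a, b, c, d = d, r(a+g(b, c, d)+x[i%4*4+i/4]+0x5a827999, []int{3, 5, 9, 13}[i%4]), b, c
		}
		for i := 0; i < 16; i++ { // round 3: H, words 0,8,4,12,2,10,..., shifts 3,9,11,15
			a, b, c, d = d, r(a+h(b, c, d)+x[[]int{0, 2, 1, 3}[i/4]+[]int{0, 8, 4, 12}[i%4]]+0x6ed9eba1, []int{3, 9, 11, 15}[i%4]), b, c
		}
		a, b, c, d = a+aa, b+bb, c+cc, d+dd
	}
	out := make([]byte, 16)
	for i, v := range []uint32{a, b, c, d} {
		binary.LittleEndian.PutUint32(out[4*i:], v)
	}
	return out
}

// utf16le encodes s the way Windows does before hashing passwords and names.
func utf16le(s string) (out []byte) {
	for _, v := range utf16.Encode([]rune(s)) {
		out = append(out, byte(v), byte(v>>8))
	}
	return out
}

// ntHash is NTOWFv1 from MS-NLMP: MD4(UTF-16LE(password)).
func ntHash(password string) []byte { return md4(utf16le(password)) }

// desKey spreads 7 key bytes over 8, with an odd-parity bit in each, as DES expects.
func desKey(k7 []byte) []byte {
	k56 := binary.BigEndian.Uint64(append([]byte{0}, k7...))
	k := make([]byte, 8)
	for i := range k {
		v := byte(k56>>(49-7*uint(i))) & 0x7f
		k[i] = v<<1 | byte(1-bits.OnesCount8(v)%2)
	}
	return k
}

// desl is DESL(K, D) from MS-NLMP: K zero-padded to 21 bytes, split into three DES keys,
// each encrypting the 8-byte D. NTLMv1's NTChallengeResponse and MS-CHAPv2's
// NtChallengeResponse (RFC 2759) are both exactly this function.
func desl(k16, d8 []byte) []byte {
	k21 := append(append([]byte{}, k16...), make([]byte, 5)...)
	out := make([]byte, 24)
	for i := 0; i < 21; i += 7 {
		blk, _ := des.NewCipher(desKey(k21[i : i+7])) // key is always 8 bytes, so no error
		blk.Encrypt(out[i/7*8:], d8)
	}
	return out
}

// mschapv2Challenge is ChallengeHash() from RFC 2759: SHA1(peer||auth||user)[:8].
// This 8-byte value is what FreeRADIUS hands to ntlm_auth as --challenge.
func mschapv2Challenge(peer, auth []byte, user string) []byte {
	s := sha1.Sum(append(append(append([]byte{}, peer...), auth...), user...))
	return s[:8]
}

// ntResponse is the 24-byte --nt-response; given a server challenge instead of the
// MS-CHAPv2 challenge hash it is, byte for byte, the NTLMv1 response.
func ntResponse(password string, challenge8 []byte) []byte { return desl(ntHash(password), challenge8) }

func main() {
	// Constructed input: the RFC 2759 section 9.2 test vector (user "User", password "clientPass").
	peer, _ := hex.DecodeString("21402324255E262A28295F2B3A337C7E")
	auth, _ := hex.DecodeString("5B5D7C7D7B3F2F3E3C2C602132262628")
	ch := mschapv2Challenge(peer, auth, "User")
	fmt.Printf("--challenge=%x --nt-response=%x\n", ch, ntResponse("clientPass", ch))
}
```

The printed pair has the same shape as the ntlm_auth invocation in Mary's debug output. Feeding ntResponse the MS-NLMP server challenge 0123456789abcdef and password "Password" reproduces the NTLMv1 response listed in MS-NLMP 4.2.2.2.1, which is the whole problem: nothing in the value tells the DC it came from MS-CHAPv2 rather than an NTLMv1 SMB logon.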

[Samba] ntlm_auth to AD with only ntlmv2 enabled failing

2007-04-26 Thread Mary Stevens

Hello,

We have Samba 3.0.23 installed. We are using FreeRADIUS to take
authentication requests from a Nortel VPN server and using ntlm_auth
trying to authenticate users against AD.

This setup works fine when on the AD side NTLMv1 and NTLMv2 are enabled.
(i.e. users can authenticate).

However, when only ntlmv2 is enabled users are unable to authenticate.
I have searched various places and while I have seen a couple of other
questions about getting this to work, I haven't found any answers.


When I have the radius server in debug mode I see the following when just
ntlmv2 is enabled on the AD side:

  rad_check_password:  Found Auth-Type MS-CHAP
auth: type "MS-CHAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group MS-CHAP for request 0
  rlm_mschap: No User-Password configured.  Cannot create LM-Password.
  rlm_mschap: No User-Password configured.  Cannot create NT-Password.
  rlm_mschap: Told to do MS-CHAPv2 for stevens3 with NT-Password
radius_xlat: Running registered xlat function of module mschap for string
'Challenge'
 mschap2: f0
radius_xlat: Running registered xlat function of module mschap for string
'NT-Response'
radius_xlat:  '/usr/bin/ntlm_auth -debug=10 --logfile=/tmp
--request-nt-key --domain=adtest --username=stevens3
--challenge=3316410b7682eede
--nt-response=b929ed540a9705a79165ae8bc8b11f3c039f3a8100d81c3e'
Exec-Program: /usr/bin/ntlm_auth -debug=10 --logfile=/tmp --request-nt-key
--domain=adtest --username=stevens3 --challenge=3316410b7682eede
--nt-response=b929ed540a9705a79165ae8bc8b11f3c039f3a8100d81c3e
[2007/04/26 13:23:50, 5] lib/debug.c:debug_dump_status(391)
  INFO: Current debug levels:
all: True/10
tdb: False/0
printdrivers: False/0
lanman: False/0
smb: False/0
rpc_parse: False/0
rpc_srv: False/0
rpc_cli: False/0
passdb: False/0
sam: False/0
auth: False/0
winbind: False/0
vfs: False/0
idmap: False/0
quota: False/0
acls: False/0
locking: False/0
msdfs: False/0
dmapi: False/0
Exec-Program output: Logon failure (0xc06d)
Exec-Program-Wait: plaintext: Logon failure (0xc06d)
Exec-Program: returned: 1
  rlm_mschap: External script failed.
  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
  modcall[authenticate]: module "mschap" returns reject for request 0
modcall: leaving group MS-CHAP (returns reject) for request 0
auth: Failed to validate the user.
Login incorrect: [stevens3] (from client nortelnew port 47)
Delaying request 0 for 1 seconds


In the smb.conf file I have
client NTLMv2 auth = yes

In radiusd.conf file the ntlm_auth line looks like(all as one line in the
file, but the mail reader is breaking it up):
ntlm_auth = "/usr/bin/ntlm_auth -debug=10 --logfile=/tmp --request-nt-key --domain=adtest --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"

I have also tried in the radiusd.conf file
with_ntdomain_hack = no
and
with_ntdomain_hack = yes
It didn't make any difference


With the radius server in debug mode, I see the following when both NTLMv1
and NTLMv2 are enabled on the AD side (i.e. a successful auth):
modcall[authorize]: module "auth_log" returns ok for request 1
  rlm_mschap: Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
  modcall[authorize]: module "mschap" returns ok for request 1
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 1
users: Matched entry DEFAULT at line 29
  modcall[authorize]: module "files" returns ok for request 1
modcall: leaving group authorize (returns ok) for request 1
  Found Autz-Type UIUCnet-Autz
  Processing the authorize section of radiusd.conf
modcall: entering group UIUCnet-Autz for request 1
  modcall[authorize]: module "mysql_block" returns notfound for request 1
  modcall[authorize]: module "ccso_ph" returns ok for request 1
modcall: leaving group UIUCnet-Autz (returns ok) for request 1
  rad_check_password:  Found Auth-Type MS-CHAP
auth: type "MS-CHAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group MS-CHAP for request 1
  rlm_mschap: No User-Password configured.  Cannot create LM-Password.
  rlm_mschap: No User-Password configured.  Cannot create NT-Password.
  rlm_mschap: Told to do MS-CHAPv2 for stevens3 with NT-Password
radius_xlat: Running registered xlat function of module mschap for string
'Challenge'
 mschap2: 9d
radius_xlat: Running registered xlat function of module mschap for string
'NT-Response'
radius_xlat:  '/usr/bin/ntlm_auth -debug=10 --logfile=/tmp
--request-nt-key --domain=adtest --username=stevens3 --challenge=08cb598bb48bab8c
--nt-response=202fa7d944da7715ef8bf23a0b1b3d08d91345e2e26344da'
Exec-Program: /usr/bin/ntlm_auth -debug=10 --logfile=/tmp --request-nt-key
--domain=adtest --username=stevens3 --challenge=08cb598bb48bab8c
--nt-response=202fa7d944da7715ef8bf23a0b1b3d08d91345e2e26344da