[Samba] Using ntlm_auth to authenticate to an NTLMv2 AD
Chaps,
I'm trying to get a radius server to authenticate to AD via the samba ntlm_auth program. I've just built samba vsn 3.0.21c with the following config parameters:

../configure --with-pam --enable-socket-wrapper --with-ldapsam --with-syslog --with-ldap --with-winbind

My smb.conf has:

[global]
workgroup = ADIR
security = domain
password server = 150.237.54.198
realm = ADIR.HULL.AC.UK
preferred master = no
server string = Hull Comms support server
security = ADS
use spnego = yes
encrypt passwords = yes
log level = 3
log file = /var/log/samba/%m
max log size = 50
winbind separator = +
bind interfaces only = yes
interfaces = 150.237.47.22 127.0.0.1
idmap gid = 10000-20000
idmap uid = 10000-20000
client NTLMv2 auth = yes

Running

/usr/local/bin/samba/ntlm_auth --username=fred --password=something --domain=ADIR.HULL.AC.UK

works just fine (see log from radius server), BUT when the radius server invokes ntlm_auth I always get a wrong password error.

Thu Mar 9 16:04:27 2006: INFO: Starting NtlmAuthProg: /usr/local/samba/bin/ntlm_auth --helper-protocol=ntlm-server-1
Thu Mar 9 16:04:27 2006: DEBUG: Passing attribute Request-User-Session-Key: Yes
Thu Mar 9 16:04:27 2006: DEBUG: Passing attribute Request-LanMan-Session-Key: Yes
Thu Mar 9 16:04:27 2006: DEBUG: Passing attribute LANMAN-Challenge: d5fa33d1b1953e0a
Thu Mar 9 16:04:27 2006: DEBUG: Passing attribute NT-Response: 9f135b59e47cdfa0c51535d78b57587e3ebfcc6e6a64ae90
Thu Mar 9 16:04:27 2006: DEBUG: Passing attribute NT-Domain:: QURJUi5IVUxMLkFDLlVL
Thu Mar 9 16:04:27 2006: DEBUG: Passing attribute Username:: Y2NzYXM=
Thu Mar 9 16:04:27 2006: DEBUG: Received attribute: Authenticated: No
Thu Mar 9 16:04:27 2006: DEBUG: Received attribute: Authentication-Error: Wrong Password
Thu Mar 9 16:04:27 2006: DEBUG: Received attribute: .
Thu Mar 9 16:04:27 2006: WARNING: NTLM Could not authenticate user: Wrong Password
Thu Mar 9 16:04:27 2006: DEBUG: Radius::AuthNTLM REJECT: AuthBy NTLM Password check failed: ccsas [ccsas]
Thu Mar 9 16:04:27 2006: DEBUG: AuthBy NTLM result: REJECT, AuthBy NTLM Password check failed
Thu Mar 9 16:04:27 2006: DEBUG: calling_station_hook:Access-Request called
Thu Mar 9 16:04:27 2006: DEBUG: calling_station_hook:exited
Thu Mar 9 16:04:27 2006: INFO: Access rejected for ccsas: AuthBy NTLM Password check failed
Thu Mar 9 16:04:27 2006: DEBUG: Converted EAP-MSCHAPV2 response Packet dump:

If we turn down the AD auth to use ntlm then authentication works o.k.

Running the following script

#!/bin/sh
/usr/local/samba/bin/ntlm_auth --helper-protocol=ntlm-server-1 <<EOF
Request-User-Session-Key: yes
Request-LanMan-Session-Key: yes
LANMAN-Challenge: d5fa33d1b1953e0a
NT-Response: 9f135b59e47cdfa0c51535d78b57587e3ebfcc6e6a64ae90
NT-Domain:: QURJUi5IVUxMLkFDLlVL
Username:: Y2NzYXM=
.
EOF

also fails and gives the same wrong password message.

Looking in the /var/log/samba/winbindd log file I see

[2006/03/09 16:28:55, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(454)
  [ 0]: request interface version
[2006/03/09 16:28:55, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(487)
  [ 0]: request location of privileged pipe
[2006/03/09 16:28:55, 3] nsswitch/winbindd_pam.c:winbindd_pam_auth_crap(519)
  [ 0]: pam auth crap domain: [ADIR.HULL.AC.UK] user: ccsas
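
A diagnostic for the helper request quoted above, as an added example that is not part of the original post: it parses ntlm-server-1 input, decodes the base64 `::` attributes, and classifies NT-Response by length. A 24-byte NT-Response is the NTLMv1-format response that MSCHAPv2 produces, which fits the poster's report that authentication succeeds once the AD side accepts NTLM; the function names are hypothetical.

```python
import base64
import binascii

# Sample input: the helper request as quoted in the post above.
SAMPLE_REQUEST = """\
Request-User-Session-Key: yes
Request-LanMan-Session-Key: yes
LANMAN-Challenge: d5fa33d1b1953e0a
NT-Response: 9f135b59e47cdfa0c51535d78b57587e3ebfcc6e6a64ae90
NT-Domain:: QURJUi5IVUxMLkFDLlVL
Username:: Y2NzYXM=
.
"""

def parse_helper_request(text):
    """Parse ntlm-server-1 helper input; 'Name:: value' carries base64."""
    attrs = {}
    for line in text.splitlines():
        line = line.strip()
        if line == ".":            # a lone dot terminates the request
            break
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {line!r}")
        if value.startswith(":"):  # double colon: base64-encoded value
            value = base64.b64decode(value[1:].strip(), validate=True).decode("utf-8")
        attrs[name.strip()] = value.strip()
    return attrs

def classify_response(attrs):
    """Classify NT-Response by length (hypothetical helper for this example)."""
    try:
        challenge = binascii.unhexlify(attrs["LANMAN-Challenge"])
        response = binascii.unhexlify(attrs["NT-Response"])
    except (KeyError, binascii.Error) as exc:
        raise ValueError(f"missing or non-hex field: {exc}") from exc
    if len(challenge) != 8:
        raise ValueError("challenge must be 8 bytes")
    if len(response) == 24:
        return "ntlmv1-format"     # 24-byte DES response, as MSCHAPv2 produces
    if len(response) > 24:
        return "ntlmv2-format"     # 16-byte HMAC-MD5 plus client blob
    raise ValueError("NT-Response shorter than 24 bytes")

if __name__ == "__main__":
    request = parse_helper_request(SAMPLE_REQUEST)
    print(request["NT-Domain"], request["Username"], classify_response(request))
```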