Problem with ntlm_auth between freeradius 3.0 and Samba 4 AD

Benjamin DUPALUT benjamin.dupalut at esiee.fr
Thu Jul 5 10:06:02 CEST 2018

Hi all,

Thanks a lot for your help.


*@Alan DeKok:*

> >   You are not following the instructions on the web page.
> >
> >   You've added a "(0)" after the string expansions.  Why?
> >
> >   e.g. --password=%{User-Password}(0)
> >
> >   What's that?  Why are you going out of your way to do things which the
> > instructions say not to do?
> >
> >   Please follow the instructions.  If you do that, you WILL get it
> > working.

I didn't add the "(0)" expression. I think when you copy/paste my
freeradius -X output, the sequence number "(0)" moves from the beginning of
one line to the end of another.



*@Alan Buxey:*
> you're using mschap:User-Name  in the ntlm_auth - which will be the value
> provided by the client - rather than the
> value which is handled in logic, change that to Stripped-User-Name and it
> will be the stripped value you want.

I changed to "Stripped-User-Name" and it works now !!

ntlm_auth: Executing: /usr/bin/ntlm_auth --request-nt-key --domain=lan.esiee.fr --username=%{Stripped-User-Name} --password=%{User-Password}:
ntlm_auth: EXPAND --username=%{Stripped-User-Name}
ntlm_auth:    --> --username=user
ntlm_auth: EXPAND --password=%{User-Password}
ntlm_auth:    --> --password=password
ntlm_auth: Program returned code (0) and output 'NT_STATUS_OK: Success (0x0)'
ntlm_auth: Program executed successfully
    [ntlm_auth] = ok
  } # authenticate = ok

*@Elias Pereira:*

> In your smb.conf you configured the variable "ntlm auth =
> mschapv2-and-ntlmv2-only" or "ntlm auth = yes". Via kerberos is more secure
> than ntlm.

Exactly, on my PDC I got "ntlm auth = yes" in the smb.conf.

Can you please recommend some documentation about the Kerberos method?

Regards,

*Benjamin Dupalut*
System and network administrator
Service des Moyens Informatiques Généraux (SMIG)
ESIEE Paris
2 bd Blaise Pascal - 93162 Noisy-le-Grand Cedex
T : +33 1 45 92 66 17
benjamin.dupalut at esiee.fr
www.esiee.fr / www.cci-paris-idf.fr


On Thu, 5 Jul 2018 at 04:21, Elias Pereira <empbilly at gmail.com> wrote:

> In your smb.conf you configured the variable "ntlm auth =
> mschapv2-and-ntlmv2-only" or "ntlm auth = yes".
>
> Via kerberos is more secure than ntlm.
>
> On Wed, Jul 4, 2018 at 7:18 PM Alan Buxey <alan.buxey at gmail.com> wrote:
>
> > you're using mschap:User-Name  in the ntlm_auth - which will be the value
> > provided by the client - rather than the
> > value which is handled in logic, change that to Stripped-User-Name and it
> > will be the stripped value you want.
> >
> > alan
> >
> > On 4 July 2018 at 16:44, Alan DeKok <aland at deployingradius.com> wrote:
> >
> > > On Jul 4, 2018, at 4:29 AM, Benjamin DUPALUT <benjamin.dupalut at esiee.fr> wrote:
> > > > Thank you for your answer.
> > > >
> > > > Now I got another issue:
> > > >
> > > > #radtest user at esiee.fr password localhost 0 testing123
> > > >
> > > > #freeradius -X
> > > ...
> > > > *(0) ntlm_auth: Executing: /usr/bin/ntlm_auth --request-nt-key
> > > > --domain=lan.esiee.fr <http://lan.esiee.fr>
> > > --username=%{mschap:User-Name}
> > > > --password=%{User-Password}:(0) ntlm_auth: EXPAND
> > > > --username=%{mschap:User-Name}(0) ntlm_auth:    -->
> > > > --username=user at esiee.fr <user at esiee.fr>(0) ntlm_auth: EXPAND
> > > > --password=%{User-Password}(0) ntlm_auth:    -->
> --password=password(0)
> > >
> > >   You are not following the instructions on the web page.
> > >
> > >   You've added a "(0)" after the string expansions.  Why?
> > >
> > >   e.g. --password=%{User-Password}(0)
> > >
> > >   What's that?  Why are you going out of your way to do things which the
> > > instructions say not to do?
> > >
> > >   Please follow the instructions.  If you do that, you WILL get it
> > > working.
> > >
> > >   Alan DeKok.
> > >
> > >
> > > -
> > > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> > >
>
>
>
> --
> Elias Pereira


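A check for the failure discussed in this thread, as an added example that is not part of the original messages: it pairs each ntlm_auth EXPAND line in `freeradius -X` output with its `-->` result, flags usernames that still carry a realm, and masks expanded passwords before the output is shared. The log lines are constructed to follow the layout quoted above; the function names and the example.org realm are assumptions.

```python
import re

# Constructed sample of `freeradius -X` output (not taken from the thread).
# Every line belonging to request N starts with the "(N)" sequence prefix.
SAMPLE_DEBUG = """\
(0) ntlm_auth: Executing: /usr/bin/ntlm_auth --request-nt-key --domain=EXAMPLE --username=%{mschap:User-Name} --password=%{User-Password}:
(0) ntlm_auth: EXPAND --username=%{mschap:User-Name}
(0) ntlm_auth:    --> --username=user@example.org
(0) ntlm_auth: EXPAND --password=%{User-Password}
(0) ntlm_auth:    --> --password=password
(1) ntlm_auth: EXPAND --username=%{Stripped-User-Name}
(1) ntlm_auth:    --> --username=user
"""

LINE = re.compile(r"^\((?P<req>\d+)\)\s+ntlm_auth:\s+(?P<kind>EXPAND|-->)\s+(?P<text>.*)$")
PASSWORD_ARG = re.compile(r"(--password=)\S+")

def expansions(debug_text):
    """Pair each EXPAND template with its '-->' result, per request number."""
    pending, pairs = {}, []
    for raw in debug_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not an ntlm_auth expansion line
        req, kind, text = int(m["req"]), m["kind"], m["text"].strip()
        if kind == "EXPAND":
            pending[req] = text
        elif req in pending:
            pairs.append((req, pending.pop(req), text))
    return pairs

def realm_not_stripped(debug_text):
    """Return (request, template, username) where a realm reached ntlm_auth."""
    hits = []
    for req, template, result in expansions(debug_text):
        if result.startswith("--username="):
            user = result.split("=", 1)[1]
            if "@" in user or "\\" in user:  # user@realm or DOMAIN\user
                hits.append((req, template, user))
    return hits

def redact(debug_text):
    """Mask expanded passwords (not %{...} templates) before sharing output."""
    mask = lambda m: m.group(0) if "%{" in m.group(0) else m.group(1) + "<redacted>"
    return PASSWORD_ARG.sub(mask, debug_text)
```
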