samba 4.7 AD and freeradius ntlm_auth/winbind

Kacper Wirski kacper.wirski at gmail.com
Tue Mar 27 08:03:49 CEST 2018


Hello,

Thank you, I just got a similar response on the samba mailing list. I can't 
believe I missed this --allow-mschapv2 option for ntlm_auth, and it works.

I couldn't test yet if it works for the pass change too, but that's 
another story and I will test it later on.


On 27.03.2018 at 03:52, Isaac Boukris wrote:
> On Tue, Mar 27, 2018 at 2:36 AM, Kacper Wirski <kacper.wirski at gmail.com> wrote:
>> Hello,
>>
>> I have freeradius 3.0.14 integrated with samba AD DC using ntlm_auth.
>>
>> As of samba version 4.7, there is now an option to explicitly allow only
>> mschapv2 and disable all other ntlmv1 via the smb.conf option
>>
>> ntlm auth = mschapv2-and-ntlmv2-only
>>
>>
>> I did some tests today, and I have mixed results, and I'm not sure who
>> the "culprit" is.
>>
>> So let's start with what works:
>>
>> On the AD I set
>>
>> ntlm auth = mschapv2-and-ntlmv2-only
>>
>> On the freeradius side (with samba 4.6.2 as domain member), in
>>
>> mods-enabled/mschap, using the winbind method, I have put, according to the
>> guide at wiki.freeradius.org/active-directory-direct-via-winbind:
>>
>> winbind_username = "%{mschap:User-Name}"
>> winbind_domain = "*WINDOWSDOMAIN*"
>>
>> With this setup it works as expected, that is, freeradius is able to
>> authenticate AD users via eap-peap, and in the samba audit_log I clearly see
>> that it's explicitly mschapv2 being used instead of the more general "ntlmv1".
>>
>>
>> What boggles my mind is that when I change in mods-enabled/mschap from the
>> "winbind" method to the traditional "ntlm_auth = /path/to/ntlm_auth etc....."
>> I'm getting access-rejects. In the samba audit log I see that the request is
>> coming in using ntlmv1, and with the above smb.conf ntlmv1 (in general) is blocked.
>>
>> As soon as I change smb.conf to "ntlm auth = yes" I have everything
>> working, but at the obvious loss of security.
>>
>> I read in this mailing list (I think) that the winbind authentication
>> method also uses ntlm_auth in the end, but there is clearly a difference.
>>
>> So my question is: is this something on the samba side that makes the actual
>> difference between those two methods, or does freeradius for whatever reason
>> not send the "proper" mschapv2 flag that will be recognized by the samba AD
>> server?
>
> mschap-v2 is ntlm-v1; the only way a DC (win or samba) can tell the
> difference between the two (and apply a different policy) is if the
> server tells it so by setting a flag.
> When using libwbclient integration FR sets this flag; when using
> ntlm_auth you can add "--allow-mschapv2" to the cmd to get the same.
>
>> Also a follow up question: is it possible to set "winbind" method for
>> password change in the same way it's used for authentication?
>
> I think currently no.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
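As an added example (not taken from the thread itself), the two configurations discussed above put side by side: the smb.conf policy on the Samba AD DC, and the two FreeRADIUS mods-enabled/mschap variants, with the ntlm_auth command line carrying the --allow-mschapv2 flag Isaac mentions so that the DC sees MS-CHAPv2 rather than bare NTLMv1. The ntlm_auth path and the domain name are placeholders; the ntlm_auth argument list otherwise follows the FreeRADIUS 3.0 default template.

```text
# --- On the Samba AD DC: smb.conf (Samba 4.7 or later) ---
[global]
    # Reject NTLMv1 unless the caller flags the request as MS-CHAPv2.
    # "ntlm auth = yes" would re-enable plain NTLMv1 for everyone.
    ntlm auth = mschapv2-and-ntlmv2-only

# --- On the FreeRADIUS domain member: mods-enabled/mschap ---
# Use exactly one of the two variants below.
mschap {
    # Variant 1: libwbclient (winbind). FreeRADIUS sets the MS-CHAPv2
    # flag itself, so the DC policy above is satisfied with no extra option.
    winbind_username = "%{mschap:User-Name}"
    winbind_domain = "EXAMPLEDOM"        # placeholder: your NetBIOS domain

    # Variant 2: external ntlm_auth helper. Without --allow-mschapv2 the
    # DC classifies the request as NTLMv1 and rejects it under the policy
    # above. /usr/bin/ntlm_auth is a placeholder path.
    #ntlm_auth = "/usr/bin/ntlm_auth --allow-mschapv2 --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
}
```

After switching either variant on, the check the original poster used still applies: the Samba audit log on the DC should record the EAP-PEAP authentications as MS-CHAPv2 rather than NTLMv1, and access-accepts should return without loosening `ntlm auth` back to `yes`.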



More information about the Freeradius-Users mailing list