Can't get FreeRADIUS to work with a Samba DC (MSCHAP)
Oleg Blyahher
oleg.blyahher at bluetest.se
Fri Aug 23 13:41:52 CEST 2019
Hi Alan,
Thank you so much for pointing that out.
I guess migrating to a new DC it is...
All the best!
On 2019-08-23 13:22, Alan DeKok wrote:
> On Aug 23, 2019, at 4:16 AM, Oleg Blyahher via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
>> I understand my issue is not unique. I have a Samba DC running samba 4.6.7 on Ubuntu 16.04. I'm now trying to set up FreeRADIUS 3 (3.0.16) with SMB 4.7.6 on Ubuntu 18.04 to authenticate against the Samba DC.
> That's good.
>
>> Running "radtest aduser password localhost:18120 0 testing123" works.
>>
>> Running "radtest -t mschap aduser password localhost:18120 0 testing123" does not work. I have added this into the smb.conf on both servers:
>>
>> ntlm auth = yes
> That's bad.
>
>> I have been basically following these tutorials:
>> * https://blog.svedr.in/posts/freeradius-peapv0+mschapv2-howto/
> Which looks to be mostly copied from my site.
>
> How do you even find those pages? My site has been up for 15 years, and is pointed to from pretty much everywhere as the definitive guide.
>
>> * http://deployingradius.com/documents/configuration/active_directory.html
>>
>> * https://wiki.samba.org/index.php/Authenticating_Freeradius_against_Active_Directory
>>
>> I would also like to add a comment on the fact that I cannot restart smbd on the DC if I put the following line (nothing in the Samba log nor syslog):
>>
>> ntlm auth = mschapv2-and-ntlmv2-only
> See the Samba documentation for how their software works.
>
>> I have also tried to set up a Microsoft Radius server (join it to the same domain), but got the same results ("wrong password"), so I actually suspect there might be something wrong with the Samba DC. Unfortunately, I couldn't find so much information on how the DC should be.
>>
>> Here's my full debug:
>> ...
>> (1) mschap: ERROR: Program returned code (1) and output 'The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)'
>> (1) mschap: External script failed
>> (1) mschap: ERROR: External script says: The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)
>> (1) mschap: ERROR: MS-CHAP2-Response is incorrect
> That's pretty definitive. The ntlm_auth program is returning an error from Samba. No amount of poking FreeRADIUS will fix the problem.
>
> Unfortunately there is very little we can do here. If Samba is refusing to do ntlm, then you have to fix Samba.
>
> Alan DeKok.