Problems with Samba

Klemen forneci forneci at gmail.com
Fri Jun 4 08:56:45 CEST 2021


Hello.
I've managed to fix or mitigate the problem regarding Samba.
In the end it was the winbind cache timeout that was causing all the
problems. When it refreshed the cache, normal authentication requests
weren't going through.
In smb.conf I've set "winbind cache time = 86400" (1 day). I still get
the timeout after one day, but if it's doing this at 00:00 it isn't
that much of a problem.

Best regards,
Klemen

On Fri, 28 May 2021 at 15:24, Jorge Pereira
<jpereira at freeradius.org> wrote:
>
> Hi Klemen,
>
> Have you tried executing the ntlm_auth command manually? It could help you see that the problem looks to be in the Samba authentication.
>
> e.g.:
>
> >  /usr/bin/ntlm_auth --allow-mschapv2
> > --request-nt-key
> > --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
> > --domain=%{%{mschap:NT-Domain}:-THOR}
> > --challenge=%{%{mschap:Challenge}:-00}
> > --nt-response=%{%{mschap:NT-Response}:-00}:
>
> Of course, replace the %{variables} with the proper values.
> --
> Jorge Pereira
> jpereira at freeradius.org
>
>
>
>
> > On 28 May 2021, at 09:44, Klemen forneci <forneci at gmail.com> wrote:
> >
> > Hello.
> > I hope someone can shine a light on my problem with Freeradius 3 and
> > mschap (running on centos7 with samba/winbind).
> > So, long story short, I noticed that every ~5 minutes there is a problem
> > with NTLM_AUTH. Even when testing with radtest -t mschap at the same
> > time, I get:
> >
> > (10)   Auth-Type MS-CHAP {
> > (10)     if (Realm == "um.si") {
> > (10)     if (Realm == "um.si")  -> TRUE
> > (10)     if (Realm == "um.si")  {
> > (10) mschap_thor: Client is using MS-CHAPv1 with NT-Password
> > (10) mschap_thor: Executing: /usr/bin/ntlm_auth --allow-mschapv2
> > --request-nt-key
> > --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
> > --domain=%{%{mschap:NT-Domain}:-THOR}
> > --challenge=%{%{mschap:Challenge}:-00}
> > --nt-response=%{%{mschap:NT-Response}:-00}:
> > (10) mschap_thor: EXPAND
> > --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
> > (10) mschap_thor:    --> --username=******
> > (10) mschap_thor: ERROR: No NT-Domain was found in the User-Name
> > (10) mschap_thor: EXPAND --domain=%{%{mschap:NT-Domain}:-THOR}
> > (10) mschap_thor:    --> --domain=THOR
> > (10) mschap_thor: mschap1: 31
> > (10) mschap_thor: EXPAND --challenge=%{%{mschap:Challenge}:-00}
> > (10) mschap_thor:    --> --challenge=316c3b72847b74c7
> > (10) mschap_thor: EXPAND --nt-response=%{%{mschap:NT-Response}:-00}
> > (10) mschap_thor:    -->
> > --nt-response=273c482ad6ee3eeb8c21239368764a42d66c1b6ca8f0e98e
> > Child PID 5238 is taking too much time: forcing failure and killing child.
> > (10) mschap_thor: ERROR: Failed to read from child output
> > (10) mschap_thor: External script failed
> > (10) mschap_thor: ERROR: External script says:
> > (10) mschap_thor: ERROR: MS-CHAP2-Response is incorrect
> >
> >
> > I know this may not be a radius issue, because of the fact that
> > in between the system works as expected and the line "Child PID 5238
> > is taking too much time: forcing failure and killing child", but I have
> > my hopes up that someone can point me in the right direction.
> >
> > On the backend there is a Windows AD, multiple DC (tried setting only
> > 1 in samba, same issue), the server is domain joined.
> > I have multiple servers with the same issue (in the same environment)
> >
> > What also puzzles me are the logs:
> > Server 1:
> > Fri May 28 14:35:27 2021 : ERROR: (59476) mschap_thor: ERROR: Failed
> > to read from child output
> > Fri May 28 14:35:31 2021 : ERROR: (59508) mschap_loki: ERROR: Failed
> > to read from child output
> > Fri May 28 14:35:35 2021 : ERROR: (59534) mschap_loki: ERROR: Failed
> > to read from child output
> > Fri May 28 14:40:03 2021 : ERROR: (60960) mschap_loki: ERROR: Failed
> > to read from child output
> > Fri May 28 14:40:08 2021 : ERROR: (60993) mschap_loki: ERROR: Failed
> > to read from child output
> > Fri May 28 14:40:12 2021 : ERROR: (61017) mschap_loki: ERROR: Failed
> > to read from child output
> > Fri May 28 14:40:14 2021 : ERROR: (61030) mschap_loki: ERROR: Failed
> > to read from child output
> > Fri May 28 14:40:15 2021 : ERROR: (61040) mschap_loki: ERROR: Failed
> > to read from child output
> >
> > Server 2:
> > Fri May 28 14:38:29 2021 : ERROR: (4) mschap_thor: ERROR: Failed to
> > read from child output
> > Fri May 28 14:38:44 2021 : ERROR: (5) mschap_thor: ERROR: Failed to
> > read from child output
> >
> > It's like a blinker. One works, the other doesn't.
> >
> > Thank you for any tips.
> > Klemen
> > -
> > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
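As an added example (not part of this thread), the following Python script groups the "Failed to read from child output" lines quoted above into bursts and measures the spacing between burst starts, which is the quickest way to tell a periodic job (such as the winbind cache refresh Klemen eventually identified) from isolated bad credentials. The sample log is the Server 1 excerpt re-joined onto single lines, and the 60-second burst gap is an assumed threshold.

```python
import re
from datetime import datetime

# radius.log line shape (as quoted in the thread): "Fri May 28 14:35:27 2021 : ERROR: (59476) mschap_thor: ERROR: Failed to read from child output"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) : ERROR: "
    r"\((?P<req>\d+)\) (?P<module>\S+): ERROR: Failed to read from child output$"
)

# Constructed sample: the "Server 1" excerpt from the thread, re-joined onto single lines.
SAMPLE_LOG = """\
Fri May 28 14:35:27 2021 : ERROR: (59476) mschap_thor: ERROR: Failed to read from child output
Fri May 28 14:35:31 2021 : ERROR: (59508) mschap_loki: ERROR: Failed to read from child output
Fri May 28 14:35:35 2021 : ERROR: (59534) mschap_loki: ERROR: Failed to read from child output
Fri May 28 14:40:03 2021 : ERROR: (60960) mschap_loki: ERROR: Failed to read from child output
Fri May 28 14:40:08 2021 : ERROR: (60993) mschap_loki: ERROR: Failed to read from child output
Fri May 28 14:40:12 2021 : ERROR: (61017) mschap_loki: ERROR: Failed to read from child output
Fri May 28 14:40:14 2021 : ERROR: (61030) mschap_loki: ERROR: Failed to read from child output
Fri May 28 14:40:15 2021 : ERROR: (61040) mschap_loki: ERROR: Failed to read from child output
"""

def parse_child_timeouts(text):
    """Return (timestamp, request id, module) for each ntlm_auth child timeout, in log order."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
            events.append((ts, int(m.group("req")), m.group("module")))
    return events

def group_bursts(events, max_gap_seconds=60):
    """Split events into bursts; a silence longer than max_gap_seconds (assumed) starts a new one."""
    bursts = []
    for ev in events:
        if bursts and (ev[0] - bursts[-1][-1][0]).total_seconds() <= max_gap_seconds:
            bursts[-1].append(ev)
        else:
            bursts.append([ev])
    return bursts

def burst_summary(text, max_gap_seconds=60):
    """Burst sizes, durations and the spacing between burst starts; a regular spacing means a periodic cause."""
    bursts = group_bursts(parse_child_timeouts(text), max_gap_seconds)
    starts = [b[0][0] for b in bursts]
    return {
        "sizes": [len(b) for b in bursts],
        "duration_s": [int((b[-1][0] - b[0][0]).total_seconds()) for b in bursts],
        "spacing_s": [int((t1 - t0).total_seconds()) for t0, t1 in zip(starts, starts[1:])],
    }
```

On the sample the two bursts start 276 seconds apart, matching the "every ~5 minutes" observation; run it over a full day of logs to see whether the cadence matches the configured winbind cache time.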

