Hello If someone who has a working freeradius samba ntlm_auth AD 2008 setup could let me know which version of samba they are using and which patches it might help me a great deal. I have a working configuration freeradius + samba 3.0.37 + Active Directory 2003. Our Active Directory servers are in the process of moving to 2008 and the 3.0.37 does not return the correct/same keys when looking at a upgraded AD server. I have it pointed to our last AD 2003 server and it work there. I've setup samba 3.4.8 with the patch https://bugzilla.samba.org/attachment.cgi?id=5894 (which needed a little changing to match line number changes). The session keys (if thats what they are) returned by running ntlm_auth on the 2 setups are different (I've put a wrapper script around it so that I can catch them being returned). If I run ntlm_auth repeatedly with the same challenge and nt-response the ones returned by the broken setup seem to change every few minutes whereas the working one stays the same. Thanks in advance, Neil Please access the attached hyperlink for an important electronic communications disclaimer: http://www.lse.ac.uk/collections/planningAndCorporatePolicy/legalandComplian...
Hi,
If someone who has a working freeradius samba ntlm_auth AD 2008 setup could let me know which version of samba they are using and which patches it might help me a great deal.
I have a working configuration freeradius + samba 3.0.37 + Active Directory 2003.
we moved to 2008 last year and kept exactly the same FR/samba setup - ie 3.0.x with no issue. using default CentOS supplied RPM (for SAMBA - we homebuild the FreeRADIUS from source). alan
Hello Alan, Thanks for that it does seem my setup works. I've added "winbind use default domain = yes" to my smb.conf which now reads [global] workgroup = DOMAIN realm = DOMAIN.AC.UK server string = Samba Server Version %v security = ADS password server = adn.domain.ac.uk winbind use default domain = yes Is your config similar? Neil On 13/09/10 17:41, Alan Buxey wrote:
Hi,
If someone who has a working freeradius samba ntlm_auth AD 2008 setup could let me know which version of samba they are using and which patches it might help me a great deal.
I have a working configuration freeradius + samba 3.0.37 + Active Directory 2003.
we moved to 2008 last year and kept exactly the same FR/samba setup - ie 3.0.x with no issue. using default CentOS supplied RPM (for SAMBA - we homebuild the FreeRADIUS from source).
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Please access the attached hyperlink for an important electronic communications disclaimer: http://www.lse.ac.uk/collections/planningAndCorporatePolicy/legalandComplian...
Hi,
Thanks for that it does seem my setup works. I've added "winbind use default domain = yes" to my smb.conf which now reads
[global] workgroup = DOMAIN realm = DOMAIN.AC.UK server string = Samba Server Version %v security = ADS password server = adn.domain.ac.uk winbind use default domain = yes
Is your config similar?
fairly. [global] workgroup = WORKGROUP winbind use default domain = no realm = WORKGROUP.REALM preferred master = no local master = no domain master = no server string = RADIUS SERVER STRING security = ADS encrypt passwords = yes log level = 3 log file = /var/log/samba/%m max log size = 50 winbind separator = + we feed the actual domain in via the ntlm_auth line - as we have several domains and an AD forest....which is nice (cough). alan
Hello, Well things have taken a turn for the worse. At the weekend we upgraded the last AD Domain controller to 2008r2 (still in AD2003 mode) and the radius servers instantly stopped working with "named pipe disconnected" and now "ntlm --username" and "wbinfo -a" no longer work. I have a samba 3.4 install which 'works' from the "ntlm --username" and "wbinfo -a" point of view but which, I strongly suspect, returns incorrect NT_KEYs. (the reason I suspect this is that the previous servers always returned the same value and that value matches the output of the python script attached to https://bugzilla.samba.org/show_bug.cgi?id=6563) I've spent the best part of the day bang head on wall so I thought I'd ask a thing Would the KEY changing every few minutes be expected? (under samba3.0/ad2003 it remained the same) By key I mean the output of "/usr/local/samba/bin/ntlm_auth --request-nt-key --username=bob --challenge=deadshortbeef --nt-response=deadlongerbeef" If no one has seen things like this I'll move over to the samba lists, getting the feeling this issue belongs there. Thanks all, Neil Please access the attached hyperlink for an important electronic communications disclaimer: http://www.lse.ac.uk/collections/planningAndCorporatePolicy/legalandComplian...
Have you tried disjoining and rejoining the domain after the upgrade? It sounds crazy but I have seen similar problems fixed this way. Jake Sallee Godfather Of Bandwidth Network Engineer Fone: 254-295-4658 Phax: 254-295-4221 -----Original Message----- From: freeradius-users-bounces+jake.sallee=umhb.edu@lists.freeradius.org [mailto:freeradius-users-bounces+jake.sallee=umhb.edu@lists.freeradius.o rg] On Behalf Of Neil Prockter Sent: Monday, September 20, 2010 11:29 AM To: freeradius-users@lists.freeradius.org Subject: Re: which samba version / patch for Active Directory 2008 Hello, Well things have taken a turn for the worse. At the weekend we upgraded the last AD Domain controller to 2008r2 (still in AD2003 mode) and the radius servers instantly stopped working with "named pipe disconnected" and now "ntlm --username" and "wbinfo -a" no longer work. I have a samba 3.4 install which 'works' from the "ntlm --username" and "wbinfo -a" point of view but which, I strongly suspect, returns incorrect NT_KEYs. (the reason I suspect this is that the previous servers always returned the same value and that value matches the output of the python script attached to https://bugzilla.samba.org/show_bug.cgi?id=6563) I've spent the best part of the day bang head on wall so I thought I'd ask a thing Would the KEY changing every few minutes be expected? (under samba3.0/ad2003 it remained the same) By key I mean the output of "/usr/local/samba/bin/ntlm_auth --request-nt-key --username=bob --challenge=deadshortbeef --nt-response=deadlongerbeef" If no one has seen things like this I'll move over to the samba lists, getting the feeling this issue belongs there. Thanks all, Neil Please access the attached hyperlink for an important electronic communications disclaimer: http://www.lse.ac.uk/collections/planningAndCorporatePolicy/legalandComp lianceTeam/legal/disclaimer.htm - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 09/20/2010 05:29 PM, Neil Prockter wrote:
Would the KEY changing every few minutes be expected? (under samba3.0/ad2003 it remained the same) By key I mean the output of "/usr/local/samba/bin/ntlm_auth --request-nt-key --username=bob --challenge=deadshortbeef --nt-response=deadlongerbeef"
No. For a given challenge, username and password the response is the same every time.
Neil Prockter wrote:
Well things have taken a turn for the worse. At the weekend we upgraded the last AD Domain controller to 2008r2 (still in AD2003 mode) and the radius servers instantly stopped working with "named pipe disconnected" and now "ntlm --username" and "wbinfo -a" no longer work.
That's a Samba problem, unfortunately... Alan DeKok.
On 21/09/10 08:57, Alan DeKok wrote:
Neil Prockter wrote:
Well things have taken a turn for the worse. At the weekend we upgraded the last AD Domain controller to 2008r2 (still in AD2003 mode) and the radius servers instantly stopped working with "named pipe disconnected" and now "ntlm --username" and "wbinfo -a" no longer work.
That's a Samba problem, unfortunately...
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Thanks to all for your help. I applied the patch from https://bugzilla.samba.org/show_bug.cgi?id=7568 to samba 3.5.5. and all is well. This patch is to be included in next 3.4 and 3.5 releases so hopefully no one else will suffer the same head banging against wall confusion. Neil Please access the attached hyperlink for an important electronic communications disclaimer: http://www.lse.ac.uk/collections/planningAndCorporatePolicy/legalandComplian...
participants (5)
-
Alan Buxey -
Alan DeKok -
Neil Prockter -
Phil Mayers -
Sallee, Stephen (Jake)