Users randomly rejected when no connection with remote domain controllers
Hi all, My institution has multiple AD domain controllers, one for each campus, all of them respond for the same domain and connect to each other through internet using a vpn. One of the servers is located in my campus and freeradius authenticates directly against this server. When the vpn is up, everything works as it should but when the vpn is down, users sometimes can't authenticate. This seems to be random, users authenticate normally then suddenly can't and suddenly can again. When they are rejected I see this in debug: ... (2535) mschap: --> --username=gloriasantos (2535) mschap: Creating challenge hash with username: gloriasantos (2535) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00} (2535) mschap: --> --challenge=2aa82edbd744104d (2535) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00} (2535) mschap: --> --nt-response=7c9a6934a7363630b270dddeb82ad6f347a54a1ff9fc768c Child PID 64739 is taking too much time: forcing failure and killing child. (2535) mschap: ERROR: Failed to read from child output (2535) mschap: External script failed (2535) mschap: ERROR: External script says: (2535) mschap: ERROR: MS-CHAP2-Response is incorrect (2535) eap_mschapv2: [mschap] = reject ... And at this moment, if I try the command "ntlm_auth --username=user --password=pass" it takes more time than it should and then succeds. The pid 64739 is ntlm_auth I think. Everything in freeradius, samba, and dns configuration points to the local active directory domain controller, but it seems that when vpn is down something is still trying to contact the remote domain controllers (which are unavailable). Any ideas of what might be happening? Feel free to ask for needed configuration. Freeradius 3.2.1 Samba 4.17.9-Debian
On Sep 4, 2024, at 10:23 AM, Rodrigo Abrantes Antunes <rodrigoantunes@ifsul.edu.br> wrote:
My institution has multiple AD domain controllers, one for each campus, all of them respond for the same domain and connect to each other through internet using a vpn.
One of the servers is located in my campus and freeradius authenticates directly against this server.
When the vpn is up, everything works as it should but when the vpn is down, users sometimes can't authenticate.
The domain controllers are giving LDAP referrals to systems on the other side of the VPN. When the VPN is down, those systems are unreachable.
Any ideas of what might be happening?
You need to reconfigure the local Active Directory servers to have copies of all of the relevant information, so that they don't give referrals to machines across the VPN. This usually means making the local AD server a global catalog server. That's all Active Directory magic which I try hard to avoid, so I don't have much advice other than that. Alan DeKok.
Citando Alan DeKok <aland@deployingradius.com>:
The domain controllers are giving LDAP referrals to systems on the other side of the VPN. When the VPN is down, those systems are unreachable.
Wouldn't this prevent the users from authenticate at all when VPN is down? Most of the time they can authenticate, but sometimes are rejected in a batch and then can authenticate again
You need to reconfigure the local Active Directory servers to have copies of all of the relevant information, so that they don't give referrals to machines across the VPN. This usually means making the local AD server a global catalog server.
I am not the domain admin. All the campuses have the same AD server configuration as mine, the main campus IT staff gave us these servers already configured and we can't even login in them. A thing to mention is that other campuses uses NPS or ISE as NAC and don't have this problem when VPN is down. My campus is the only one using freeradius, that's why I thought that this could be a configuration error in my freeradius. Thanks.
On Sep 6, 2024, at 8:42 AM, Rodrigo Abrantes Antunes <rodrigoantunes@pelotas.ifsul.edu.br> wrote:
Citando Alan DeKok <aland@deployingradius.com>:
The domain controllers are giving LDAP referrals to systems on the other side of the VPN. When the VPN is down, those systems are unreachable.
Wouldn't this prevent the users from authenticate at all when VPN is down? Most of the time they can authenticate, but sometimes are rejected in a batch and then can authenticate agai
Put it down to "magic in Active Directory". Whatever is gong on, the results are clear: this isn't FreeRADIUS. FreeRADIUS uses ntlm_auth to talk to Samba, and Samba talks with Active Directory. When something goes wrong, the problem is in ntlm_auth / Samba / Active Directory. No amount of poking FreeRADIUS will fix this issue. If the issue is that Active Directory malfunctions when the VPN is down, then the solution is simple: a) keep the VPN up b) fix Active Directory so that it doesn't break when the VPN goes down.
I am not the domain admin. All the campuses have the same AD server configuration as mine, the main campus IT staff gave us these servers already configured and we can't even login in them.
A thing to mention is that other campuses uses NPS or ISE as NAC and don't have this problem when VPN is down.
Then the issue is either Samba or AD.
My campus is the only one using freeradius, that's why I thought that this could be a configuration error in my freeradius.
There is no configuration in FreeRADIUS which says "make ntlm_auth fail when the VPN is down". Alan DeKok.
Citando Alan DeKok <aland@deployingradius.com>:
Whatever is gong on, the results are clear: this isn't FreeRADIUS. FreeRADIUS uses ntlm_auth to talk to Samba, and Samba talks with Active Directory. When something goes wrong, the problem is in ntlm_auth / Samba / Active Directory.
Then the issue is either Samba or AD.
So maybe there is a misconfiguration in ntlm_auth or Samba? Could someone help me check the configuration? Or maybe check trust relationships, etc... My freeradius server needs to be a domain member do authenticate against AD, the user I used to add it to the domain would influence in this? What about the user I use in the ldap module? Heres is my config, 10.1.0.3 (adm.ifsul.edu.br) is my domain controller and dns server, I don't use krb5.conf (should I?). #### mods-enable/ntlm_auth (everything else is commented) exec ntlm_auth { wait = yes program = "/usr/bin/ntlm_auth --request-nt-key --domain=ADM --username=%{mschap:User-Name} --password=%{User-Password}" } #### mods-enable/mschap (everything else is commented) mschap { ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --allow-mschapv2 --username=%{mschap:User-Name:-None} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}" } #### resol.conf nameserver 10.1.0.3 #### samba # Global parameters [global] abort shutdown script = add group script = additional dns hostnames = add machine script = addport command = addprinter command = add share command = add user script = add user to group script = afs token lifetime = 604800 afs username map = aio max threads = 100 algorithmic rid base = 1000 allow dcerpc auth level connect = No allow dns updates = secure only allow insecure wide links = No allow nt4 crypto = No allow trusted domains = Yes allow unsafe cluster upgrade = No apply group policies = No async dns timeout = 10 async smb echo handler = No auth event notification = No auto services = binddns dir = /var/lib/samba/bind-dns bind interfaces only = No browse list = Yes cache directory = /var/cache/samba change notify = Yes change share command = check password script = cldap port = 389 client ipc max protocol = default client ipc min protocol = default client ipc signing = default client lanman auth = No client ldap sasl wrapping = seal client max protocol = default client min protocol = SMB2_02 client NTLMv2 auth = Yes client plaintext auth = No client protection = default client schannel = Yes client signing = default client smb encrypt = default client smb3 encryption algorithms = AES-128-GCM, AES-128-CCM, AES-256-GCM, AES-256-CCM client smb3 signing algorithms = AES-128-GMAC, AES-128-CMAC, HMAC-SHA256 client use kerberos = desired client use spnego principal = No client use spnego = Yes cluster addresses = clustering = No config backend = file config file = create krb5 conf = Yes ctdbd socket = ctdb locktime warn threshold = 0 ctdb timeout = 0 cups connection timeout = 30 cups encrypt = No cups server = dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver deadtime = 10080 debug class = No debug encryption = No debug hires timestamp = Yes debug pid = No debug prefix timestamp = No debug syslog format = No winbind debug traceid = No debug uid = No dedicated keytab file = default service = defer sharing violations = Yes delete group script = deleteprinter command = delete share command = delete user from group script = delete user script = dgram port = 138 disable netbios = No disable spoolss = No dns forwarder = dns port = 53 dns proxy = Yes dns update command = /usr/sbin/samba_dnsupdate dns zone scavenging = No dns zone transfer clients allow = dns zone transfer clients deny = domain logons = No domain master = Auto dos charset = CP850 dsdb event notification = No dsdb group change notification = No dsdb password event notification = No enable asu support = No enable core files = Yes enable privileges = Yes encrypt passwords = Yes enhanced browsing = Yes enumports command = eventlog list = get quota command = getwd cache = Yes gpo update command = /usr/sbin/samba-gpupdate guest account = nobody host msdfs = Yes hostname lookups = No idmap backend = tdb idmap cache time = 604800 idmap gid = idmap negative cache time = 120 idmap uid = include system krb5 conf = Yes init logon delay = 100 init logon delayed hosts = interfaces = iprint server = kdc default domain supported enctypes = 0 kdc enable fast = Yes kdc force enable rc4 weak session keys = No kdc supported enctypes = 0 keepalive = 300 kerberos encryption types = all kerberos method = default kernel change notify = Yes kpasswd port = 464 krb5 port = 88 lanman auth = No large readwrite = Yes ldap admin dn = ldap connection timeout = 2 ldap debug level = 0 ldap debug threshold = 10 ldap delete dn = No ldap deref = auto ldap follow referral = Auto ldap group suffix = ldap idmap suffix = ldap machine suffix = ldap max anonymous request size = 256000 ldap max authenticated request size = 16777216 ldap max search request size = 256000 ldap page size = 1000 ldap passwd sync = no ldap replication sleep = 1000 ldap server require strong auth = Yes ldap ssl = start tls ldap suffix = ldap timeout = 15 ldap user suffix = lm announce = Auto lm interval = 60 load printers = Yes local master = Yes lock directory = /run/samba lock spin time = 200 log file = /var/log/samba/log.%m logging = file log level = 1 log nt token command = logon drive = logon home = \\%N\%U logon path = \\%N\%U\profile logon script = log writeable files on exit = No lpq cache time = 30 lsa over netlogon = No machine password timeout = 604800 mangle prefix = 1 mangling method = hash2 map to guest = Bad User max disk size = 0 max log size = 1000 max mux = 50 max open files = 16384 max smbd processes = 0 max stat cache size = 512 max ttl = 259200 max wins ttl = 518400 max xmit = 16644 mdns name = netbios message command = min domain uid = 1000 min receivefile size = 0 min wins ttl = 21600 mit kdc command = multicast dns register = Yes name cache timeout = 660 name resolve order = lmhosts wins host bcast nbt client socket address = 0.0.0.0 nbt port = 137 ncalrpc dir = /run/samba/ncalrpc netbios aliases = netbios name = IFS01SV004 netbios scope = neutralize nt4 emulation = No nmbd bind explicit broadcast = Yes nsupdate command = /usr/bin/nsupdate -g nt hash store = always ntlm auth = ntlmv2-only nt pipe support = Yes ntp signd socket directory = /var/lib/samba/ntp_signd nt status support = Yes null passwords = No obey pam restrictions = Yes old password allowed period = 60 oplock break wait time = 0 os2 driver map = os level = 20 pam password change = Yes panic action = /usr/share/samba/panic-action %d passdb backend = tdbsam passdb expand explicit = No passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* . passwd chat debug = No passwd chat timeout = 2 passwd program = /usr/bin/passwd %u password hash gpg key ids = password hash userPassword schemes = password server = * perfcount module = pid directory = /run/samba preferred master = Auto prefork backoff increment = 10 prefork children = 4 prefork maximum backoff = 120 preload modules = printcap cache time = 750 printcap name = private dir = /var/lib/samba/private raw NTLMv2 auth = No read raw = Yes realm = ADM.IFSUL.EDU.BR registry shares = No reject md5 clients = Yes reject md5 servers = Yes remote announce = remote browse sync = rename user script = require strong key = Yes reset on zero vc = No restrict anonymous = 0 root directory = rpc big endian = No rpc server dynamic port range = 49152-65535 rpc server port = 0 rpc start on demand helpers = Yes samba kcc command = /usr/sbin/samba_kcc security = ADS server max protocol = SMB3 server min protocol = SMB2_02 server multi channel support = Yes server role = standalone server server schannel = Yes server schannel require seal = Yes server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate, dns server signing = default server smb3 encryption algorithms = AES-128-GCM, AES-128-CCM, AES-256-GCM, AES-256-CCM server smb3 signing algorithms = AES-128-GMAC, AES-128-CMAC, HMAC-SHA256 server string = Samba 4.17.9-Debian set primary group script = set quota command = show add printer wizard = Yes shutdown script = smb1 unix extensions = Yes smb2 disable lock sequence checking = No smb2 disable oplock break retry = No smb2 leases = Yes smb2 max credits = 8192 smb2 max read = 8388608 smb2 max trans = 8388608 smb2 max write = 8388608 smbd profiling level = off smb passwd file = /etc/samba/smbpasswd smb ports = 445 139 socket options = TCP_NODELAY spn update command = /usr/sbin/samba_spnupdate stat cache = Yes state directory = /var/lib/samba svcctl list = syslog = 1 syslog only = No template homedir = /home/%D/%U template shell = /bin/false time server = No timestamp logs = Yes tls cafile = tls/ca.pem tls certfile = tls/cert.pem tls crlfile = tls dh params file = tls enabled = Yes tls keyfile = tls/key.pem tls priority = NORMAL:-VERS-SSL3.0 tls verify peer = as_strict_as_possible unicode = Yes unix charset = UTF-8 unix password sync = Yes use mmap = Yes username level = 0 username map = username map cache time = 0 username map script = usershare allow guests = Yes usershare max shares = 100 usershare owner only = Yes usershare path = /var/lib/samba/usershares usershare prefix allow list = usershare prefix deny list = usershare template share = utmp = No utmp directory = winbind cache time = 300 winbindd socket directory = /run/samba/winbindd winbind enum groups = No winbind enum users = No winbind expand groups = 0 winbind max clients = 200 winbind max domain connections = 1 winbind nested groups = Yes winbind normalize names = No winbind nss info = template winbind offline logon = No winbind reconnect delay = 30 winbind refresh tickets = No winbind request timeout = 60 winbind rpc only = No winbind scan trusted domains = No winbind sealed pipes = Yes winbind separator = \ winbind use default domain = No winbind use krb5 enterprise principals = Yes wins hook = wins proxy = No wins server = wins support = No workgroup = ADM write raw = Yes wtmp directory = idmap config * : backend = tdb access based share enum = No acl allow execute always = No acl check permissions = Yes acl flag inherited canonicalization = Yes acl group control = No acl map full control = Yes administrative share = No admin users = afs share = No aio read size = 1 aio write behind = aio write size = 1 allocation roundup size = 0 available = Yes blocking locks = Yes block size = 1024 browseable = Yes case sensitive = Auto check parent directory delete on close = No comment = copy = create mask = 0744 csc policy = manual cups options = default case = lower default devmode = Yes delete readonly = No delete veto files = No dfree cache time = 0 dfree command = directory mask = 0755 directory name cache size = 100 dmapi support = No dont descend = dos filemode = No dos filetime resolution = No dos filetimes = Yes durable handles = Yes ea support = Yes fake directory create times = No fake oplocks = No follow symlinks = Yes smbd force process locks = No force create mode = 0000 force directory mode = 0000 force group = force printername = No force unknown acl user = No force user = fstype = NTFS guest ok = No guest only = No hide dot files = Yes hide files = hide new files timeout = 0 hide special files = No hide unreadable = No hide unwriteable files = No honor change notify privilege = No hosts allow = hosts deny = include = inherit acls = No inherit owner = no inherit permissions = No invalid users = kernel oplocks = No kernel share modes = No level2 oplocks = Yes locking = Yes lppause command = lpq command = %p lpresume command = lprm command = magic output = magic script = mangled names = illegal mangling char = ~ map acl inherit = No map archive = Yes map hidden = No map readonly = no map system = No max connections = 0 max print jobs = 1000 max reported print jobs = 0 min print space = 0 msdfs proxy = msdfs root = No msdfs shuffle referrals = No nt acl support = Yes ntvfs handler = unixuid, default oplocks = Yes path = posix locking = Yes postexec = preexec = preexec close = No preserve case = Yes printable = No print command = printer name = printing = cups printjob username = %U print notify backchannel = No queuepause command = queueresume command = read list = read only = Yes root postexec = root preexec = root preexec close = No server smb encrypt = default short preserve case = Yes smbd async dosmode = No smbd getinfo ask sharemode = Yes smbd max async dosmode = 0 smbd max xattr size = 65536 smbd search ask sharemode = Yes spotlight = No spotlight backend = noindex store dos attributes = Yes strict allocate = No strict locking = Auto strict rename = No strict sync = Yes sync always = No use client driver = No use sendfile = No valid users = veto files = veto oplock files = vfs objects = volume = volume serial number = -1 wide links = No write list = [homes] browseable = No comment = Home Directories create mask = 0700 directory mask = 0700 valid users = %S [printers] browseable = No comment = All Printers create mask = 0700 path = /var/tmp printable = Yes [print$] comment = Printer Drivers path = /var/lib/samba/printers
On Sep 6, 2024, at 10:03 AM, Rodrigo Abrantes Antunes <rodrigoantunes@pelotas.ifsul.edu.br> wrote:
Citando Alan DeKok <aland@deployingradius.com>:
Whatever is gong on, the results are clear: this isn't FreeRADIUS. FreeRADIUS uses ntlm_auth to talk to Samba, and Samba talks with Active Directory. When something goes wrong, the problem is in ntlm_auth / Samba / Active Directory.
Then the issue is either Samba or AD.
So maybe there is a misconfiguration in ntlm_auth or Samba? Could someone help me check the configuration? Or maybe check trust relationships, etc...
It's difficult to see how this is a configuration issue. The fact that things break when the VPN goes down means that the issue is the VPN going down. Either Samba is breaking, or Active Directory is breaking. Alan DeKok.
Citando Alan DeKok <aland@deployingradius.com>:
It's difficult to see how this is a configuration issue. The fact that things break when the VPN goes down means that the issue is the VPN going down.
Either Samba is breaking, or Active Directory is breaking.
VPN can go down for a lot of reasons, when our internet link is down, when the main campus internet link is down, when something between the two cities are down. We don't want to depend on remote servers to authenticate users, thats why we have a local domain server. All the other campus works with their local domain controllers and Microsoft NPS or Cisco ISE, and all the campus have the same AD config as ours. The only difference is that we use freeradius and samba, you said there is nothing in freeradius that could affect this so there must be something in samba. I think I will post this issue in samba lists then. Thanks for the help.
participants (3)
-
Alan DeKok -
Rodrigo Abrantes Antunes -
Rodrigo Abrantes Antunes