Logins against AD failing in *most* cases. Can see why, but don't *understand* why.

Casartello, Thomas tcasartello at wsc.ma.edu
Tue Dec 8 14:29:47 CET 2009


Just had this same problem myself. Oddly enough with Fedora, the
samba-common package is all that will be installed as a dependency and it
does not include the regular samba services. I could start winbind and even
do ntlm_auth requests, but I was essentially having this same issue where it
would just fail over and over and nothing useful was turning up in the logs.
I then saw this post in the and tried installing the main samba package then
started the smb service before winbind and that fixed it.

Thomas E. Casartello, Jr.
Staff Assistant - Wireless/Linux Administrator
Information Technology
Wilson 105A
Westfield State College

Red Hat Certified Technician (RHCT)


-----Original Message-----
From: freeradius-users-bounces+tcasartello=wsc.ma.edu at lists.freeradius.org
[mailto:freeradius-users-bounces+tcasartello=wsc.ma.edu at lists.freeradius.org
] On Behalf Of Meyers, Dan
Sent: Friday, December 04, 2009 5:42 AM
To: FreeRadius users mailing list
Subject: RE: Logins against AD failing in *most* cases. Can see why, but
don't *understand* why.

>   Given *my* background: I tend to blame everything *other* than
> FreeRADIUS.  If there's a bug, it gets fixed pretty quickly.  That's
> more than you can say for Microsoft.

Finally got it sorted, and it was indeed nothing to do with FreeRADIUS
but was a combination of several factors all related to Samba (posted
here in case anyone else has similar issues in future and thinks it's
FreeRADIUS):

1) We needed to upgrade to a newer version of Samba to be able to talk
to Windows Server 2008 R2 (R2 made some significant changes over
straight 2008, according to our Windows admins, so R1 or straight 2008
might be more lenient) using ntlm_auth (something we did quite early in
the attempt to get it working). We're now on 3.4.3 compiled from source
(3.4.0 in packages for Debian 5.0 didn't seem to work).

2) We needed to change our smb.conf. The config that worked with Server
2003 seems to not work with 2008 R2.

3) (And this was the one that really got me towards the end and caused
me much confusion for the last few days when it sometimes worked and
sometimes didn't):

You *must* start Samba (i.e. nmbd and smbd) before winbind. If you start
winbind first, then ntlm_auth gives every indication of working
correctly. An ntlm_auth --username=whatever and then giving a password
returns NT_STATUS_OK: Success (0x0). An incorrect password returns
NT_STATUS_WRONG_PASSWORD, so it's evidently talking to the DC OK.
Likewise taking a username, challenge and nt response from a radius
request in debug mode and testing on the command line does return an NT
key like it should. *However* that NT key, which is the same every time
the command is run for a given username, challenge and response, is
*not* the same as the NT key returned for the same username, challenge
and response if you start Samba before winbind. If you start winbind
first, the client will reject the NT key returned. If you start Samba
first, it works fine.

Bit of a noddy error on my part, that one. But if ntlm_auth had actually
given any indication of not being able to talk to the domain I would
have spotted it much sooner. Because all indications were that it was
communicating fine it never occurred to me that the NT key being
returned might be invalid.

Thanks all.
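The failure mode described above (ntlm_auth reports NT_STATUS_OK yet hands FreeRADIUS an NT key the client rejects) can be caught with a local consistency check against a known test account, because for MS-CHAPv2 the value FreeRADIUS reads from the `NT_KEY:` line of `ntlm_auth --request-nt-key` is the MD4 of the NT password hash (the PasswordHashHash of RFC 2759) and can be recomputed offline. The following is an added example, not code from the thread or from Samba or FreeRADIUS; it assumes that `NT_KEY:` line format, carries its own MD4 (hashlib's md4 is often disabled on OpenSSL 3 builds), and checks itself against the RFC 2759 test vectors (user "User", password "clientPass"). The two ntlm_auth outputs at the bottom are constructed samples.

```python
import hashlib
import struct

MASK32 = 0xFFFFFFFF


def _lrot(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); needed because the NT hash is MD4 over UTF-16LE."""
    msg = bytearray(data)
    msg.append(0x80)
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)

    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z

    A, B, C, D = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    r2_idx = [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]
    r3_idx = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = A, B, C, D
        for i in range(16):  # round 1: F, message words in order, shifts 3/7/11/19
            a = _lrot((a + f(b, c, d) + X[i]) & MASK32, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2: G, column order, constant 5A827999
            a = _lrot((a + g(b, c, d) + X[r2_idx[i]] + 0x5A827999) & MASK32, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3: H, bit-reversed order, constant 6ED9EBA1
            a = _lrot((a + h(b, c, d) + X[r3_idx[i]] + 0x6ED9EBA1) & MASK32, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        A, B, C, D = (A + a) & MASK32, (B + b) & MASK32, (C + c) & MASK32, (D + d) & MASK32
    return struct.pack("<4I", A, B, C, D)


def nt_password_hash(password: str) -> bytes:
    """RFC 2759 NtPasswordHash: MD4 over the UTF-16LE password."""
    return md4(password.encode("utf-16-le"))


def password_hash_hash(password: str) -> bytes:
    """RFC 2759 HashNtPasswordHash: MD4 of the NT hash. Assumed here to be what
    ntlm_auth --request-nt-key reports as NT_KEY and what rlm_mschap consumes."""
    return md4(nt_password_hash(password))


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: str) -> bytes:
    """RFC 2759 ChallengeHash: the 8-byte challenge the NT-Response is computed over."""
    digest = hashlib.sha1(peer_challenge + auth_challenge + username.encode("ascii")).digest()
    return digest[:8]


def parse_nt_key(ntlm_auth_output: str):
    """Pull the hex NT key out of ntlm_auth output (assumed 'NT_KEY: <hex>' line)."""
    for line in ntlm_auth_output.splitlines():
        if line.startswith("NT_KEY: "):
            return bytes.fromhex(line[len("NT_KEY: "):].strip())
    return None


def nt_key_is_consistent(ntlm_auth_output: str, test_password: str) -> bool:
    """True only if ntlm_auth returned a key and it equals MD4(MD4(password)).
    A success status with a mismatching key is exactly the broken state to alert on."""
    key = parse_nt_key(ntlm_auth_output)
    return key is not None and key == password_hash_hash(test_password)


# Constructed sample: output of a healthy run for the RFC 2759 test account.
GOOD_OUTPUT = "NT_KEY: 41C00C584BD2D91C4017A2A12FA59F3F\nNT_STATUS_OK: Success (0x0)\n"
# Constructed sample: ntlm_auth still claims success but the key does not match.
BAD_OUTPUT = "NT_KEY: 00112233445566778899AABBCCDDEEFF\nNT_STATUS_OK: Success (0x0)\n"

if __name__ == "__main__":
    for label, out in (("healthy", GOOD_OUTPUT), ("broken", BAD_OUTPUT)):
        print(label, "consistent" if nt_key_is_consistent(out, "clientPass") else "MISMATCH")
```

In practice you would feed the real output of `ntlm_auth --request-nt-key` for a dedicated test account into `nt_key_is_consistent` from a health-check script, so that a winbind started before smbd is detected by the key mismatch rather than by users failing to authenticate.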


