samba 4.7 AD and freeradius ntlm_auth/winbind

Isaac Boukris iboukris at gmail.com
Tue Mar 27 03:52:34 CEST 2018


On Tue, Mar 27, 2018 at 2:36 AM, Kacper Wirski <kacper.wirski at gmail.com> wrote:
> Hello,
>
> I have freeradius 3.0.14 integrated with samba AD DC using ntlm_auth.
>
> As of samba 4.7, there is now an option to explicitly allow only
> mschapv2 and disable all other ntlmv1 via the smb.conf option
>
> ntlm auth = mschapv2-and-ntlmv2-only
>
>
> I've done today some tests, and I have mixed results, and I'm not sure who
> the "culprit" is.
>
> So let's start with what works:
>
> On the AD I set
>
> ntlm auth = mschapv2-and-ntlmv2-only
>
> on the freeradius (with samba 4.6.2 as domain member) in
>
> mods-enabled/mschap, using the winbind method, I have put, according to the guide
> at wiki.freeradius.org/active-directory-direct-via-winbind,
>
> winbind_username = "%{mschap:User-Name}"
> winbind_domain = "*WINDOWSDOMAIN*"
>
> With this setup it works as expected, that is, freeradius is able to
> authenticate AD users via eap-peap; in the samba audit_log I clearly see that
> it's explicitly mschapv2 being used instead of the more general "ntlmv1".
>
>
> What boggles my mind is that when I change in mods-enabled/mschap from
> the "winbind" method to the traditional "ntlm auth = /path/to/ntlm_auth etc....."
> I'm getting access-rejects. In the samba audit log I see that the request is coming
> in using ntlmv1, and with the above smb.conf ntlmv1 (in general) is blocked.
>
> As soon as in smb.conf I change to "ntlm auth = yes" I have everything
> working, but at the obvious loss of security.
>
> I read in this mailing list (I think), that this winbind authentication
> method also in the end uses ntlm_auth, but there is clearly difference.
>
> So my question is: is this something on the samba side that makes an actual
> difference between those two methods, or does freeradius for whatever reason
> not send the "proper" mschapv2 flag that will be recognized by the samba AD
> server?


mschap-v2 is ntlm-v1; the only way a DC (win or samba) can tell the
difference between the two (and apply a different policy) is if the
server tells it so by setting a flag.
When using the libwbclient integration FR sets this flag; when using
ntlm_auth you can add "--allow-mschapv2" to the command to get the same.

> Also a follow up question: is it possible to set "winbind" method for
> password change in the same way it's used for authentication?


I think currently no.
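The two settings the thread is about, side by side, as an added example (not configuration posted by either participant, and not copied from the Samba or FreeRADIUS projects): the smb.conf value that makes the DC refuse bare NTLMv1, and the mods-enabled/mschap ntlm_auth line with and without the flag that marks the exchange as MSCHAPv2. The "/path/to/ntlm_auth" placeholder is kept as in the original message; the xlat expansions match the stock FreeRADIUS 3.0 mschap module defaults, and the Samba-side flag name (MSV1_0_ALLOW_MSVCHAPV2) is my addition, not something the thread names.

```text
# --- smb.conf on the Samba AD DC ---
[global]
    # weak: any NTLMv1 response is accepted, so an unflagged
    # ntlm_auth request "works" but so does real NTLMv1
    #ntlm auth = yes

    # corrected: NTLMv1 is refused unless the caller marks the
    # exchange as MSCHAPv2 (MSV1_0_ALLOW_MSVCHAPV2 flag)
    ntlm auth = mschapv2-and-ntlmv2-only

# --- mods-enabled/mschap on the FreeRADIUS host (Samba domain member) ---
mschap {
    # weak: no flag, the DC sees a plain NTLMv1 request and, with the
    # smb.conf setting above, returns a reject
    #ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"

    # corrected: --allow-mschapv2 sets the same flag the winbind
    # (libwbclient) method sets on its own
    ntlm_auth = "/path/to/ntlm_auth --allow-mschapv2 --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
}
```

Before relying on it, confirm that the ntlm_auth binary on the FreeRADIUS host actually accepts the option (`ntlm_auth --help` should list `--allow-mschapv2`; an older Samba on the member will not have it), then re-run the EAP-PEAP test and check the DC's audit log: the entry should now show mschapv2 rather than ntlmv1, the same way it does with the winbind method.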


More information about the Freeradius-Users mailing list