problems getting ntlm_auth working.

Alan DeKok aland at deployingradius.com
Fri Aug 30 14:21:46 CEST 2019 

On Aug 30, 2019, at 7:55 AM, L.P.H. van Belle via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> Offcourse if id read everyting you where saying. 
> And it's all working now.

  Good to hear.

> If you can change one thing to the site's howto then you will never get these questions again. 
> .. Yes i know it is on the site already but, i would suggest you change this part. 
> 
> 'This configuration needs to be set on all participating Samba member(s) and (Samba4) AD-DC server(s).' 

  Done.

> So what did i miss.. Yes, forgot to add to the AD-DC's smb.conf 
> ntlm auth = mschapv2-and-ntlmv2-only
> 
> After setting that, then "it just works" ..  ;-) 
> Pretty stupid of me.. I wont argue that.. 

  Complex systems are complex, and are difficult to get right.  Admitting mistakes is even harder. :)

  My evident frustration in many posts is really due to giving advice, and then (essentially) getting told to go F myself.

> Just twoo more questions. 
> 1) 
> We can authenticate 3 ways. 
> username 
> username at REALM
> NTDOM\username

  From the point of view of FreeRADIUS, they're all identical.  Some string is being used as the User-Name.  That same string is being used in the MS-CHAP calculations.

  However, a possibly *different* string is being used to look up users in a database.

  That's why we make a clear distinction between User-Name (what the user entered), and Stripped-User-Name (what we use for database lookups as the users identity).

  We *can't* mangle User-Name, because it breaks things like MS-CHAP.  We also can't use User-Name for DB lookups, because it contains things like domain names, which generally aren't in the DB.

> If running freeradius on AD-DC. 
> where : winbind use default domain = yes is not working on AD-DC. 
> See output of wbinfo -u  

  Not attached...

> You can login with : username or NTDOM\username. 
> test : radtest -t mschap 'NTDOM\username' 'password' localhost 0 testing123
> test : radtest -t mschap 'username' 'password' localhost 0 testing123
> 
> If running freeradius on AD-Member
> where : winbind use default domain = yes is working. 
> See output of wbinfo -u 
> 
> You can login with : username or username at REALM 
> test : radtest -t mschap 'username' 'password' localhost 0 testing123
> test : radtest -t mschap 'username at REALM' 'password' localhost 0 testing123

  Why do some things work and others don't?  Maybe the wrong things are getting passed from FreeRADIUS to ntlm_auth.  But maybe not.  Again, the command-lines are printed out so that you can use them to test without running a full RADIUS stack.

 But winbind doesn't work, that's a Samba / AD thing.  There are magical things there which I don't understand.  It's been 15 years since I was tangentially involved in Samba4 development.

> What is the best way to handle all 3 types? 
> Im really new with freeradius, im trying to understand the configs, but thats not done in a sec. 

  Generally speaking, punt on the problem.  Hand those strings to something else, and let it do the work.

  Or, use a database that returns the "known good" password to FreeRADIUS, and let FreeRADIUS do the work.  While FreeRADIUS is complex, it isn't *stupid*.  You can make it do pretty much anything you want.  And the debug output shows you exactly what it's doing, and why.

  Contrast that to "helpful" commercial tools.  Often the best error they produce is "failed".  <sigh>  It's like they have a pathological hatred for their customers, and a deep-seated terror of giving the customer any useful information.

> 2) Do note on the REALM. 
> I notice, and maybe you can verify this. 
> 
> If realm is set as : 
> [libdefaults]
>        default_realm = internal.domain.tld 
> 
> Trying to login with : username at INTERNAL.DOMAIN.TLD does not work. 
> You must match CAPS/non-caps in REALM, dorrect? 

  That's really a Samba thing, and I have absolutely no clue about it.

  I would *hope* that it's not case sensitive.

> Or can we handle this in the config? 

  Maybe.  It's possible in FreeRADIUS to lowercase the domain, and pass that to ntlm_auth.  The issue is that the MS-CHAP calculations are done using the name *as entered by the user*.

  So if Samba doesn't get passed that *exact string*, then it's impossible to do the same MS-CHAP calculations, and it's impossible to authenticate the user.

> But thank you for your responces so far. 

  You're welcome.  It's what I do.

  Alan DeKok.

More information about the Freeradius-Users mailing list