problems getting ntlm_auth working.
L.P.H. van Belle
belle at bazuin.nl
Fri Aug 30 17:43:07 CEST 2019
Hai Alan,
> -----Original message-----
> From: Alan DeKok [mailto:aland at deployingradius.com]
> Sent: Friday 30 August 2019 14:22
> To: FreeRadius users mailing list
> CC: L.P.H. van Belle
> Subject: Re: problems getting ntlm_auth working.
>
> On Aug 30, 2019, at 7:55 AM, L.P.H. van Belle via
> Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> > Of course, if I'd read everything you were saying.
> > And it's all working now.
>
> Good to hear.
>
> > If you can change one thing in the site's howto then you will never get these questions again.
> > .. Yes, I know it is on the site already, but I would suggest you change this part.
> >
> > 'This configuration needs to be set on all participating Samba member(s) and (Samba4) AD-DC server(s).'
>
> Done.
Great, I hope this also helps you reduce "unneeded" questions.
I googled around and there are a lot of people who were missing that part.
Me included.
>
> > So what did I miss.. Yes, forgot to add to the AD-DC's smb.conf
> > ntlm auth = mschapv2-and-ntlmv2-only
> >
> > After setting that, then "it just works" .. ;-)
> > Pretty stupid of me.. I won't argue that..
>
> Complex systems are complex, and are difficult to get
> right. Admitting mistakes is even harder. :)
Well, we are all human, we are not robots.. Humans are allowed to make mistakes.. Robots not.
It's all about how we handle them.
>
> My evident frustration in many posts is really due to
> giving advice, and then (essentially) getting told to go F myself.
Well, if I made it look like that or feel like that, then please accept my deepest apologies.
I know/understand your frustration totally; we sometimes get these on the Samba list also.
>
> > Just two more questions.
> > 1)
> > We can authenticate 3 ways.
> > username
> > username@REALM
> > NTDOM\username
>
> From the point of view of FreeRADIUS, they're all
> identical. Some string is being used as the User-Name. That
> same string is being used in the MS-CHAP calculations.
>
> However, a possibly *different* string is being used to
> look up users in a database.
>
> That's why we make a clear distinction between User-Name
> (what the user entered), and Stripped-User-Name (what we use
> for database lookups as the users identity).
>
> We *can't* mangle User-Name, because it breaks things like
> MS-CHAP. We also can't use User-Name for DB lookups, because
> it contains things like domain names, which generally aren't
> in the DB.
Oh, so I played around a bit with the settings, resulting now in:
username
username@REALM
username@realm
NTDOM\username
All work fine now.
>
> > If running freeradius on AD-DC.
> > where : winbind use default domain = yes is not working on AD-DC.
> > See output of wbinfo -u
>
> Not attached... ( * NTDOM\username )
>
> > You can login with : username or NTDOM\username.
> > test : radtest -t mschap 'NTDOM\username' 'password' localhost 0 testing123
> > test : radtest -t mschap 'username' 'password' localhost 0 testing123
> >
> > If running freeradius on AD-Member
> > where : winbind use default domain = yes is working.
> > See output of wbinfo -u (* username )
> >
> > You can login with : username or username@REALM
> > test : radtest -t mschap 'username' 'password' localhost 0 testing123
> > test : radtest -t mschap 'username@REALM' 'password' localhost 0 testing123
>
> Why do some things work and others don't? Maybe the wrong
> things are getting passed from FreeRADIUS to ntlm_auth. But
> maybe not. Again, the command-lines are printed out so that
> you can use them to test without running a full RADIUS stack.
>
> But winbind doesn't work, that's a Samba / AD thing. There
> are magical things there which I don't understand.
You're not alone here.. I'm not a coder..
> It's been 15 years since I was tangentially involved in Samba4 development.
So why not join again, it's still a great bunch of people there.
>
> > What is the best way to handle all 3 types?
> > I'm really new with freeradius, I'm trying to understand the configs, but that's not done in a sec.
>
> Generally speaking, punt on the problem. Hand those
> strings to something else, and let it do the work.
Nah, that is not my thing, I want to learn...
I can give someone a fish.. Then next time they come back again.
If I teach people to fish, you're done, they get their own fish.
>
> Or, use a database that returns the "known good" password
> to FreeRADIUS, and let FreeRADIUS do the work. While
> FreeRADIUS is complex, it isn't *stupid*. You can make it do
> pretty much anything you want. And the debug output shows
> you exactly what it's doing, and why.
I'll focus more on the debug outputs..
But you must understand that if one is setting this up,
they most probably don't know/understand anything of what they are seeing..
>
> Contrast that to "helpful" commercial tools. Often the
> best error they produce is "failed". <sigh> It's like they
> have a pathological hatred for their customers, and a
> deep-seated terror of giving the customer any useful information.
Hehe. :-) yeah, totally agree, and I often give too much info..
>
> > 2) A note on the REALM.
> > I notice, and maybe you can verify this.
> >
> > If realm is set as :
> > [libdefaults]
> > default_realm = internal.domain.tld
> >
> > Trying to login with : username@INTERNAL.DOMAIN.TLD does not work.
> > You must match CAPS/non-caps in REALM, correct?
>
> That's really a Samba thing, and I have absolutely no clue about it.
Ah.. Well, I retested this again, and you can ignore it.
It works with and without caps; most probably a leftover from previous testing.
>
> I would *hope* that it's not case sensitive.
>
> > Or can we handle this in the config?
>
> Maybe. It's possible in FreeRADIUS to lowercase the
> domain, and pass that to ntlm_auth. The issue is that the
> MS-CHAP calculations are done using the name *as entered by the user*.
>
> So if Samba doesn't get passed that *exact string*, then
> it's impossible to do the same MS-CHAP calculations, and it's
> impossible to authenticate the user.
Ok, clear, I've learned some things again today (and yesterday) ..
A "resume" of the current working config, I'll post it here
so it gets indexed by Google and is easier for others to find.
Setting up FreeRadius on Debian Buster against Samba 4 AD-DC
# Verified for Debian stretch also. Samba versions 4.5.x up to 4.10.x
# Should work on Ubuntu/devuan also.
# minimal install
apt-get install freeradius winbind krb5-user
# stop the services and go configure these.
systemctl stop freeradius winbind
I have now made the minimal changes, which are:
1) follow the steps on : http://deployingradius.com/
2) follow the steps on : http://deployingradius.com/documents/configuration/active_directory.html
My changes to this example.
# A minimal smb.conf.
# The CAPS here are as they should be by RFC.
netbios name = HOSTNAME
workgroup = MYDOMAIN
security = ADS
realm = REALM.DOMAIN.TLD
# + and for all involved members and (samba4) AD-DC servers add in smb.conf (global):
ntlm auth = mschapv2-and-ntlmv2-only
# + !!!!! setup the other settings for a samba member !!!!!
# https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
# added freerad user to the winbindd_priv group.
usermod -a -G winbindd_priv freerad
From : http://deployingradius.com/documents/configuration/active_directory.html
I skipped the settings but used the tests shown there; go to: Configuring FreeRADIUS to use ntlm_auth
My changes, edit the following :
cd /etc
editor freeradius/3.0/mods-available/ntlm_auth # content is :
exec ntlm_auth {
wait = yes
program = "/usr/bin/ntlm_auth --allow-mschapv2 --request-nt-key --domain=%{mschap:NT-Domain} --username=%{mschap:User-Name} --password=%{User-Password}"
}
editor freeradius/3.0/mods-available/mschap
I enabled these; go to:
# An alternative to using ntlm_auth is to connect to the
# winbind daemon directly for authentication.
# Enable
winbind_username = "%{mschap:User-Name}"
winbind_domain = "%{mschap:NT-Domain}"
Later on :
passchange {
# This supports MS-CHAPv2 (not v1) password change
# requests. See doc/mschap.rst for more IMPORTANT
# information.
ntlm_auth = "/usr/bin/ntlm_auth --helper-protocol=ntlm-change-password-1 --allow-mschapv2"
ntlm_auth_username = "username: %{mschap:User-Name}"
ntlm_auth_domain = "nt-domain: %{mschap:NT-Domain}"
editor freeradius/3.0/sites-available/default
Go to:
authenticate {
# added on top.
ntlm_auth
editor freeradius/3.0/sites-available/inner-tunnel
Go to:
authenticate {
# added on top.
ntlm_auth
systemctl start winbind freeradius
>
> > But thank you for your responces so far.
>
> You're welcome. It's what I do.
>
> Alan DeKok.
And as Alan said, with my above example "it just works", it's amazing :-)
Thanks Alan, and the other people for all the help and support.
And have a great weekend.
Greetz,
Louis
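As an added illustration (not code from FreeRADIUS, Samba or this thread), the Python below splits the three login forms discussed above into the as-entered User-Name, which must stay untouched for the MS-CHAP calculation, and the stripped identity plus domain that feed the ntlm_auth command line from the config summary. It only approximates the %{mschap:User-Name} and %{mschap:NT-Domain} expansions, and the default-domain fallback is this example's own assumption, not rlm_mschap's exact logic.

```python
# Added illustration, not rlm_mschap or Samba code. Approximates how the
# three login forms from the thread split into the two identities Alan
# distinguishes: the exact User-Name (for MS-CHAP) and the stripped name
# plus domain used for the lookup / the ntlm_auth command line.
from typing import Dict, List, Optional


def split_user_name(user_name: str) -> Dict[str, Optional[str]]:
    """Split 'NTDOM\\user', 'user@REALM' or plain 'user' into its parts."""
    nt_domain: Optional[str] = None
    realm: Optional[str] = None
    if "\\" in user_name:
        # NTDOM\username: NetBIOS domain sits before the backslash.
        nt_domain, stripped = user_name.split("\\", 1)
    elif "@" in user_name:
        # username@REALM: Kerberos-style realm sits after the last '@'.
        stripped, realm = user_name.rsplit("@", 1)
    else:
        stripped = user_name
    return {
        "user_name": user_name,          # as entered: feeds the MS-CHAP hash, never mangled
        "stripped_user_name": stripped,  # identity used for database/winbind lookups
        "nt_domain": nt_domain,
        "realm": realm,
    }


def ntlm_auth_argv(user_name: str, password: str, default_domain: str) -> List[str]:
    """Build the argv that the thread's ntlm_auth 'program =' line expands to."""
    parts = split_user_name(user_name)
    # Plain and realm forms carry no NetBIOS domain; fall back to a caller-supplied
    # default (assumption of this example: winbind resolves the realm form itself,
    # as the thread reports for a member with 'winbind use default domain = yes').
    domain = parts["nt_domain"] or default_domain
    return [
        "/usr/bin/ntlm_auth",
        "--allow-mschapv2",
        "--request-nt-key",
        f"--domain={domain}",
        f"--username={parts['stripped_user_name']}",
        f"--password={password}",
    ]


if __name__ == "__main__":
    # Constructed sample logins mirroring the three forms in the thread.
    for login in ("louis", "louis@INTERNAL.DOMAIN.TLD", "NTDOM\\louis"):
        print(login, "->", split_user_name(login))
        print("  argv:", ntlm_auth_argv(login, "password", "MYDOMAIN"))
```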