Computer/Machine Authentication almost working..
Tim ODriscoll
tim.odriscoll at lambrookschool.co.uk
Tue Apr 4 08:16:06 UTC 2023
> My only remaining guess here is that Samba / AD isn't permitting ntlm / mschap authentication.
I've narrowed down the authenticating DC, turned up logging and found this:
ntlm_password_check: NTLMv1 passwords NOT PERMITTED for user tim.odriscoll
ntlm_password_check: NEITHER LanMan nor NT password supplied for user tim.odriscoll
I've got this on all my DCs' /etc/samba/smb.conf files:
ntlm auth = mschapv2-and-ntlmv2-only
So, am I correct in thinking that the ntlm_auth client is not using ntlmv2?
My ntlm_auth debug in FR is (using --allow-mschapv2):
(21) authenticate {
(21) mschap: Client is using MS-CHAPv1 with NT-Password
(21) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --username=%{%{mschap:User-Name}:-00} --allow-mschapv2 --domain=lambrook --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}:
(21) mschap: EXPAND --username=%{%{mschap:User-Name}:-00}
(21) mschap: --> --username=tim.odriscoll
(21) mschap: mschap1: 39
(21) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00}
(21) mschap: --> --challenge=3985fc5b9031d694
(21) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00}
(21) mschap: --> --nt-response=32f3fe95ffa414578c60e77fca9f28af183055a5f46f262d
Perhaps '--allow-mschapv2' doesn't actually mean 'use-mschapv2', only allow it if the client sends it to FR?
Thank you,
Tim
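The two MS-CHAP versions reach ntlm_auth along different paths, and the role of --allow-mschapv2 is easier to see in code. What follows is an added example, not FreeRADIUS or Samba code: a small decoder that takes the Microsoft vendor attributes from an Access-Request, works out whether the peer answered with MS-CHAPv1 or MS-CHAPv2, derives the 8-byte challenge the way RFC 2759 does for v2, and assembles the ntlm_auth argument list with the same flags that appear in the debug output above. Per the smb.conf documentation for ntlm auth = mschapv2-and-ntlmv2-only, a plain NTLMv1 response is refused while an MS-CHAPv2 response is accepted only when ntlm_auth passes --allow-mschapv2; the flag labels the response for the DC, it does not change what the client sent. The attribute bytes, user name and domain are constructed placeholders.

```python
"""Added example: decode MS-CHAP vendor attributes and build ntlm_auth arguments.

Re-implementation for illustration; not code from FreeRADIUS or Samba.
MS-CHAPv1 hands the 8-byte challenge to ntlm_auth as is. MS-CHAPv2 derives the
8-byte challenge from PeerChallenge, AuthenticatorChallenge and the user name
(RFC 2759 section 8.2). Both produce a 24-byte NTLMv1-style NT-Response, so the
DC only learns which one it is looking at from the --allow-mschapv2 flag.
"""
import hashlib
import struct

RADIUS_VENDOR_SPECIFIC = 26
MICROSOFT_VENDOR_ID = 311      # RFC 2548
MS_CHAP_RESPONSE = 1           # MS-CHAPv1 response, 50 bytes
MS_CHAP_CHALLENGE = 11         # 8 bytes for v1, 16 bytes for v2
MS_CHAP2_RESPONSE = 25         # MS-CHAPv2 response, 50 bytes


def parse_vendor_attrs(attrs: bytes) -> dict:
    """Walk a RADIUS attribute list; return {(vendor_id, vendor_type): value}
    for each Vendor-Specific attribute. Other attribute types are skipped."""
    out, pos = {}, 0
    while pos < len(attrs):
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("malformed attribute length")
        body = attrs[pos + 2:pos + alen]
        if atype == RADIUS_VENDOR_SPECIFIC and len(body) >= 6:
            vendor = struct.unpack("!I", body[:4])[0]
            vtype, vlen = body[4], body[5]
            if vlen != len(body) - 4:
                raise ValueError("malformed vendor length")
            out[(vendor, vtype)] = body[6:]
        pos += alen
    return out


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: str) -> bytes:
    """RFC 2759 ChallengeHash(): SHA1(PeerChallenge || AuthenticatorChallenge || UserName)[:8]."""
    h = hashlib.sha1()
    h.update(peer_challenge)
    h.update(auth_challenge)
    h.update(username.encode("ascii"))
    return h.digest()[:8]


def ntlm_auth_args(attrs: bytes, username: str, domain: str) -> dict:
    """Classify the response as MS-CHAPv1 or MS-CHAPv2 and build the ntlm_auth
    argv a RADIUS server would run. --allow-mschapv2 is only added for v2."""
    vsa = parse_vendor_attrs(attrs)
    challenge = vsa.get((MICROSOFT_VENDOR_ID, MS_CHAP_CHALLENGE))
    if challenge is None:
        raise ValueError("no MS-CHAP-Challenge")
    args = ["/usr/bin/ntlm_auth", "--request-nt-key",
            f"--username={username}", f"--domain={domain}"]
    if (MICROSOFT_VENDOR_ID, MS_CHAP2_RESPONSE) in vsa:
        resp = vsa[(MICROSOFT_VENDOR_ID, MS_CHAP2_RESPONSE)]
        if len(resp) != 50 or len(challenge) != 16:
            raise ValueError("bad MS-CHAPv2 response/challenge length")
        # Ident(1) Flags(1) Peer-Challenge(16) Reserved(8) Response(24)
        peer_challenge, nt_response = resp[2:18], resp[26:50]
        chal8, version = challenge_hash(peer_challenge, challenge, username), "MS-CHAPv2"
        args.append("--allow-mschapv2")
    elif (MICROSOFT_VENDOR_ID, MS_CHAP_RESPONSE) in vsa:
        resp = vsa[(MICROSOFT_VENDOR_ID, MS_CHAP_RESPONSE)]
        if len(resp) != 50 or len(challenge) != 8:
            raise ValueError("bad MS-CHAPv1 response/challenge length")
        if resp[1] != 1:  # Flags must say NT-Response is present
            raise ValueError("MS-CHAPv1 LM-Response only; NT-Response required")
        # Ident(1) Flags(1) LM-Response(24) NT-Response(24)
        chal8, nt_response, version = challenge, resp[26:50], "MS-CHAPv1"
    else:
        raise ValueError("no MS-CHAP response attribute")
    args += [f"--challenge={chal8.hex()}", f"--nt-response={nt_response.hex()}"]
    return {"version": version, "argv": args}


def vsa(vtype: int, value: bytes) -> bytes:
    """Encode one Microsoft Vendor-Specific attribute (for constructed test data)."""
    inner = bytes([vtype, len(value) + 2]) + value
    body = struct.pack("!I", MICROSOFT_VENDOR_ID) + inner
    return bytes([RADIUS_VENDOR_SPECIFIC, len(body) + 2]) + body


# Constructed sample requests; challenge and response bytes are placeholders,
# not captured credentials.
V1_REQUEST = (vsa(MS_CHAP_CHALLENGE, bytes(range(8)))
              + vsa(MS_CHAP_RESPONSE, bytes([1, 1]) + bytes(24) + bytes(range(24))))
V2_REQUEST = (vsa(MS_CHAP_CHALLENGE, bytes(range(16)))
              + vsa(MS_CHAP2_RESPONSE,
                    bytes([1, 0]) + bytes(range(16, 32)) + bytes(8) + bytes(range(24))))

if __name__ == "__main__":
    for req in (V1_REQUEST, V2_REQUEST):
        r = ntlm_auth_args(req, "tim.odriscoll", "lambrook")
        print(r["version"], " ".join(r["argv"]))
```

Run stand-alone, the script prints one ntlm_auth command line per sample request; only the MS-CHAPv2 one carries --allow-mschapv2, and its --challenge value is the RFC 2759 hash rather than the raw 16-byte MS-CHAP-Challenge.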