Users randomly rejected when no connection with remote domain controllers

Rodrigo Abrantes Antunes rodrigoantunes at pelotas.ifsul.edu.br
Fri Sep 6 14:03:41 UTC 2024


Citando Alan DeKok <aland at deployingradius.com>:

>   Whatever is going on, the results are clear: this isn't FreeRADIUS.  
>  FreeRADIUS uses ntlm_auth to talk to Samba, and Samba talks with  
> Active Directory.  When something goes wrong, the problem is in  
> ntlm_auth / Samba / Active Directory.

>   Then the issue is either Samba or AD.

So maybe there is a misconfiguration in ntlm_auth or Samba? Could  
someone help me check the configuration, or perhaps the trust  
relationships, etc.?


My FreeRADIUS server needs to be a domain member to authenticate  
against AD. Could the user account I used to join it to the domain  
influence this? What about the account I use in the ldap module?


Here is my config. 10.1.0.3 (adm.ifsul.edu.br) is my domain  
controller and DNS server; I don't use a krb5.conf (should I?).


#### mods-enabled/ntlm_auth (everything else is commented out)

# PAP path only: this exec module runs when a request is steered to it
# (typically `Auth-Type := ntlm_auth` for PAP). MS-CHAP requests never come
# through here -- they use the helper configured in mods-enabled/mschap.
exec ntlm_auth {
         # Block until ntlm_auth exits; its exit code is the accept/reject.
         wait = yes
         # NOTE(review): the cleartext User-Password is passed as a command-line
         # argument, so it is briefly visible in `ps` / /proc/<pid>/cmdline to
         # any local user while ntlm_auth runs. Tolerable on a dedicated RADIUS
         # host, not on a shared one.
         # --domain=ADM is hard-coded: a user from a trusted domain is looked up
         # in ADM no matter what domain they typed.
         # (the value was wrapped by the mail client; it is one line in the file)
         program = "/usr/bin/ntlm_auth --request-nt-key --domain=ADM  
--username=%{mschap:User-Name} --password=%{User-Password}"
}

#### mods-enabled/mschap (everything else is commented out)

# MS-CHAP / MS-CHAPv2 (including EAP-MSCHAPv2 inside PEAP): the challenge and
# NT-Response are handed to winbind via ntlm_auth, which validates them against
# a DC over the netlogon channel; --request-nt-key returns the NT key that
# FreeRADIUS needs for MPPE keying.
mschap {
         # --allow-mschapv2 tells winbind/the DC that this NTLMv1-format response
         # is really MS-CHAPv2, which a Samba DC set to
         # `ntlm auth = mschapv2-and-ntlmv2-only` requires in order to accept it.
         # NOTE(review): unlike the exec module above, no --domain= is given, so
         # ntlm_auth falls back to the smb.conf `workgroup` (ADM). If users from
         # trusted domains log in as DOMAIN\user, consider
         # --domain=%{%{mschap:NT-Domain}:-ADM} -- TODO confirm intended behaviour.
         # NOTE(review): the DC's own NTLM policy is the final arbiter. Windows
         # DCs with NTLM restricted (e.g. "Network security: Restrict NTLM")
         # can reject these pass-through logons; if only some DCs are hardened,
         # the rejections look random.
         # If this FreeRADIUS build has winbind support, winbind_username /
         # winbind_domain talk to winbindd directly (libwbclient) and avoid
         # forking a process per authentication -- optional.
         # (the value was wrapped by the mail client; it is one line in the file)
         ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key  
--allow-mschapv2 --username=%{mschap:User-Name:-None}  
--challenge=%{%{mschap:Challenge}:-00}  
--nt-response=%{%{mschap:NT-Response}:-00}"
}


#### resolv.conf

# Sole resolver. With `password server = *` in smb.conf, winbind locates DCs
# mainly through DNS (SRV records), so if 10.1.0.3 is down or slow winbind
# cannot find *any* DC and every ntlm_auth call fails. A second DC as
# fallback nameserver and a `search adm.ifsul.edu.br` line are worth adding
# -- TODO confirm a second DC exists.
nameserver 10.1.0.3


#### samba

# Global parameters
[global]
         # NOTE(review): this reads like `testparm -v` output (every parameter,
         # defaults included) rather than the smb.conf as written. The few
         # non-default lines (security, realm, workgroup, netbios name, idmap,
         # winbind*) are what matter for the ntlm_auth problem; `testparm -s`
         # prints only those. Values continued on a second line below were
         # wrapped by the mail client.
         abort shutdown script =
         add group script =
         additional dns hostnames =
         add machine script =
         addport command =
         addprinter command =
         add share command =
         add user script =
         add user to group script =
         afs token lifetime = 604800
         afs username map =
         aio max threads = 100
         algorithmic rid base = 1000
         allow dcerpc auth level connect = No
         allow dns updates = secure only
         allow insecure wide links = No
         allow nt4 crypto = No
         # Trusts are allowed but `winbind scan trusted domains = No` further
         # down, so trusted domains are presumably discovered on demand; each
         # lookup of a user from a trusted domain then needs that domain's DCs
         # to be reachable from this host.
         allow trusted domains = Yes
         allow unsafe cluster upgrade = No
         apply group policies = No
         async dns timeout = 10
         async smb echo handler = No
         auth event notification = No
         auto services =
         binddns dir = /var/lib/samba/bind-dns
         bind interfaces only = No
         browse list = Yes
         cache directory = /var/cache/samba
         change notify = Yes
         change share command =
         check password script =
         cldap port = 389
         client ipc max protocol = default
         client ipc min protocol = default
         client ipc signing = default
         client lanman auth = No
         client ldap sasl wrapping = seal
         client max protocol = default
         client min protocol = SMB2_02
         client NTLMv2 auth = Yes
         client plaintext auth = No
         client protection = default
         client schannel = Yes
         client signing = default
         client smb encrypt = default
         client smb3 encryption algorithms = AES-128-GCM, AES-128-CCM,  
AES-256-GCM, AES-256-CCM
         client smb3 signing algorithms = AES-128-GMAC, AES-128-CMAC,  
HMAC-SHA256
         client use kerberos = desired
         client use spnego principal = No
         client use spnego = Yes
         cluster addresses =
         clustering = No
         config backend = file
         config file =
         # winbind writes its own krb5.conf (under the private dir) for the
         # joined realm, which is why day-to-day operation works without
         # /etc/krb5.conf. A minimal /etc/krb5.conf with
         # default_realm = ADM.IFSUL.EDU.BR may still be needed for
         # `net ads join` / `net ads testjoin` / `kinit` -- TODO confirm.
         create krb5 conf = Yes
         ctdbd socket =
         ctdb locktime warn threshold = 0
         ctdb timeout = 0
         cups connection timeout = 30
         cups encrypt = No
         cups server =
         dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr,  
netlogon, lsarpc, drsuapi, dssetup, unixinfo, browser, eventlog6,  
backupkey, dnsserver
         deadtime = 10080
         debug class = No
         debug encryption = No
         debug hires timestamp = Yes
         debug pid = No
         debug prefix timestamp = No
         debug syslog format = No
         winbind debug traceid = No
         debug uid = No
         dedicated keytab file =
         default service =
         defer sharing violations = Yes
         delete group script =
         deleteprinter command =
         delete share command =
         delete user from group script =
         delete user script =
         dgram port = 138
         disable netbios = No
         disable spoolss = No
         dns forwarder =
         dns port = 53
         dns proxy = Yes
         dns update command = /usr/sbin/samba_dnsupdate
         dns zone scavenging = No
         dns zone transfer clients allow =
         dns zone transfer clients deny =
         domain logons = No
         domain master = Auto
         dos charset = CP850
         dsdb event notification = No
         dsdb group change notification = No
         dsdb password event notification = No
         enable asu support = No
         enable core files = Yes
         enable privileges = Yes
         encrypt passwords = Yes
         enhanced browsing = Yes
         enumports command =
         eventlog list =
         get quota command =
         getwd cache = Yes
         gpo update command = /usr/sbin/samba-gpupdate
         guest account = nobody
         host msdfs = Yes
         hostname lookups = No
         idmap backend = tdb
         idmap cache time = 604800
         idmap gid =
         idmap negative cache time = 120
         idmap uid =
         include system krb5 conf = Yes
         init logon delay = 100
         init logon delayed hosts =
         interfaces =
         iprint server =
         kdc default domain supported enctypes = 0
         kdc enable fast = Yes
         kdc force enable rc4 weak session keys = No
         kdc supported enctypes = 0
         keepalive = 300
         kerberos encryption types = all
         kerberos method = default
         kernel change notify = Yes
         kpasswd port = 464
         krb5 port = 88
         lanman auth = No
         large readwrite = Yes
         ldap admin dn =
         ldap connection timeout = 2
         ldap debug level = 0
         ldap debug threshold = 10
         ldap delete dn = No
         ldap deref = auto
         ldap follow referral = Auto
         ldap group suffix =
         ldap idmap suffix =
         ldap machine suffix =
         ldap max anonymous request size = 256000
         ldap max authenticated request size = 16777216
         ldap max search request size = 256000
         ldap page size = 1000
         ldap passwd sync = no
         ldap replication sleep = 1000
         ldap server require strong auth = Yes
         ldap ssl = start tls
         ldap suffix =
         ldap timeout = 15
         ldap user suffix =
         lm announce = Auto
         lm interval = 60
         load printers = Yes
         local master = Yes
         lock directory = /run/samba
         lock spin time = 200
         log file = /var/log/samba/log.%m
         logging = file
         # Too low to explain a rejection. While troubleshooting raise it
         # temporarily, e.g. `log level = 1 auth:10 winbind:10`, and read
         # log.winbindd*: that is where the NT_STATUS returned by the DC for a
         # failed ntlm_auth call is recorded.
         log level = 1
         log nt token command =
         logon drive =
         logon home = \\%N\%U
         logon path = \\%N\%U\profile
         logon script =
         log writeable files on exit = No
         lpq cache time = 30
         lsa over netlogon = No
         # The machine account password is rotated weekly. If a rotation fails
         # (or the trust is otherwise broken) every ntlm_auth call fails;
         # `net ads testjoin` is the quick check.
         machine password timeout = 604800
         mangle prefix = 1
         mangling method = hash2
         map to guest = Bad User
         max disk size = 0
         max log size = 1000
         max mux = 50
         max open files = 16384
         max smbd processes = 0
         max stat cache size = 512
         max ttl = 259200
         max wins ttl = 518400
         max xmit = 16644
         mdns name = netbios
         message command =
         min domain uid = 1000
         min receivefile size = 0
         min wins ttl = 21600
         mit kdc command =
         multicast dns register = Yes
         name cache timeout = 660
         name resolve order = lmhosts wins host bcast
         nbt client socket address = 0.0.0.0
         nbt port = 137
         ncalrpc dir = /run/samba/ncalrpc
         netbios aliases =
         netbios name = IFS01SV004
         netbios scope =
         neutralize nt4 emulation = No
         nmbd bind explicit broadcast = Yes
         nsupdate command = /usr/bin/nsupdate -g
         nt hash store = always
         # Governs NTLM logons *to this smbd*, not what ntlm_auth does as a
         # client: MS-CHAPv2 validation goes to the DC over the netlogon secure
         # channel and the DC's own NTLM policy decides whether it is accepted.
         ntlm auth = ntlmv2-only
         nt pipe support = Yes
         ntp signd socket directory = /var/lib/samba/ntp_signd
         nt status support = Yes
         null passwords = No
         obey pam restrictions = Yes
         old password allowed period = 60
         oplock break wait time = 0
         os2 driver map =
         os level = 20
         pam password change = Yes
         panic action = /usr/share/samba/panic-action %d
         passdb backend = tdbsam
         passdb expand explicit = No
         passwd chat = *Enter\snew\s*\spassword:* %n\n  
*Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
         passwd chat debug = No
         passwd chat timeout = 2
         passwd program = /usr/bin/passwd %u
         password hash gpg key ids =
         password hash userPassword schemes =
         # DCs are located automatically (DNS SRV lookups first), so the single
         # resolver in resolv.conf (10.1.0.3) is on the critical path of every
         # authentication.
         password server = *
         perfcount module =
         pid directory = /run/samba
         preferred master = Auto
         prefork backoff increment = 10
         prefork children = 4
         prefork maximum backoff = 120
         preload modules =
         printcap cache time = 750
         printcap name =
         private dir = /var/lib/samba/private
         raw NTLMv2 auth = No
         read raw = Yes
         # Kerberos realm of the joined domain; paired with `workgroup = ADM`.
         realm = ADM.IFSUL.EDU.BR
         registry shares = No
         reject md5 clients = Yes
         reject md5 servers = Yes
         remote announce =
         remote browse sync =
         rename user script =
         require strong key = Yes
         reset on zero vc = No
         restrict anonymous = 0
         root directory =
         rpc big endian = No
         rpc server dynamic port range = 49152-65535
         rpc server port = 0
         rpc start on demand helpers = Yes
         samba kcc command = /usr/sbin/samba_kcc
         # AD domain member. NOTE(review): `server role` a few lines below
         # reports "standalone server", which is not what an ADS member normally
         # shows (expected: member server) -- TODO confirm with `testparm -s`
         # that no explicit `server role` line is overriding it.
         security = ADS
         server max protocol = SMB3
         server min protocol = SMB2_02
         server multi channel support = Yes
         server role = standalone server
         server schannel = Yes
         server schannel require seal = Yes
         # Presumably just the printed default (AD DC service list); not used by
         # a member server.
         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,  
drepl, winbindd, ntp_signd, kcc, dnsupdate, dns
         server signing = default
         server smb3 encryption algorithms = AES-128-GCM, AES-128-CCM,  
AES-256-GCM, AES-256-CCM
         server smb3 signing algorithms = AES-128-GMAC, AES-128-CMAC,  
HMAC-SHA256
         server string = Samba 4.17.9-Debian
         set primary group script =
         set quota command =
         show add printer wizard = Yes
         shutdown script =
         smb1 unix extensions = Yes
         smb2 disable lock sequence checking = No
         smb2 disable oplock break retry = No
         smb2 leases = Yes
         smb2 max credits = 8192
         smb2 max read = 8388608
         smb2 max trans = 8388608
         smb2 max write = 8388608
         smbd profiling level = off
         smb passwd file = /etc/samba/smbpasswd
         smb ports = 445 139
         socket options = TCP_NODELAY
         spn update command = /usr/sbin/samba_spnupdate
         stat cache = Yes
         state directory = /var/lib/samba
         svcctl list =
         syslog = 1
         syslog only = No
         template homedir = /home/%D/%U
         template shell = /bin/false
         time server = No
         timestamp logs = Yes
         # The tls* settings belong to Samba's own LDAP server (AD DC role);
         # they do not affect the FreeRADIUS ldap module's connection to the DC.
         tls cafile = tls/ca.pem
         tls certfile = tls/cert.pem
         tls crlfile =
         tls dh params file =
         tls enabled = Yes
         tls keyfile = tls/key.pem
         tls priority = NORMAL:-VERS-SSL3.0
         tls verify peer = as_strict_as_possible
         unicode = Yes
         unix charset = UTF-8
         unix password sync = Yes
         use mmap = Yes
         username level = 0
         username map =
         username map cache time = 0
         username map script =
         usershare allow guests = Yes
         usershare max shares = 100
         usershare owner only = Yes
         usershare path = /var/lib/samba/usershares
         usershare prefix allow list =
         usershare prefix deny list =
         usershare template share =
         utmp = No
         utmp directory =
         winbind cache time = 300
         winbindd socket directory = /run/samba/winbindd
         winbind enum groups = No
         winbind enum users = No
         winbind expand groups = 0
         winbind max clients = 200
         winbind max domain connections = 1
         winbind nested groups = Yes
         winbind normalize names = No
         winbind nss info = template
         winbind offline logon = No
         # A request to a DC that has become unreachable presumably waits up to
         # `winbind request timeout` (60 s) before winbind gives up and, after
         # the 30 s reconnect delay, tries another DC. RADIUS clients time out
         # after a few seconds, so during a DC outage/failover requests that
         # would otherwise succeed surface as rejections or timeouts.
         winbind reconnect delay = 30
         winbind refresh tickets = No
         winbind request timeout = 60
         winbind rpc only = No
         # See `allow trusted domains` above.
         winbind scan trusted domains = No
         winbind sealed pipes = Yes
         winbind separator = \
         winbind use default domain = No
         winbind use krb5 enterprise principals = Yes
         wins hook =
         wins proxy = No
         wins server =
         wins support = No
         # NetBIOS domain name; this is what ntlm_auth uses when no --domain= is
         # passed (the mschap helper in FreeRADIUS passes none).
         workgroup = ADM
         write raw = Yes
         wtmp directory =
         # NOTE(review): no `idmap config * : range` is visible. winbindd logs an
         # error for the default domain when the range is missing; ntlm_auth
         # does not need ID mapping to authenticate, but the error noise hides
         # real problems -- add a range (e.g. 3000-7999) if it really is absent.
         idmap config * : backend = tdb
         access based share enum = No
         acl allow execute always = No
         acl check permissions = Yes
         acl flag inherited canonicalization = Yes
         acl group control = No
         acl map full control = Yes
         administrative share = No
         admin users =
         afs share = No
         aio read size = 1
         aio write behind =
         aio write size = 1
         allocation roundup size = 0
         available = Yes
         blocking locks = Yes
         block size = 1024
         browseable = Yes
         case sensitive = Auto
         check parent directory delete on close = No
         comment =
         copy =
         create mask = 0744
         csc policy = manual
         cups options =
         default case = lower
         default devmode = Yes
         delete readonly = No
         delete veto files = No
         dfree cache time = 0
         dfree command =
         directory mask = 0755
         directory name cache size = 100
         dmapi support = No
         dont descend =
         dos filemode = No
         dos filetime resolution = No
         dos filetimes = Yes
         durable handles = Yes
         ea support = Yes
         fake directory create times = No
         fake oplocks = No
         follow symlinks = Yes
         smbd force process locks = No
         force create mode = 0000
         force directory mode = 0000
         force group =
         force printername = No
         force unknown acl user = No
         force user =
         fstype = NTFS
         guest ok = No
         guest only = No
         hide dot files = Yes
         hide files =
         hide new files timeout = 0
         hide special files = No
         hide unreadable = No
         hide unwriteable files = No
         honor change notify privilege = No
         hosts allow =
         hosts deny =
         include =
         inherit acls = No
         inherit owner = no
         inherit permissions = No
         invalid users =
         kernel oplocks = No
         kernel share modes = No
         level2 oplocks = Yes
         locking = Yes
         lppause command =
         lpq command = %p
         lpresume command =
         lprm command =
         magic output =
         magic script =
         mangled names = illegal
         mangling char = ~
         map acl inherit = No
         map archive = Yes
         map hidden = No
         map readonly = no
         map system = No
         max connections = 0
         max print jobs = 1000
         max reported print jobs = 0
         min print space = 0
         msdfs proxy =
         msdfs root = No
         msdfs shuffle referrals = No
         nt acl support = Yes
         ntvfs handler = unixuid, default
         oplocks = Yes
         path =
         posix locking = Yes
         postexec =
         preexec =
         preexec close = No
         preserve case = Yes
         printable = No
         print command =
         printer name =
         printing = cups
         printjob username = %U
         print notify backchannel = No
         queuepause command =
         queueresume command =
         read list =
         read only = Yes
         root postexec =
         root preexec =
         root preexec close = No
         server smb encrypt = default
         short preserve case = Yes
         smbd async dosmode = No
         smbd getinfo ask sharemode = Yes
         smbd max async dosmode = 0
         smbd max xattr size = 65536
         smbd search ask sharemode = Yes
         spotlight = No
         spotlight backend = noindex
         store dos attributes = Yes
         strict allocate = No
         strict locking = Auto
         strict rename = No
         strict sync = Yes
         sync always = No
         use client driver = No
         use sendfile = No
         valid users =
         veto files =
         veto oplock files =
         vfs objects =
         volume =
         volume serial number = -1
         wide links = No
         write list =


# NOTE(review): a RADIUS server needs only winbindd for ntlm_auth; the file
# and print shares below (served by smbd/nmbd) are unnecessary exposure on this
# host and can be dropped, or smbd/nmbd simply not run.
[homes]
         browseable = No
         comment = Home Directories
         create mask = 0700
         directory mask = 0700
         # Only the owner of the home directory may connect to it.
         valid users = %S


# Print spool share; not needed on a RADIUS host (see the note on [homes]).
[printers]
         browseable = No
         comment = All Printers
         create mask = 0700
         # Spool files land in world-writable /var/tmp.
         path = /var/tmp
         printable = Yes


# Printer driver share; read-only via the global `read only = Yes` default.
# Not needed on a RADIUS host (see the note on [homes]).
[print$]
         comment = Printer Drivers
         path = /var/lib/samba/printers











