we plan to use Samba4 (samba-4.3.7) as well as Cisco Identity Service Engine (ISE-1.4) for authentication purpuses in our WLAN environment with PEAP and MS-ChapV2. In this scenario the ISE asks the Samba4 for verifying the user credentials via MS-RPC.
Joning the ISE into Samba4 works well as well as Kerberos-authentication. Unfortunately MS-RPC-authentication (which is required for MS-ChapV2) does not work. The reason is that Cisco uses the MS-RPC protocol feature called “Security Context Multiplexing” (https://msdn.microsoft.com/en-us/library/cc243716.aspx). Altough the ISE should proof whether Samba4 can handle that feature or not the ISE assumes that all Active Directory implementations can handle those requests and uses them. Unfortunately Samba4 cannot deal with that…
Created attachment 12059 [details]
debug logs of Cisco ISE
Created attachment 12060 [details]
tcpdump of communication between Ciso ISE and Samba4
Cisco ISE: 10.142.235.93
Packet 22 is relevant
Created attachment 12061 [details]
debug level 10 log of Samba4 (log.samba)
(In reply to Stephan Hendl from comment #3)
Thanks for the captures it's pretty clear, bug #7113
contains a similar issue.
(In reply to Stefan Metzmacher from comment #4)
bug #7113 was not really related.
The bug is fixed with 4.10.0rc1
Please notice that "server schannel = auto" or "server schannel = no"
is very dangerous, see
[CVE-2020-1472] [SECURITY] Samba impact of "ZeroLogin"