Dear Maintainer,

I wanted to report this issue where winbindd/samba ignores an include config file.

A configuration with an include statement of a file at the end of smb.conf is configured:

/etc/samba/smb.conf
############################
...
include = /etc/samba/smb.conf.admin
############################

/etc/samba/smb.conf.admin
############################
[global]
ntlm auth = mschapv2-and-ntlmv2-only
############################

testparm shows the configuration option "ntlm auth":

# testparm -s
############################
...
[global]
        dns forwarder = 10.0.0.254
        ldap server require strong auth = No
        ntlm auth = mschapv2-and-ntlmv2-only
        passdb backend = samba_dsdb
        printcap name = cups
        realm = FZI.LAN
...
############################

I configured WPA2 Enterprise Radius with freeradius and want to authenticate against AD/Samba users. This test shows that the authentication is not successful (Access-Reject) with the above smb.conf settings:

############################
root@server:~# radtest -t mschap leh1 Tester1 10.0.0.1 0 xxxxx
Sent Access-Request Id 121 from 0.0.0.0:53425 to 10.0.0.1:1812 length 130
        User-Name = "leh1"
        MS-CHAP-Password = "Tester1"
        NAS-IP-Address = 10.0.0.1
        NAS-Port = 0
        Message-Authenticator = 0x00
        Cleartext-Password = "Tester1"
        MS-CHAP-Challenge = 0xbfcd8fe31d3e0f28
        MS-CHAP-Response = 0x000100000000000000000000000000000000000000000000000028dfaf3beb16b16cb696a051487c2942a6bde16cdfdcaee1
Received Access-Reject Id 121 from 10.0.0.1:1812 to 0.0.0.0:0 length 61
        MS-CHAP-Error = "\000E=691 R=1 C=5ed191c90e7fe13a V=2"
(0) -: Expected Access-Accept got Access-Reject
############################

/var/log/samba/log.wb-FZI
############################
[2020/07/31 06:55:09.910525, 3] ../source3/winbindd/winbindd_samr.c:465(sam_name_to_sid)
  sam_name_to_sid
[2020/07/31 06:55:09.912861, 3] ../source3/winbindd/winbindd_rpc.c:272(rpc_name_to_sid)
  name_to_sid: FZI\WIFI for domain FZI
[2020/07/31 06:55:09.913734, 3] ../source3/winbindd/winbindd_pam.c:2138(winbindd_dual_pam_auth_crap)
  [13003]: pam auth crap domain: FZI user: leh1
[2020/07/31 06:55:09.913766, 3] ../source3/auth/auth.c:189(auth_check_ntlm_password)
  check_ntlm_password: Checking password for unmapped user [FZI]\[leh1]@[SERVER] with the new password interface
[2020/07/31 06:55:09.913777, 3] ../source3/auth/auth.c:192(auth_check_ntlm_password)
  check_ntlm_password: mapped user is: [FZI]\[leh1]@[SERVER]
[2020/07/31 06:55:09.914953, 3] ../source4/auth/ntlm/auth.c:240(auth_check_password_send)
  auth_check_password_send: Checking password for unmapped user [FZI]\[leh1]@[SERVER]
  auth_check_password_send: user is: [FZI]\[leh1]@[SERVER]
[2020/07/31 06:55:09.915287, 2] ../libcli/auth/ntlm_check.c:430(ntlm_password_check)
  ntlm_password_check: NTLMv1 passwords NOT PERMITTED for user leh1
[2020/07/31 06:55:09.915301, 3] ../libcli/auth/ntlm_check.c:437(ntlm_password_check)
  ntlm_password_check: NEITHER LanMan nor NT password supplied for user leh1
[2020/07/31 06:55:09.915435, 2] ../libcli/auth/ntlm_check.c:430(ntlm_password_check)
  ntlm_password_check: NTLMv1 passwords NOT PERMITTED for user leh1
[2020/07/31 06:55:09.915447, 3] ../libcli/auth/ntlm_check.c:437(ntlm_password_check)
  ntlm_password_check: NEITHER LanMan nor NT password supplied for user leh1
[2020/07/31 06:55:09.915820, 2] ../source4/auth/ntlm/auth.c:475(auth_check_password_recv)
  auth_check_password_recv: sam authentication for user [FZI\leh1] FAILED with error NT_STATUS_WRONG_PASSWORD, authoritative=1
[2020/07/31 06:55:09.915843, 2] ../auth/auth_log.c:760(log_authentication_event_human_readable)
  Auth: [winbind,(null)] user [FZI]\[leh1] at [Fr, 31 Jul 2020 06:55:09.915836 CEST] with [MSCHAPv2] status [NT_STATUS_WRONG_PASSWORD] workstation [SERVER] remote host [ipv4:127.0.0.1:0] mapped to [FZI]\[leh1].
  local host [ipv4:127.0.0.1:0]
[2020/07/31 06:55:09.915880, 2] ../auth/auth_log.c:220(log_json)
  JSON Authentication: {"timestamp": "2020-07-31T06:55:09.915855+0200", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 0}, "status": "NT_STATUS_WRONG_PASSWORD", "localAddress": "ipv4:127.0.0.1:0", "remoteAddress": "ipv4:127.0.0.1:0", "serviceDescription": "winbind", "authDescription": null, "clientDomain": "FZI", "clientAccount": "leh1", "workstation": "SERVER", "becameAccount": null, "becameDomain": null, "becameSid": "(NULL SID)", "mappedAccount": "leh1", "mappedDomain": "FZI", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": "(NULL SID)", "passwordType": "MSCHAPv2"}}
[2020/07/31 06:55:09.915905, 3] ../auth/auth_log.c:139(get_auth_event_server)
  get_auth_event_server: Failed to find 'auth_event' registered on the message bus to send JSON authentication events to: NT_STATUS_OBJECT_NAME_NOT_FOUND
[2020/07/31 06:55:09.915941, 2] ../source3/auth/auth.c:332(auth_check_ntlm_password)
  check_ntlm_password: Authentication for user [leh1] -> [leh1] FAILED with error NT_STATUS_WRONG_PASSWORD, authoritative=1
[2020/07/31 06:55:09.915958, 2] ../auth/auth_log.c:760(log_authentication_event_human_readable)
  Auth: [winbind,(null)] user [FZI]\[leh1] at [Fr, 31 Jul 2020 06:55:09.915953 CEST] with [MSCHAPv2] status [NT_STATUS_WRONG_PASSWORD] workstation [SERVER] remote host [ipv4:127.0.0.1:0] mapped to [FZI]\[leh1].
  local host [ipv4:127.0.0.1:0]
[2020/07/31 06:55:09.915984, 2] ../auth/auth_log.c:220(log_json)
  JSON Authentication: {"timestamp": "2020-07-31T06:55:09.915968+0200", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 0}, "status": "NT_STATUS_WRONG_PASSWORD", "localAddress": "ipv4:127.0.0.1:0", "remoteAddress": "ipv4:127.0.0.1:0", "serviceDescription": "winbind", "authDescription": null, "clientDomain": "FZI", "clientAccount": "leh1", "workstation": "SERVER", "becameAccount": null, "becameDomain": null, "becameSid": "(NULL SID)", "mappedAccount": "leh1", "mappedDomain": "FZI", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": "(NULL SID)", "passwordType": "MSCHAPv2"}}
[2020/07/31 06:55:09.916013, 2] ../source3/winbindd/winbindd_pam.c:2108(winbind_dual_SamLogon)
  NTLM CRAP authentication for user [FZI]\[leh1] returned NT_STATUS_WRONG_PASSWORD
############################

The same test, but with the config option in smb.conf rather than in an additional include file.

/etc/samba/smb.conf
############################
[global]
...
ntlm auth = mschapv2-and-ntlmv2-only
...
include = /etc/samba/smb.conf.admin
############################

/etc/samba/smb.conf.admin
############################
############################

The authentication is now successful (Access-Accept):

############################
root@server:~# radtest -t mschap leh1 Tester1 10.0.0.1 0 xxxxx
Sent Access-Request Id 23 from 0.0.0.0:47270 to 10.0.0.1:1812 length 130
        User-Name = "leh1"
        MS-CHAP-Password = "Tester1"
        NAS-IP-Address = 10.0.0.1
        NAS-Port = 0
        Message-Authenticator = 0x00
        Cleartext-Password = "Tester1"
        MS-CHAP-Challenge = 0xe18cdecac1c899c6
        MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000cf7cf11a9f554a3cb1227870b69758a6968c9354d11f7f4c
Received Access-Accept Id 23 from 10.0.0.1:1812 to 0.0.0.0:0 length 84
        MS-CHAP-MPPE-Keys = 0x0000000000000000f3a633cc3cbc71f2f3cda7203637260c
        MS-MPPE-Encryption-Policy = Encryption-Allowed
        MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
############################

/var/log/samba/log.wb-FZI
############################
[2020/07/31 06:57:31.863047, 3] ../source3/auth/auth.c:189(auth_check_ntlm_password)
  check_ntlm_password: Checking password for unmapped user [FZI]\[leh1]@[SERVER] with the new password interface
[2020/07/31 06:57:31.863061, 3] ../source3/auth/auth.c:192(auth_check_ntlm_password)
  check_ntlm_password: mapped user is: [FZI]\[leh1]@[SERVER]
[2020/07/31 06:57:31.863174, 3] ../source4/auth/ntlm/auth.c:840(auth_register)
  AUTH backend 'sam' registered
[2020/07/31 06:57:31.863186, 3] ../source4/auth/ntlm/auth.c:840(auth_register)
  AUTH backend 'sam_ignoredomain' registered
[2020/07/31 06:57:31.863195, 3] ../source4/auth/ntlm/auth.c:840(auth_register)
  AUTH backend 'sam_failtrusts' registered
[2020/07/31 06:57:31.863204, 3] ../source4/auth/ntlm/auth.c:840(auth_register)
  AUTH backend 'anonymous' registered
[2020/07/31 06:57:31.863213, 3] ../source4/auth/ntlm/auth.c:840(auth_register)
  AUTH backend 'winbind' registered
[2020/07/31 06:57:31.863226, 3] ../source4/auth/ntlm/auth.c:840(auth_register)
  AUTH backend 'winbind_rodc' registered
[2020/07/31 06:57:31.863234, 3] ../source4/auth/ntlm/auth.c:840(auth_register)
  AUTH backend 'winbind_wbclient' registered
[2020/07/31 06:57:31.863241, 3] ../source4/auth/ntlm/auth.c:840(auth_register)
  AUTH backend 'name_to_ntstatus' registered
[2020/07/31 06:57:31.863249, 3] ../source4/auth/ntlm/auth.c:840(auth_register)
  AUTH backend 'unix' registered
[2020/07/31 06:57:31.865486, 3] ../source4/auth/ntlm/auth.c:240(auth_check_password_send)
  auth_check_password_send: Checking password for unmapped user [FZI]\[leh1]@[SERVER]
  auth_check_password_send: user is: [FZI]\[leh1]@[SERVER]
[2020/07/31 06:57:31.869861, 3] ../auth/auth_log.c:760(log_authentication_event_human_readable)
  Auth: [winbind,(null)] user [FZI]\[leh1] at [Fr, 31 Jul 2020 06:57:31.869843 CEST] with [MSCHAPv2] status [NT_STATUS_OK] workstation [SERVER] remote host [ipv4:127.0.0.1:0] became [FZI]\[leh1] [S-1-5-21-35671526-1933746553-2632869877-1557].
  local host [ipv4:127.0.0.1:0]
[2020/07/31 06:57:31.869939, 3] ../auth/auth_log.c:220(log_json)
  JSON Authentication: {"timestamp": "2020-07-31T06:57:31.869898+0200", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 0}, "status": "NT_STATUS_OK", "localAddress": "ipv4:127.0.0.1:0", "remoteAddress": "ipv4:127.0.0.1:0", "serviceDescription": "winbind", "authDescription": null, "clientDomain": "FZI", "clientAccount": "leh1", "workstation": "SERVER", "becameAccount": "leh1", "becameDomain": "FZI", "becameSid": "S-1-5-21-35671526-1933746553-2632869877-1557", "mappedAccount": "leh1", "mappedDomain": "FZI", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": "(NULL SID)", "passwordType": "MSCHAPv2"}}
[2020/07/31 06:57:31.869979, 3] ../auth/auth_log.c:139(get_auth_event_server)
  get_auth_event_server: Failed to find 'auth_event' registered on the message bus to send JSON authentication events to: NT_STATUS_OBJECT_NAME_NOT_FOUND
[2020/07/31 06:57:31.870036, 3] ../source3/auth/auth.c:256(auth_check_ntlm_password)
  auth_check_ntlm_password: samba4 authentication for user [leh1] succeeded
[2020/07/31 06:57:31.870053, 3] ../auth/auth_log.c:760(log_authentication_event_human_readable)
  Auth: [winbind,(null)] user [FZI]\[leh1] at [Fr, 31 Jul 2020 06:57:31.870048 CEST] with [MSCHAPv2] status [NT_STATUS_OK] workstation [SERVER] remote host [ipv4:127.0.0.1:0] became [FZI]\[leh1] [S-1-5-21-35671526-1933746553-2632869877-1557].
  local host [ipv4:127.0.0.1:0]
[2020/07/31 06:57:31.870084, 3] ../auth/auth_log.c:220(log_json)
  JSON Authentication: {"timestamp": "2020-07-31T06:57:31.870067+0200", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 0}, "status": "NT_STATUS_OK", "localAddress": "ipv4:127.0.0.1:0", "remoteAddress": "ipv4:127.0.0.1:0", "serviceDescription": "winbind", "authDescription": null, "clientDomain": "FZI", "clientAccount": "leh1", "workstation": "SERVER", "becameAccount": "leh1", "becameDomain": "FZI", "becameSid": "S-1-5-21-35671526-1933746553-2632869877-1557", "mappedAccount": "leh1", "mappedDomain": "FZI", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": "(NULL SID)", "passwordType": "MSCHAPv2"}}
[2020/07/31 06:57:31.870110, 2] ../source3/auth/auth.c:314(auth_check_ntlm_password)
  check_ntlm_password: authentication for user [leh1] -> [leh1] -> [(null)] succeeded
############################

This is possibly a bug.

# smbd -V
Version 4.7.6-Ubuntu
# uname -a
Linux server.fzi.lan 4.15.0-112-generic #113-Ubuntu SMP Thu Jul 9 23:41:39 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

Kind regards
Klaus
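The report above relies on testparm to prove that "ntlm auth" is set, yet winbindd behaved as if it were not. The following check is an added example (not part of the thread, and not Samba's own loadparm code): it walks an smb.conf and its include files in evaluation order and reports which file an effective parameter comes from, so settings that live only in an include can be singled out for a real authentication test rather than taken on trust from testparm. The sample config is constructed to mirror the report's layout; it assumes that relative include paths resolve against the including file's directory and that the last definition of a parameter wins.

```python
import re
import tempfile
from pathlib import Path

# Constructed sample with the report's layout: the include is the last line of
# smb.conf and the included file sets "ntlm auth" in its own [global].
SAMPLE_MAIN = "[global]\n   realm = FZI.LAN\n   include = smb.conf.admin\n"
SAMPLE_ADMIN = "[global]\n   ntlm auth = mschapv2-and-ntlmv2-only\n"
_SECTION = re.compile(r"^\[(.+)\]$")
_PARAM = re.compile(r"^([^=]+?)\s*=\s*(.*)$")

def walk_smb_conf(path, section="global"):
    """Yield (section, key, value, source_file) in evaluation order, splicing
    includes in where they appear. Assumption: relative include paths resolve
    against the including file's directory (absolute paths are used as-is)."""
    path = Path(path)
    for raw in path.read_text().splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank or comment
            continue
        if m := _SECTION.match(line):
            section = m.group(1).strip().lower()
            continue
        if not (m := _PARAM.match(line)):
            continue
        key, value = m.group(1).strip().lower(), m.group(2).strip()
        if key == "include":
            yield from walk_smb_conf(path.parent / value, section)
        else:
            yield section, key, value, str(path)

def effective(path, key, section="global"):
    """Last definition wins, as in Samba; returns (value, source_file) or None."""
    hit = None
    for sec, k, v, src in walk_smb_conf(path):
        if sec == section and k == key:
            hit = (v, src)
    return hit

def only_in_includes(path, keys=("ntlm auth",)):
    """Parameters whose effective value is set in an included file, i.e. the ones
    to verify against winbindd's real behaviour instead of trusting testparm."""
    main = str(Path(path))
    return {k: e for k in keys if (e := effective(path, k)) and e[1] != main}

def write_sample():
    d = Path(tempfile.mkdtemp())                 # temp dir for the sample files
    (d / "smb.conf").write_text(SAMPLE_MAIN)
    (d / "smb.conf.admin").write_text(SAMPLE_ADMIN)
    return d / "smb.conf"
```

Running only_in_includes() on a production smb.conf with the parameters you depend on gives the list of settings whose effective value comes from an include; for each of them, a radtest run like the one in the report is the check that counts.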
Hai Klaus,

I see: ntlm_password_check: NTLMv1 passwords NOT PERMITTED for user leh1

Besides you're using an old/unmaintained version, is:
ntlm auth = mschapv2-and-ntlmv2-only
set on the AD-DC and the member server?

And did you adjust the needed freeradius settings?
Can you verify it all based on these sites:
http://deployingradius.com/documents/configuration/active_directory.html
https://wiki.samba.org/index.php/Authenticating_Freeradius_against_Active_Directory
Hello Louis,

On 10.08.20 at 16:08, samba-bugs@samba.org wrote:
> i see: ntlm_password_check: NTLMv1 passwords NOT PERMITTED for user leh1

Yes, because mschapv2-and-ntlmv2-only is ignored in /etc/samba/smb.conf.admin, the authentication is not successful.

> beside your using old/unmaintained version is :
> ntlm auth = mschapv2-and-ntlmv2-only
>
> Set on the AD-DC and the member server?

There is no member server in this setup. Freeradius is running on the same server as the domain controller.

> And did you adjust the needed freeradius settings.
>
> Can you verify it all based on these sites:
> http://deployingradius.com/documents/configuration/active_directory.html
> https://wiki.samba.org/index.php/Authenticating_Freeradius_against_Active_Directory

Of course. And the setup is working when "ntlm auth = mschapv2-and-ntlmv2-only" is written in /etc/smb.conf rather than in an include file. That is the only issue.

Kind regards
Klaus
Hai,

Yes, sorry, I needed to ask that.

Well, in this case you can only do 2 things. I know this works in 4.12.5 at least, because that is where I'm having includes.
Your current samba is unmaintained by samba, so you need to make a bug report at your OS supplier. Or upgrade the servers/samba to a supported samba version.

(Sorry to bring the bad news.)
Hello,

It is not that include files generally do not work. It is rather the case that this statement in particular, which is winbindd specific, is not evaluated. I have not found any other bug report on this topic. So I assume that this one exists in the currently supported version and is not specific to Ubuntu.

Did you really test this option in the current version as I described it?

Kind regards
Klaus