challenge/response problem in 4.5.5


challenge/response problem in 4.5.5

Samba - General mailing list
Freely quoting from something I posted on #samba a couple of hours ago:

###########
It appears that challenge/response is actually broken in 4.5.5. Have upgraded 4 DCs and now winbind/freeradius does not work.
Focused on the RADIUS box thinking that was the problem -- till I finally ran

wbinfo -a user%password

on all the DCs, and they all behaved the same: plaintext succeeded, challenge/response failed.
Configured up yet another DC running 4.2, and on that one challenge/response works.

Is there any way to temporarily force the freeradius unit to talk only to the 4.2 DC? -- It looks like you can force -S servername on net ads join. Will that stay, though?
##########

I managed to get my freeradius up and running using net join -S. Now winbind sends its queries to the server based on the current Debian 4.2 package. I'm on pins and needles, though, thinking that it might switch. (I also have "password server" set in smb.conf, which I know I'm not supposed to do.) So much is riding on that RADIUS server being functional.

Issues:
1) I would have posted this on Bugzilla, but it doesn't present me with an account creation form when I click on "new account". But I'm ready to give results from any requested tests.
2) It's entirely possible that I am framing this wrongly, and that there is some other issue that is causing challenge/response to fail. I'm not seeing any reference to it in the Samba release change logs in the releases since.
3) It looks like someone else posted a similar problem about a 4.6.0 git compile in September but didn't answer when Roland asked for further info. I'll do my best to send as much info as necessary.
4) I'm a little gun-shy now of the 'stable' designation on the Samba wiki site. It's been a stressful couple of days.
5) There must be other functionality suffering from not being able to do challenge/response.
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: challenge/response problem in 4.5.5

Configuration info:
All of my domain controllers have been Debian-based Samba tarball compiles. The tarballs have, when I've had a space to upgrade them, been the latest stable version. Only my temporary DC is a stock Debian Samba package.

    On Saturday, 11 March 2017, 23:00, ray klassen <[hidden email]> wrote:

Re: challenge/response problem in 4.5.5

On Sun, 2017-03-12 at 07:04 +0000, ray klassen via samba wrote:
> is there any way to temporarily force the freeradius unit to talk
> only to the 4.2 dc?   --  It looks like you can force -S servername
> on net ads join. Will that stay, though?

If your issue is FreeRADIUS, then presumably you are using MSCHAPv2,
and it is the first item in the WHATSNEW:

https://www.samba.org/samba/history/samba-4.5.0.html

Setting 'ntlm auth = yes' should help.

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba


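A small triage script, added here as an illustration and not taken from the thread or from Samba itself, that applies Andrew's diagnosis to the symptom Ray saw: it reads the effective `ntlm auth` value from an smb.conf fragment and pairs it with the plaintext-ok / challenge-response-failed pattern from `wbinfo -a`. The smb.conf text, the `wbinfo` output wording and the `NTLM_ALLOWED` list are constructed assumptions.

```python
"""Triage for the symptom in this thread: after a Samba 4.5 upgrade,
'wbinfo -a user%password' reports plaintext OK but challenge/response failed.
All inputs below are constructed samples; the wbinfo wording is assumed."""
import re

SAMPLE_SMB_CONF = """# constructed: a 4.5 DC whose smb.conf never sets 'ntlm auth'
[global]
    workgroup = EXAMPLE
    server role = active directory domain controller
"""
SAMPLE_WBINFO = """plaintext password authentication succeeded
challenge/response password authentication failed
"""
# Values that still let MSCHAPv2 (NTLMv1-style challenge/response) work.
# 'mschapv2-and-ntlmv2-only' only exists from Samba 4.7 onwards.
NTLM_ALLOWED = ("yes", "true", "1", "mschapv2-and-ntlmv2-only")

def ntlm_auth_setting(smb_conf: str) -> str:
    """Effective 'ntlm auth' value in [global]. Samba 4.5.0 flipped the
    default to 'no' (NTLMv1 off), so a missing line means that default."""
    section = None
    for raw in smb_conf.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        m = re.match(r"\[(.+)\]$", line)
        if m:
            section = m.group(1).strip().lower()
        elif section == "global" and "=" in line:
            key, _, val = line.partition("=")
            if key.strip().lower().replace(" ", "") == "ntlmauth":
                return val.strip().lower()
    return "no (4.5 default, not set)"

def wbinfo_results(output: str) -> dict:
    """Map each method wbinfo -a reports on to True (succeeded) / False."""
    results = {}
    for line in output.lower().splitlines():
        for method in ("plaintext", "challenge/response"):
            if method in line:
                results[method] = "succeeded" in line
    return results

def diagnose(smb_conf: str, wbinfo_out: str) -> str:
    res, setting = wbinfo_results(wbinfo_out), ntlm_auth_setting(smb_conf)
    if res.get("challenge/response") is not False:
        return "no challenge/response problem detected"
    if res.get("plaintext") and setting not in NTLM_ALLOWED:
        return ("challenge/response failed while plaintext worked and "
                "'ntlm auth' is %s: NTLMv1 is disabled, which breaks "
                "MSCHAPv2 through winbind (WHATSNEW 4.5.0)" % setting)
    return "challenge/response failed for another reason; check winbind logs"
```

Setting `ntlm auth = yes` re-enables NTLMv1 domain-wide, so it is worth recording that decision and revisiting it once a narrower option (such as the 4.7 value above) is available on the DCs.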

Re: challenge/response problem in 4.5.5

Well yes it did then. Thank you!
But then it is interesting that "wbinfo -a" would also report a simple failure.
To me "plaintext" authorization looks(!) basic and "challenge/response" looks(!) more advanced.
The impression is that there is something missing that should(!) be working.

 

    On Sunday, 12 March 2017, 0:14, Andrew Bartlett via samba <[hidden email]> wrote: