
question about ntlm



Samba - General mailing list
Hi,

Since I'm still having problems reading the man smb.conf about the NTLM settings, I'm asking here.

How do I allow NTLM auth for my proxy?

I have been playing around with:

        client NTLMv2 auth
        raw NTLMv2 auth
        ntlm auth
        lanman auth

I've added the proxy user to the winbind_privileged group, and did set the needed rights.

chgrp winbindd_priv /var/lib/samba/winbindd_privileged/
adduser proxy winbindd_priv

I'm trying to keep as much as possible to the default settings.

I'm testing the following.

ntlm_auth --request-nt-key --username=someTestUser
ntlm_auth --request-lm-key --username=someTestUser
ntlm_auth --username=someTestUser --ntlmv2
ntlm_auth --username=someTestUser --lanman
ntlm_auth --username=someTestUser --krb5auth=someTestUser
ntlm_auth --diagnostics --username=someTestUser
wbinfo -a someTestUser
wbinfo --krb5auth=someTestUser
wbinfo --krb5auth='NTDOM\someTestUser'
wbinfo --krb5auth='someTestUser@ INTERNAL.DOMAIN.TLD'

Situation.

Samba AD DC 4.5.3

Config: (left out the shares, the question is about auth)

[global]
        workgroup = NTDOM
        realm = INTERNAL.DOMAIN.TLD
        netbios name = DC1
        server role = active directory domain controller
        server services = -dns
        interfaces = 192.168.0.1 127.0.0.1
        bind interfaces only = yes
        time server = yes
        idmap_ldb:use rfc2307 = yes
        winbind nss info = rfc2307
        winbind expand groups = 4
        template shell = /bin/bash
        template homedir = /home/users/%U
        tls enabled = yes

My client setup.

Samba member 4.5.5 (and testing 4.5.3 also)

[global]
    workgroup = NTDOM
    security = ads
    realm = INTERNAL.DOMAIN.TLD
    netbios name = PROXY2
    preferred master = no
    domain master = no
    host msdfs = no
    interfaces = 192.168.0.2 127.0.0.1
    bind interfaces only = yes
    dns proxy = yes
    tls enabled = yes
    idmap config *:backend = tdb
    idmap config *:range = 2000-9999
    idmap config NTDOM : backend = ad
    idmap config NTDOM : schema_mode = rfc2307
    idmap config NTDOM : range = 10000-3999999
    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab
    winbind refresh tickets = yes
    winbind nss info = rfc2307
    winbind trusted domains only = no
    winbind offline logon = yes
    winbind expand groups = 4

Now I'm asking, where do we set what to make this work?

When I set in my proxy smb.conf

    lanman auth = yes
    raw NTLMv2 auth = yes
    ntlm auth = yes

I'm getting the same results as with the above but = no.

And I'm testing:

wbinfo -a "NTDOM\someTestUser"
Enter NTDOM\someTestUser's password:
plaintext password authentication succeeded
Enter NTDOM\someTestUser's password:
challenge/response password authentication failed
wbcAuthenticateUserEx(NTDOM\someTestUser): error code was NT_STATUS_WRONG_PASSWORD (0xc000006a)
error message was: Wrong Password
Could not authenticate user NTDOM\someTestUser with challenge/response

And same result for: wbinfo -a [hidden email]

If a default setting is like: client plaintext auth = no
why do I get: plaintext password authentication succeeded

What is missing in my setup? Or do I have to set up a less secure AD DC to make this work?

I'm still having a hard time figuring out if a setting is AD DC or member only, and man smb.conf isn't telling me what I need to know.

So I don't get it. :-(( Help :-))

Any assistance here is very welcome. ;-)

Greetz,

Louis

 

 

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: question about ntlm

Samba - General mailing list
1) Does the user you are running wbinfo with have access to the winbind_privileged folder?
2) Does running "wbinfo --ntlmv2 -a 'DOMAIN\sometestuser'" change the response you get?

On 15/02/2017 12:24, L.P.H. van Belle via samba wrote:

> Hai,
>
>  
>
> Since im still having problems reading the man smb.conf about the NTLM settings, im asking here.
>
> How do i allow NTLM auth for my proxy.
>
>  
>
> I have been playing around with :
>
>  
>
>          client NTLMv2 auth
>
>          raw NTLMv2 auth
>
>          ntlm auth
>
>          lanman auth
>
>  
>
> i’ve added the proxy user to the winbind_privileged group.
>
> and did set the needed rights.
>
> chgrp winbindd_priv /var/lib/samba/winbindd_privileged/
>
> adduser proxy winbindd_priv
>
>  
>
> Im trying to keep as much as possible to the default settings.
>
> Im testing the following.
>
>  
>
> ntlm_auth --request-nt-key --username=someTestUser
>
> ntlm_auth --request-lm-key --username=someTestUser
>
> ntlm_auth --username=someTestUser --ntlmv2
>
> ntlm_auth --username=someTestUser –lanman
>
> ntlm_auth --username=someTestUser --krb5auth=someTestUser
>
> ntlm_auth --diagnostics --username=someTestUser
>
> wbinfo -a someTestUser
>
> wbinfo --krb5auth=someTestUser
>
> wbinfo --krb5auth='NTDOM\someTestUser'
>
> wbinfo --krb5auth='someTestUser@ INTERNAL.DOMAIN.TLD’
>
>  
>
>  
>
> Situation .
>
> Samba AD DC. 4.5.3
>
> Config : ( left out the shares, the question is about auth )
>
> [global]
>
>          workgroup = NTDOM
>
>          realm = INTERNAL.DOMAIN.TLD
>
>          netbios name = DC1
>
>          server role = active directory domain controller
>
>          server services = -dns
>
>          interfaces = 192.168.0.1 127.0.0.1
>
>          bind interfaces only = yes
>
>          time server = yes
>
>          idmap_ldb:use rfc2307 = yes
>
>          winbind nss info = rfc2307
>
>          winbind expand groups = 4
>
>          template shell = /bin/bash
>
>          template homedir = /home/users/%U
>
>          tls enabled = yes
>
>  
>
> My client setup.
>
> Samba member 4.5.5  ( and testing 4.5.3 also )
>
> [global]
>
>      workgroup = NTDOM
>
>      security = ads
>
>      realm = INTERNAL.DOMAIN.TLD
>
>      netbios name = PROXY2
>
>      preferred master = no
>
>      domain master = no
>
>      host msdfs = no
>
>      interfaces = 192.168.0.2 127.0.0.1
>
>      bind interfaces only = yes
>
>      dns proxy = yes
>
>      tls enabled = yes
>
>      idmap config *:backend = tdb
>
>      idmap config *:range = 2000-9999
>
>      idmap config NTDOM : backend = ad
>
>      idmap config NTDOM : schema_mode = rfc2307
>
>      idmap config NTDOM : range = 10000-3999999
>
>      dedicated keytab file = /etc/krb5.keytab
>
>      kerberos method = secrets and keytab
>
>      winbind refresh tickets = yes
>
>      winbind nss info = rfc2307
>
>      winbind trusted domains only = no
>
>      winbind offline logon = yes
>
>      winbind expand groups = 4
>
>  
>
>  
>
> Now im asking, where do we set what to make this work.
>
>  
>
> When i set in my proxy smb.conf
>
>      lanman auth = yes
>
>      raw NTLMv2 auth = yes
>
>      ntlm auth = yes
>
> im getting the same results as with above but =no
>
>  
>
> and im testing:
>
>  
>
> wbinfo -a "NTDOM\someTestUser"
>
> Enter NTDOM\someTestUser's password:
>
> plaintext password authentication succeeded
>
> Enter NTDOM\someTestUser's password:
>
> challenge/response password authentication failed
>
> wbcAuthenticateUserEx(NTDOM\someTestUser): error code was NT_STATUS_WRONG_PASSWORD (0xc000006a)
>
> error message was: Wrong Password
>
> Could not authenticate user NTDOM\someTestUser with challenge/response
>
> And same result for : wbinfo -a  [hidden email]
>
>  
>
> If a default setting is like :  client plaintext auth = no
>
> why do i get : plaintext password authentication succeeded
>
>  
>
> What is missing in my setup? Or do i have to setup a less secure AD DC to make this work?
>
> Im still having a hard time to figure out if a setting is ADDC or member only and man smb.conf isnt telling me what i need to know.
>
>  
>
> so i dont get it.  :-((  Help :-))
>
>  
>
> Any assistance here is very welkom.  ;-)
>
>  
>
>  
>
> Greetz,
>
>  
>
> Louis
>
>  
>
>  
>

--
Vinicius Silva
SOC
www.e-trust.com.br

Re: question about ntlm

Samba - General mailing list
A1) Yes, I test as root.

A2) wbinfo --ntlmv2 -a "someTestUser"
    wbinfo --ntlmv2 -a "NTDOM\someTestUser"
    wbinfo --ntlmv2 -a "[hidden email]"

These all work with default settings.
raw NTLMv2 auth = no
ntlm auth = no
lanman auth = no


Greetz,

Louis



> -----Original message-----
> From: samba [mailto:[hidden email]] On behalf of Vinicius Bones
> Silva via samba
> Sent: Wednesday, 15 February 2017 15:48
> To: [hidden email]
> Subject: Re: [Samba] question about ntlm
>
> [quoted reply and original message, see above]