• [Samba] challenge/response problem in 4.5.5

    From ray klassen via samba@21:1/5 to All on Sun Mar 12 08:30:02 2017
    configuration info
    All of my domain controllers have been Debian-based Samba tarball compiles. The tarballs have, when I've had a space to upgrade them, been the latest stable version. Only my temporary DC is a stock Debian Samba package.

    On Saturday, 11 March 2017, 23:00, ray klassen <julius_ahenobarbus@yahoo.co.uk> wrote:


    freely quoting from something I posted on #samba a couple of hours ago

    ###########
    It appears that challenge/response is actually broken in 4.5.5. Have upgraded 4 DCs and now winbind/freeradius does not work.
    Focused on the radius box thinking that was the problem -- till I finally ran

    wbinfo -a user%password

    on all the DCs and they all behaved the same -> plaintext succeeded, challenge/response failed.
    Configured up yet another DC running 4.2 and on that one challenge/response works.

    Is there any way to temporarily force the freeradius unit to talk only to the 4.2 DC? -- It looks like you can force -S servername on net ads join. Will that stay, though?
    ##########

    I managed to get my freeradius up and running using net join -S. Now winbind sends its queries to the server based on the current Debian 4.2 package. I'm on pins and needles though thinking that it might switch. (I also have "password server" set in smb.conf which I know I'm not supposed to do). So much is riding on that radius server being functional.

    Issues.
    1) I would have posted this on Bugzilla, but it doesn't present me with an account creation form when I click on new account. But I'm ready to give results from any requested tests.
    2) It's entirely possible that I am framing this wrongly, that there is some other issue that is causing challenge/response to fail. I'm not seeing any reference to it in Samba release change logs in the releases since.
    3) It looks like someone else posted a similar problem about a 4.6.0 git compile in September but didn't answer when Roland asked for further info. I'll do my best to send as much info as necessary.
    4) I'm a little gun-shy now of the 'stable' designation on the Samba wiki site. It's been a stressful couple of days.
    5) There must be other functionality suffering from not being able to do challenge/response.



    --
    To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Andrew Bartlett via samba@21:1/5 to ray klassen via samba on Sun Mar 12 09:20:02 2017
    On Sun, 2017-03-12 at 07:04 +0000, ray klassen via samba wrote:
    is there any way to temporarily force the freeradius unit to talk
    only to the 4.2 dc?   --  It looks like you can force -S servername
    on net ads join. Will that stay, though?

    If your issue is FreeRADIUS, then presumably you are using MSCHAPv2,
    and it is the first item in the WHATSNEW:

    https://www.samba.org/samba/history/samba-4.5.0.html

    Setting 'ntlm auth = yes' should help.

    Andrew Bartlett

    --
    Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org
    Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba


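    Added example (not from the thread, and not Samba or FreeRADIUS code): a small Python check that parses an smb.conf and reports the effective 'ntlm auth' value for a given Samba version, encoding the 4.5.0 default change Andrew points at. The smb.conf text is constructed; the 'mschapv2-and-ntlmv2-only' value it also accepts is the narrower setting Samba added later (4.7), which goes beyond what this thread discusses.

```python
"""Check whether an smb.conf permits the challenge/response path that
winbind's MSCHAPv2 handling (FreeRADIUS via ntlm_auth) needs, for a given
Samba version.  Added example for this thread, not Samba/FreeRADIUS code.
Rule encoded: from Samba 4.5.0 the 'ntlm auth' option defaults to 'no'."""
import re

# Constructed smb.conf fragment standing in for the poster's DC.
SAMPLE_SMB_CONF = """\
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.LAN
    server role = active directory domain controller
    ; password server = dc1   (left commented out, as the poster notes it should be)

[sysvol]
    path = /var/lib/samba/sysvol
"""

def parse_smb_conf(text):
    """Return {section: {key: value}} with lower-cased section/key names;
    blank lines and ';' or '#' comment lines are dropped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections

def ntlm_auth_effective(conf, samba_version):
    """Explicit 'ntlm auth' if set, else the version default
    ('yes' before 4.5.0, 'no' from 4.5.0 on)."""
    explicit = conf.get("global", {}).get("ntlm auth")
    if explicit is not None:
        return explicit.lower()
    major, minor = (int(x) for x in samba_version.split(".")[:2])
    return "no" if (major, minor) >= (4, 5) else "yes"

def mschapv2_will_work(conf, samba_version):
    """True when the challenge/response used by MSCHAPv2 is permitted.
    'yes' re-enables NTLMv1 for everything; the 4.7+ value
    'mschapv2-and-ntlmv2-only' (assumed here) is the narrower alternative."""
    value = ntlm_auth_effective(conf, samba_version)
    return value in ("yes", "true", "1", "mschapv2-and-ntlmv2-only")
```

    Run against the sample, the same configuration passes on 4.2.x and fails on 4.5.5 until 'ntlm auth' is set explicitly, which is exactly the behaviour change the poster saw.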
  • From ray klassen via samba@21:1/5 to ray klassen via samba on Sun Mar 12 15:10:02 2017
    Well, yes, it did then. Thank you!
    But then it is interesting that "wbinfo -a" would also report a simple failure. To me "plaintext" authorization looks(!) basic and "challenge/response" looks(!) more advanced.
    The impression is that there is something missing that should(!) be working.


