[Samba] [EXTERNAL] Re: Can ntlm_auth version 3.5.10 be used to perform ntlmv2 authentication against a w2008 DC?
Andrew Bartlett
abartlet at samba.org
Tue Mar 6 19:55:39 MST 2012
On Tue, 2012-03-06 at 19:52 -0700, Glenn Machin wrote:
> Well I cannot provide proof that the Microsoft radius server is
> setting the bit. However setting the MSV1_0_ALLOW_MSVCHAPV2 bit in
> the request.data.auth_crap.logon_parameters of the
> contact_winbind_auth_crap() function fixes the issue with ntlm_auth
> not being able to authenticate mschapv2 to a W2008 DC where the
> LMCompatibility level is set to 5 => "Clients use only NTLMv2
> authentication, and they use NTLMv2 session security if the server
> supports it. Domain controller refuses LM and NTLM authentication
> responses, but it accepts NTLMv2".
>
> ntlm_auth.c:
> request.data.auth_crap.logon_parameters =
>     MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT |
>     MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT | MSV1_0_ALLOW_MSVCHAPV2;
Thanks. I'll try and sort this out, and check if NTLM2 session security
(NTLMSSP) also sets this. Shouldn't be too hard with a Windows member
of Samba4.
I'm sorry this has taken so many years.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org