[Samba] Using ntlm_auth to authneticate to an NTLMv2 AD

Andrew Bartlett abartlet at samba.org
Fri Mar 10 06:55:52 GMT 2006

On Thu, 2006-03-09 at 16:48 +0000, Alex Sharaz wrote:
> Chaps,
> I'm trying to get a radius server to authenticate to AD via the samba
> ntlm_auth program.

>  If we turn down the AD auth to use ntlm then authentication works o.k.

The problem is that MSCHAPv2 is cryptographically equivalent to NTLM,
not NTLMv2 at the DC end.  I suspect there is a flag we need to send to
the DC, to make it ignore it's own policy here.

Any help chasing this down gratefully appreciated:  Mostly I need to see
how an MS RADIUS server would achieve the same results, but with 'secure
channel: require signing' set, rather than sealing (it is a local/domain
policy).  (This will allow the collection of an ethereal trace between
the RADIUS server and the DC).

Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 191 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/samba/attachments/20060310/4a4f90cf/attachment.bin

More information about the samba mailing list