[Samba] Using ntlm_auth to authneticate to an NTLMv2 AD

Alex Sharaz A.Sharaz at hull.ac.uk
Fri Mar 10 08:28:24 GMT 2006

While we're trying to get the tracing for this, I was wondering if there
was another solution we could implement. 

Our AD team have put my linux box into its own part of the AD tree i.e.
ou=linux,dc=hull, dc=ac,dc=uk

I don't know anything about AD but was wondering if it were possible to
change the security requirements for the "linux" portion of the tree to
be NTLM. I know this works

Would this be doable?

-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org] 
Sent: 10 March 2006 06:56
To: Alex Sharaz
Cc: samba at lists.samba.org
Subject: Re: [Samba] Using ntlm_auth to authneticate to an NTLMv2 AD

On Thu, 2006-03-09 at 16:48 +0000, Alex Sharaz wrote:
> Chaps,
> I'm trying to get a radius server to authenticate to AD via the samba
> ntlm_auth program.

>  If we turn down the AD auth to use ntlm then authentication works

The problem is that MSCHAPv2 is cryptographically equivalent to NTLM,
not NTLMv2 at the DC end.  I suspect there is a flag we need to send to
the DC, to make it ignore it's own policy here.

Any help chasing this down gratefully appreciated:  Mostly I need to see
how an MS RADIUS server would achieve the same results, but with 'secure
channel: require signing' set, rather than sealing (it is a local/domain
policy).  (This will allow the collection of an ethereal trace between
the RADIUS server and the DC).

Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net

More information about the samba mailing list