[Samba] Using ntlm_auth to authenticate to an NTLMv2 AD
Alex Sharaz
A.Sharaz at hull.ac.uk
Fri Mar 10 08:28:24 GMT 2006
While we're trying to get the tracing for this, I was wondering if there
was another solution we could implement.
Our AD team have put my linux box into its own part of the AD tree i.e.
ou=linux,dc=hull, dc=ac,dc=uk
I don't know anything about AD but was wondering if it were possible to
change the security requirements for the "linux" portion of the tree to
be NTLM. I know this works.
Would this be doable?
-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org]
Sent: 10 March 2006 06:56
To: Alex Sharaz
Cc: samba at lists.samba.org
Subject: Re: [Samba] Using ntlm_auth to authenticate to an NTLMv2 AD
On Thu, 2006-03-09 at 16:48 +0000, Alex Sharaz wrote:
> Chaps,
>
> I'm trying to get a radius server to authenticate to AD via the samba
> ntlm_auth program.
> If we turn down the AD auth to use ntlm then authentication works
> o.k.
The problem is that MSCHAPv2 is cryptographically equivalent to NTLM,
not NTLMv2 at the DC end. I suspect there is a flag we need to send to
the DC, to make it ignore its own policy here.
Any help chasing this down gratefully appreciated: Mostly I need to see
how an MS RADIUS server would achieve the same results, but with 'secure
channel: require signing' set, rather than sealing (it is a local/domain
policy). (This will allow the collection of an ethereal trace between
the RADIUS server and the DC).
Andrew Bartlett
--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Student Network Administrator, Hawker College http://hawkerc.net