[Samba] ntlm_auth to AD with only ntlmv2 enabled failing

Andrew Bartlett abartlet at samba.org
Fri Apr 27 07:20:05 GMT 2007

On Thu, 2007-04-26 at 15:51 -0500, Mary Stevens wrote:
> Hello,
> We have samba 3.0.23 installed. We are using free radius to take
> authentication requests from a nortel vpn server and using ntlm_auth
> trying to authenticate users against AD.
> This setup works fine when on the AD side ntlmv1 and ntlmv2 are enabled.
> (IE. Users can authenticate).
> However, when only ntlmv2 is enabled users are unable to authenticate.
> I have searched various places and while I have seen a couple of other
> questions about getting this to work, I haven't found any answers.

The problem is, MSCHAPv2 *is* ntlm1, so everything is working exactly as
expected.  Microsoft clearly has a workaround, allowing the member
server to say 'pretend this is NTLMv2, even if it is not', to allow
RADIUS to work.  

I need to see clear (ie, disable schannel protection) traces of this
traffic (and comparisons with NTLMv1 requests) to determine the flag in
use, so that we can reproduce the behaviour. 

Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.                  http://redhat.com

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/samba/attachments/20070427/b44ccbf2/attachment.bin

More information about the samba mailing list