[Samba] ntlm_auth to AD with only ntlmv2 enabled failing
Andrew Bartlett
abartlet at samba.org
Fri Apr 27 07:20:05 GMT 2007
On Thu, 2007-04-26 at 15:51 -0500, Mary Stevens wrote:
> Hello,
>
> We have Samba 3.0.23 installed. We are using FreeRADIUS to take
> authentication requests from a Nortel VPN server and using ntlm_auth
> trying to authenticate users against AD.
>
> This setup works fine when on the AD side ntlmv1 and ntlmv2 are enabled.
> (i.e. users can authenticate).
>
> However, when only ntlmv2 is enabled users are unable to authenticate.
> I have searched various places and while I have seen a couple of other
> questions about getting this to work, I haven't found any answers.

The problem is, MSCHAPv2 *is* ntlm1, so everything is working exactly as
expected. Microsoft clearly has a workaround, allowing the member
server to say 'pretend this is NTLMv2, even if it is not', to allow
RADIUS to work.

I need to see clear (i.e., disable schannel protection) traces of this
traffic (and comparisons with NTLMv1 requests) to determine the flag in
use, so that we can reproduce the behaviour.

Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc. http://redhat.com
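
An added example (not part of the original message, and not Samba or FreeRADIUS code) showing why an MS-CHAPv2 request reaches the domain controller in NTLMv1 form: the RADIUS side reduces the two 16-byte challenges to the 8-byte ChallengeHash of RFC 2759 and passes it to ntlm_auth with the 24-byte NT-Response. The function names are hypothetical, the byte values are the RFC 2759 section 9.2 test vector, and the DOMAIN\user input convention is an assumption.

```python
import hashlib

# RFC 2759 section 9.2 test vector (UserName "User").
AUTH_CHALLENGE = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")
PEER_CHALLENGE = bytes.fromhex("21402324255E262A28295F2B3A337C7E")
NT_RESPONSE = bytes.fromhex("82309ECD8D708B5EA08FAA3981CD83544233114A3D85D6DF")
# MS-CHAP2-Response value (RFC 2548): Ident, Flags, Peer-Challenge, Reserved, Response.
SAMPLE_ATTR = bytes([1, 0]) + PEER_CHALLENGE + bytes(8) + NT_RESPONSE

def split_user(name: str):
    """Split 'DOMAIN\\user' into (domain, user); domain is '' when absent."""
    domain, _, user = name.rpartition("\\")
    return domain, user

def challenge_hash(peer: bytes, auth: bytes, username: str) -> bytes:
    """RFC 2759 ChallengeHash(): first 8 bytes of SHA1(peer || auth || user).
    Only the bare user name is hashed, without any domain prefix."""
    if len(peer) != 16 or len(auth) != 16:
        raise ValueError("MS-CHAPv2 challenges must be 16 bytes each")
    user = split_user(username)[1].encode("ascii")
    return hashlib.sha1(peer + auth + user).digest()[:8]

def parse_mschap2_response(value: bytes):
    """Return (peer_challenge, nt_response) from an MS-CHAP2-Response value."""
    if len(value) != 50:
        raise ValueError("MS-CHAP2-Response value must be 50 bytes")
    return value[2:18], value[26:50]

def ntlm_auth_args(username: str, auth_challenge: bytes, attr: bytes):
    """Build the ntlm_auth argument list for one MS-CHAPv2 request."""
    peer, nt_response = parse_mschap2_response(attr)
    chal = challenge_hash(peer, auth_challenge, username)
    domain, user = split_user(username)
    args = ["ntlm_auth", "--request-nt-key", "--username=" + user]
    if domain:
        args.append("--domain=" + domain)
    # An 8-byte challenge plus a 24-byte response is the NTLMv1 layout,
    # which is what the DC sees regardless of the MS-CHAPv2 wrapper.
    args.append("--challenge=" + chal.hex())
    args.append("--nt-response=" + nt_response.hex())
    return args

if __name__ == "__main__":
    print(" ".join(ntlm_auth_args("User", AUTH_CHALLENGE, SAMPLE_ATTR)))
```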