[Samba] Can ntlm_auth version 3.5.10 be used to perform ntlmv2 authentication against a w2008 DC?

Andrew Bartlett abartlet at samba.org
Sat Mar 3 00:04:47 MST 2012


On Fri, 2012-03-02 at 15:08 +0100, NdK wrote:
> On 01/03/2012 22:09, Glenn Machin wrote:
> 
> > I am using freeradius2 which then calls ntlm_auth passing the
> > nt-response and challenge generated as part of the peap mschapv2
> > exchange.   However it does not seem to want to work.  The version of
> > samba I am using is samba3x-3.5.10.
> I've recently set up a Squeeze box with FR and samba. Have had to use
> "backports" repo since 3.5.6 didn't work and (IIRC) even 3.5.10 gave
> troubles. Upgrading to 3.5.11 solved.

The big issue here is that MSCHAPv2 is not NTLMv2.  It is only a little
more secure than NTLM.  There is a flag in logon_parameters that the
domain member can set (and which Samba should set) that indicates that
this particular authentication should be regarded as NTLMv2 however.  We
need to confirm it should be set in this situation.  (This is the same
logon_parameters that carries the 'allow machine account authentication'
flag).  

I dislike the 'lie', but I'm very happy to review such a patch, I just
keep forgetting to add the handling for this myself. 

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org



