[Samba] Can ntlm_auth version 3.5.10 be used to perform ntlmv2 authentication against a w2008 DC?
Andrew Bartlett
abartlet at samba.org
Sat Mar 3 20:32:17 MST 2012
On Sat, 2012-03-03 at 12:16 +0100, NdK wrote:
> On 03/03/2012 08:04, Andrew Bartlett wrote:
>
> >> I've recently setup a Squeeze box with FR and samba. Have had to use
> >> "backports" repo since 3.5.6 didn't work and (IIRC) even 3.5.10 gave
> >> troubles. Upgrading to 3.5.11 solved.
> > The big issue here is that MSCHAPv2 is not NTLMv2. It is only a little
> > more secure than NTLM. There is a flag in logon_parameters that the
> FR runs ntlm_auth to obtain NT key. So, IIUC, it should do an NTLMv2
> auth in the last step. Am I wrong?
MSCHAPv2 is a derivation of NTLM, not NTLMv2. FreeRADIUS sends the
(effective) challenge (based on client and server chosen values, and
salt), and the NT response. ntlm_auth returns the user session key to
allow FreeRADIUS's client (the VPN endpoint etc) to encrypt the
session.
There is no way to 'upgrade' that to NTLMv2, as NTLMv2 is a different
cryptosystem on input and output.
What you can however do is set a flag telling the DC 'pretend this was
NTLMv2 for the purposes of the NTLMv2 only rule'. We need to work out
if this is the right thing to do.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
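To make concrete what the MSCHAPv2 path actually asks ntlm_auth to verify, here is the RFC 2759 challenge derivation and NT-Response in Go, checked against the RFC's own section 9.2 test vector. This is an added illustration, not code from the thread, Samba or FreeRADIUS; the function names are mine.

```go
package main

import (
	"bytes"
	"crypto/des"
	"crypto/sha1"
	"encoding/hex"
	"fmt"
)

// mschapv2Challenge: SHA1(PeerChallenge || AuthenticatorChallenge || UserName)[:8] (RFC 2759 8.2).
func mschapv2Challenge(peer, auth []byte, user string) []byte {
	sum := sha1.Sum(bytes.Join([][]byte{peer, auth, []byte(user)}, nil))
	return sum[:8]
}

// desKey spreads 7 key bytes over 8; parity-bit positions stay clear (DES ignores them).
func desKey(k []byte) []byte {
	key := make([]byte, 8)
	key[0] = k[0]
	for i := 1; i < 7; i++ {
		key[i] = k[i-1]<<(8-i) | k[i]>>i
	}
	key[7] = k[6] << 1
	return key
}

// ntResponse: the plain NTLM response that MSCHAPv2 reuses, i.e. the challenge DES-encrypted
// under each 7-byte third of the 21-byte padded NT hash (RFC 2759 8.5). No HMAC, no client blob.
func ntResponse(challenge, ntHash []byte) []byte {
	padded := make([]byte, 21)
	copy(padded, ntHash)
	var out []byte
	for i := 0; i < 3; i++ {
		c, _ := des.NewCipher(desKey(padded[7*i : 7*i+7]))
		block := make([]byte, 8)
		c.Encrypt(block, challenge)
		out = append(out, block...)
	}
	return out
}

func main() {
	// RFC 2759 section 9.2 test vector: user "User", password "clientPass".
	auth, _ := hex.DecodeString("5B5D7C7D7B3F2F3E3C2C602132262628")
	peer, _ := hex.DecodeString("21402324255E262A28295F2B3A337C7E")
	ntHash, _ := hex.DecodeString("44EBBA8D5312B8D611474411F56989AE")
	chal := mschapv2Challenge(peer, auth, "User")
	fmt.Printf("challenge   %X\nNT response %X\n", chal, ntResponse(chal, ntHash))
}
```

The challenge is salted only by the username, and the response is three DES encryptions keyed from the NT hash; that fixed input and output shape is why the DC cannot treat it as an NTLMv2 (HMAC-MD5 over server challenge plus client blob) exchange, only be told to count it as one.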