[Samba] [EXTERNAL] Re: Can ntlm_auth version 3.5.10 be used to perform ntlmv2 authentication against a w2008 DC?

Glenn Machin gmachin at sandia.gov
Mon Mar 5 10:54:13 MST 2012



So what is the flag that should be set?  From librpc/gen_ndr/netlogon.h 
I see MSV1_0_ALLOW_MSVCHAPV2.  Is that the flag that needs to be set?   
I can't seem to find any documentation on that particular flag.


Glen



On 3/3/12 12:04 AM, Andrew Bartlett wrote:
> On Fri, 2012-03-02 at 15:08 +0100, NdK wrote:
>> On 01/03/2012 22:09, Glenn Machin wrote:
>>
>>> I am using freeradius2 which then calls ntlm_auth passing the
>>> nt-response and challenge generated as part of the peap mschapv2
>>> exchange.   However it does not seem to want to work.  The version of
>>> samba I am using is samba3x-3.5.10.
>> I've recently set up a Squeeze box with FR and samba. Have had to use
>> "backports" repo since 3.5.6 didn't work and (IIRC) even 3.5.10 gave
>> troubles. Upgrading to 3.5.11 solved.
> The big issue here is that MSCHAPv2 is not NTLMv2.  It is only a little
> more secure than NTLM.  There is a flag in logon_parameters that the
> domain member can set (and which Samba should set) that indicates that
> this particular authentication should be regarded as NTLMv2 however.  We
> need to confirm it should be set in this situation.  (This is the same
> logon_parameters that carries the 'allow machine account authentication'
> flag).
>
> I dislike the 'lie', but I'm very happy to review such a patch, I just
> keep forgetting to add the handling for this myself.
>
> Andrew Bartlett
>



