[Samba] [EXTERNAL] Re: Can ntlm_auth version 3.5.10 be used to perform ntlmv2 authentication against a w2008 DC?
Glenn Machin
gmachin at sandia.gov
Tue Mar 6 19:52:35 MST 2012
Well, I cannot provide proof that the Microsoft RADIUS server is setting
the bit. However, setting the MSV1_0_ALLOW_MSVCHAPV2 bit in the
request.data.auth_crap.logon_parameters of the
contact_winbind_auth_crap() function fixes the issue with ntlm_auth not
being able to authenticate mschapv2 to a W2008 DC where the
LMCompatibility level is set to 5 => "Clients use only NTLMv2
authentication, and they use NTLMv2 session security if the server
supports it. Domain controller refuses LM and NTLM authentication
responses, but it accepts NTLMv2".
ntlm_auth.c:
    request.data.auth_crap.logon_parameters =
        MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT |
        MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT |
        MSV1_0_ALLOW_MSVCHAPV2;
Glenn
On 3/5/12 1:19 PM, Andrew Bartlett wrote:
> On Mon, 2012-03-05 at 10:54 -0700, Glenn Machin wrote:
>> So what is the flag that should be set? From librpc/gen_ndr/netlogon.h
>> I see MSV1_0_ALLOW_MSVCHAPV2. Is that the flag that needs to be set?
>> I can't seem to find any documentation on that particular flag.
> http://msdn.microsoft.com/en-us/library/cc237070%28v=prot.13%29.aspx is
> the only clue I have.
>
> It would be great if we could see some proof that this is set by
> Microsoft's RADIUS server in the same situation, just to be sure we
> understand it. Or we can ask Microsoft.
>
> Andrew Bartlett