[Samba] samba 4.4.2 freeradius authentication with ntlm_auth

Louis Munro lmunro at inverse.ca
Fri Apr 15 13:17:23 UTC 2016

> On Apr 15, 2016, at 7:45 , Luca Olivetti <luca at wetron.es> wrote:
> El 15/04/16 a les 13:06, barış tombul ha escrit:
>> Hi;
>> Samba team say "It is recommended that administrators set these additional
>> options, if compatible with their network environment:"
>> ntlm auth = no
> "The problem here is that Samba doesn't have any way to set
> MSV1_0_ALLOW_MSVCHAPV2 when calling the relevant RPC. This is a trivial,
> one-bit flag."
> I don't know if this "trivial one-bit flag" made into samba or not :-(

I’ve also been reading the same posts since Tuesday, trying to figure out what is the actual exposure when running a (patched) AD and (patched) winbind.

It seems to come down to one question.

Assuming ntlm_auth sending NTLMv1 and that someone was able to intercept traffic between winbindd and Active-Directory, how secure is the encryption?
Are we only relying on the hashing of the password? 
Or is there a more secure type of encryption between winbind and Active-Directory which prevents collecting traffic and then getting the passwords out using something like a rainbow table, as the badlock website seems to imply?

Does anyone know the answer to that one? 

Louis Munro

More information about the samba mailing list