[Samba] samba 4.4.2 freeradius authentication with ntlm_auth
abartlet at samba.org
Fri Apr 15 19:06:43 UTC 2016
On Fri, 2016-04-15 at 14:06 +0300, barış tombul wrote:
> Samba team say "It is recommended that administrators set these
> options, if compatible with their network environment:"
> ntlm auth = no
> I use samba with FreeRadius.
> I configured "ntlm_ auth = no" but freeradius users are not connected to
> I use ntlm_auth on the FreeRadius side.
Yes, this really, really sucks. MSCHAPv2 is NTLM, not NTLMv2 based.
This is despite NTLMv2 being around when they 'designed' this
mechanism. Sadly no attempt has been made to somehow get an MSCHAPv3
in that uses NTLMv2.
On Windows, setting a special flag allows this horrible insecure
mechanism to work on networks that otherwise only allow NTLMv2. Samba
does not honour that flag, but I guess I'm going to need to add a
'ntlm_auth = only_for_mschapv2' setting.
In short, MSCHAPv2 protects the network perimeter, yet has worse
security than you would dare to use even on a well-trusted network.
I realise it is often over TLS, but as with another of our CVEs, we
know few clients check certificates, so this isn't any help.
I've been in presentations where they said they could crack it in 24
hours and $100 of cloud-compute time!
I don't know of a good solution here.
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
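As an added example (not part of the thread and not Samba or FreeRADIUS code), the script below audits the conflict the post describes: it reads the effective "ntlm auth" value from an smb.conf and reports whether FreeRADIUS's mschap module, which shells out to "ntlm_auth --request-nt-key", will still be able to authenticate MSCHAPv2 users. The file paths are assumptions, and the sample smb.conf content is constructed. The value "mschapv2-and-ntlmv2-only" is the "only for MSCHAPv2" mode that later Samba releases added (it does not exist in 4.4.2, the version in the thread), included so the check stays useful on newer servers.

```shell
#!/bin/sh
# Added example: does this smb.conf still let FreeRADIUS authenticate MSCHAPv2
# through "ntlm_auth --request-nt-key ..."?  (Example code, not Samba's own.)

# Print the last "ntlm auth" value set in [global] (lower-cased), or "unset".
# Parameter names are matched case-insensitively with whitespace removed,
# as Samba itself does; comment lines (# or ;) are skipped.
ntlm_auth_setting() {
    awk -F '=' '
        /^[[:space:]]*[#;]/ { next }
        /^[[:space:]]*\[/ {
            in_global = (tolower($0) ~ /^[[:space:]]*\[global\][[:space:]]*$/)
            next
        }
        in_global {
            key = tolower($1); gsub(/[[:space:]]/, "", key)
            if (key == "ntlmauth") {
                val = $2; gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
                setting = tolower(val)
            }
        }
        END { print (setting == "" ? "unset" : setting) }
    ' "$1"
}

# Classify the setting from the RADIUS server's point of view.
#   allowed       : NTLMv1 accepted everywhere, MSCHAPv2 works (weak domain-wide)
#   mschapv2-only : NTLMv1 refused except for the MSCHAPv2 path (newer Samba)
#   refused       : ntlm_auth --request-nt-key fails, VPN/Wi-Fi logins break
#   unset         : outcome depends on the running Samba version's default
mschapv2_via_ntlm_auth() {
    case "$(ntlm_auth_setting "$1")" in
        yes|ntlmv1-permitted)        echo "allowed" ;;
        mschapv2-and-ntlmv2-only)    echo "mschapv2-only" ;;
        no|ntlmv2-only|disabled)     echo "refused" ;;
        unset)                       echo "unset" ;;
        *)                           echo "unknown" ;;
    esac
}

# Stand-alone demo on a constructed smb.conf (the "[homes]" line shows that
# only the [global] section is consulted).
demo() {
    tmp=$(mktemp)
    printf '[global]\n   workgroup = EXAMPLE\n   ntlm auth = no\n[homes]\n   ntlm auth = yes\n' > "$tmp"
    printf 'ntlm auth = %s -> MSCHAPv2 via ntlm_auth: %s\n' \
        "$(ntlm_auth_setting "$tmp")" "$(mschapv2_via_ntlm_auth "$tmp")"
    rm -f "$tmp"
}
demo
```

Run it against a real file with `mschapv2_via_ntlm_auth /etc/samba/smb.conf`; a "refused" result on a box whose FreeRADIUS mschap module points at ntlm_auth is exactly the failure the thread reports.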