[Samba] samba 4.4.2 freeradius authentication with ntlm_auth

Andrew Bartlett abartlet at samba.org
Fri Apr 15 19:06:43 UTC 2016

On Fri, 2016-04-15 at 14:06 +0300, barış tombul wrote:
> Hi;
> The Samba team says "It is recommended that administrators set these
> additional options, if compatible with their network environment:"
> ntlm auth = no
> I use samba with FreeRadius.
> I configured "ntlm auth = no", but FreeRadius users are not connected to
> wifi.
> I use ntlm_auth on the FreeRadius side.

Yes, this really, really sucks.  MSCHAPv2 is NTLM, not NTLMv2 based.
This is despite NTLMv2 being around when they 'designed' this
mechanism.  Sadly no attempt has been made to somehow get an MSCHAPv3
in that uses NTLMv2.

On Windows, setting a special flag allows this horribly insecure
mechanism to work on networks that otherwise only allow NTLMv2.  Samba
does not honour that flag, but I guess I'm going to need to add a
'ntlm_auth = only_for_mschapv2' setting.

In short, MSCHAPv2 protects the network perimeter, yet has worse
security than you would dare to use even on a well-trusted network.

I realise it is often over TLS, but as with another of our CVEs, we
know few clients check certificates, so this isn't any help.

I've been in presentations where they said they could crack it in 24
hours and $100 of cloud-compute time!

I don't know of a good solution here.

Andrew Bartlett

Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
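
The point above about MSCHAPv2 being NTLM rather than NTLMv2 based, as an added Go illustration (not code from the thread, Samba or FreeRADIUS): the NT-Response defined in RFC 2759 is the NTLMv1 DES construction over the NT hash, which is why it falls under "ntlm auth = no". Assumptions: the 16-byte NT hash is taken as an opaque input rather than computed (MD4 is not in Go's standard library), and all check values are constructed.

```go
package main

import (
	"bytes"
	"crypto/des"
	"crypto/sha1"
	"encoding/binary"
)

// challengeHash is RFC 2759 ChallengeHash(): the 8 bytes DES actually encrypts.
func challengeHash(peer, auth [16]byte, username string) (out [8]byte) {
	sum := sha1.Sum(append(append(append([]byte{}, peer[:]...), auth[:]...), username...))
	copy(out[:], sum[:8])
	return out
}

// expandDESKey spreads 56 key bits over 8 bytes, 7 bits each, low (parity) bit clear.
func expandDESKey(k7 []byte) []byte {
	v := binary.BigEndian.Uint64(append([]byte{0}, k7...)) // 7 bytes as one integer
	k8 := make([]byte, 8)
	for i := range k8 {
		k8[i] = byte(v>>(49-7*i)&0x7F) << 1
	}
	return k8
}

// ntResponse is RFC 2759 ChallengeResponse(), i.e. the NTLMv1 response construction:
// the 16-byte NT hash (MD4 of the UTF-16LE password; an opaque input here) is
// zero-padded to 21 bytes and split into three DES keys that each encrypt the same
// challenge. FreeRADIUS hands this to ntlm_auth to verify; "ntlm auth = no" refuses it.
func ntResponse(challenge [8]byte, ntHash [16]byte) [24]byte {
	var resp [24]byte
	padded := make([]byte, 21) // bytes 16..20 are always zero
	copy(padded, ntHash[:])
	for i := 0; i < 3; i++ {
		c, _ := des.NewCipher(expandDESKey(padded[7*i : 7*i+7])) // 8-byte key: no error possible
		c.Encrypt(resp[8*i:8*i+8], challenge[:])
	}
	return resp
}

// thirdBlockIgnoresFirst14HashBytes: K3 is hash[14:16] plus five zero bytes, so
// flipping the first 14 hash bytes leaves the last 8 response bytes unchanged.
func thirdBlockIgnoresFirst14HashBytes(ch [8]byte, ntHash [16]byte) bool {
	alt := ntHash
	for i := 0; i < 14; i++ {
		alt[i] ^= 0xFF
	}
	r1, r2 := ntResponse(ch, ntHash), ntResponse(ch, alt)
	return bytes.Equal(r1[16:], r2[16:])
}
```

RFC 2759 also publishes test vectors for ChallengeHash and NT-Response that this code can be checked against.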
