[Samba] samba 4.4.2 freeradius authentication with ntlm_auth

Louis Munro lmunro at inverse.ca
Fri Apr 15 21:48:22 UTC 2016

> On Apr 15, 2016, at 15:06 , Andrew Bartlett <abartlet at samba.org> wrote:
> Yes, this really, really sucks.  MSCHAPv2 is NTLM, not NTLMv2 based. 
> This is despite NTLMv2 being around when they 'designed' this
> mechanism.  Sadly no attempt has been made to somehow get an MSCHAPv3
> in that uses NTLMv2.
> On Windows, setting a special flag allows this horrible insecure
> mechanism to work on networks that otherwise only allow NTLMv2.  Samba
> does not honour that flag, but I guess I'm going to need to add a
> 'ntlm_auth = only_for_mschapv2' setting.
> In short, MSCHAPv2 protects the network perimeter, yet has worse
> security than you would dare to use even on a well-trusted network.
> I realise it is often over TLS, but as with another of our CVEs, we
> know few clients check certificates, so this isn't any help.
> I've been in presentations where they said they could crack it in 24
> hours and $100 of cloud-compute time!
> I don't know of a good solution here.

Hi Andrew,

Just to make sure I understand this thoroughly and that there is no ambiguity:

I knew that MSCHAPv2 is easily broken these days. 
I also realize that in the case of FreeRADIUS the MSCHAPv2 authentication terminates at the radius server, inside a TLS tunnel.

The question for me then is how secure is the ntlmv1 going from FreeRADIUS (via winbind) to the Active Directory server?
I am a bit afraid of the answer to be honest.

Should we start investing in IPsec for that part of the authentication?

Thank you for your help,
Louis Munro
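The reason Andrew calls MSCHAPv2 "NTLM, not NTLMv2 based" is visible in how the NT-Response is keyed. The following is an added example, not code from this thread, from Samba or from FreeRADIUS; it follows the key-handling steps of RFC 2759 section 8 (ChallengeResponse and DesEncrypt) but deliberately stops short of the DES encryption itself, because the key derivation alone is what bounds the cost of the offline attack Andrew describes. The NT hash used at the bottom is a constructed value, not a real credential.

```python
"""Added example: how an MS-CHAPv2 NT-Response is keyed (RFC 2759, section 8)
and what that keying does to the search space. Not from the mailing-list
thread, Samba or FreeRADIUS. The DES step itself is omitted on purpose."""

from typing import List

NT_HASH_LEN = 16           # NtPasswordHash() output (MD4 of UTF-16LE password)
DES_KEY_LEN = 7            # 56-bit DES key before parity expansion
PADDED_LEN = 21            # 16-byte hash zero-padded to 3 * 7 bytes


def split_nt_hash_into_des_keys(nt_hash: bytes) -> List[bytes]:
    """RFC 2759 ChallengeResponse(): zero-pad the 16-byte NT hash to 21 bytes
    and cut it into three 7-byte DES keys. Each key encrypts the same 8-byte
    challenge hash, and the three 8-byte ciphertexts are concatenated to form
    the 24-byte NT-Response. This is exactly the NTLMv1 construction."""
    if len(nt_hash) != NT_HASH_LEN:
        raise ValueError("NT hash must be 16 bytes")
    padded = nt_hash + b"\x00" * (PADDED_LEN - NT_HASH_LEN)
    return [padded[i:i + DES_KEY_LEN] for i in range(0, PADDED_LEN, DES_KEY_LEN)]


def expand_des_key(key7: bytes) -> bytes:
    """RFC 2759 DesEncrypt() key setup: spread the 56 key bits over 8 bytes,
    seven bits per byte, and set the low bit of each byte to give odd parity."""
    if len(key7) != DES_KEY_LEN:
        raise ValueError("DES key material must be 7 bytes")
    bits = int.from_bytes(key7, "big")
    out = bytearray()
    for i in range(8):
        chunk = (bits >> (49 - 7 * i)) & 0x7F   # next 7 key bits, MSB first
        byte = chunk << 1
        if bin(chunk).count("1") % 2 == 0:      # even number of ones -> add parity bit
            byte |= 1
        out.append(byte)
    return bytes(out)


def hash_bits_per_des_key() -> List[int]:
    """How many bits of each DES key actually come from the NT hash.
    Positions beyond the 16 hash bytes are fixed zero padding and carry no
    secret; they are known to anyone who reads the RFC."""
    result = []
    for key_index in range(PADDED_LEN // DES_KEY_LEN):
        start = key_index * DES_KEY_LEN
        hash_bytes = max(0, min(DES_KEY_LEN, NT_HASH_LEN - start))
        result.append(8 * hash_bytes)
    return result


def offline_search_work() -> int:
    """Upper bound on DES trial encryptions needed to recover the full NT hash
    from one captured challenge/response pair. The three keys are independent
    (same plaintext, separately observable ciphertext blocks), so the cost is
    a sum, not a product: 2^56 + 2^56 + 2^16, i.e. single-DES strength, and
    the recovered NT hash is reusable against NTLM directly."""
    return sum(2 ** bits for bits in hash_bits_per_des_key())


if __name__ == "__main__":
    # Constructed sample NT hash (not derived from any real password).
    sample_nt_hash = bytes(range(0x10, 0x20))
    keys = split_nt_hash_into_des_keys(sample_nt_hash)
    for n, k in enumerate(keys, 1):
        print(f"DES key {n}: material={k.hex()} expanded={expand_des_key(k).hex()}")
    print("secret bits per key:", hash_bits_per_des_key())
    print("worst-case DES trials:", offline_search_work())
```

The third DES key holds only two bytes of the hash, so an attacker who captures the EAP-MSCHAPv2 exchange (for example because a supplicant does not verify the RADIUS server's TLS certificate, as Andrew notes) faces a single-DES search rather than anything tied to password length. That is also why the NT-Response forwarded to the domain controller through ntlm_auth and winbind is, from the DC's point of view, an ordinary NTLMv1 authentication.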
