[Samba] samba 4.4.2 freeradius authentication with ntlm_auth
lmunro at inverse.ca
Fri Apr 15 21:48:22 UTC 2016
> On Apr 15, 2016, at 15:06 , Andrew Bartlett <abartlet at samba.org> wrote:
> Yes, this really, really sucks. MSCHAPv2 is NTLM, not NTLMv2 based.
> This is despite NTLMv2 being around when they 'designed' this
> mechanism. Sadly no attempt has been made to somehow get an MSCHAPv3
> in that uses NTLMv2.
> On Windows, setting a special flag allows this horrible insecure
> mechanism to work on networks that otherwise only allow NTLMv2. Samba
> does not honour that flag, but I guess I'm going to need to add a
> 'ntlm_auth = only_for_mschapv2' setting.
> In short, MSCHAPv2 protects the network perimeter, yet has worse
> security then you would dare to use even on a well-trusted network.
> I realise it is often over TLS, but as with another of our CVEs, we
> know few clients check certificates, so this isn't any help.
> I've been in presentations where they said they could crack it in 24
> hours and $100 of could-compute time!
> I don't know of a good solution here.
Just to make sure I understand this thoroughly and that there is no ambiguity:
I knew that MSCHAPv2 is easily broken these days.
I also realize that in the case of FreeRADIUS the MSCHAPv2 authentication terminates at the the radius server, inside a TLS tunnel.
The question for me then is how secure is the ntlmv1 going from FreeRADIUS (via winbind) to the Active Directory server?
I am a bit afraid of the answer to be honest.
Should we start investing in IPsec for that part of the authentication?
Thank you for your help,
More information about the samba