[Samba] samba 4.4.2 freeradius authentication with ntlm_auth

Andrew Bartlett abartlet at samba.org
Fri Apr 15 22:11:25 UTC 2016

On Fri, 2016-04-15 at 17:48 -0400, Louis Munro wrote:
> > On Apr 15, 2016, at 15:06 , Andrew Bartlett <abartlet at samba.org>
> > wrote:
> > 
> > 
> > Yes, this really, really sucks.  MSCHAPv2 is NTLM, not NTLMv2
> > based.  This is despite NTLMv2 being around when they 'designed'
> > this mechanism.  Sadly no attempt has been made to somehow get an
> > MSCHAPv3 in that uses NTLMv2.
> > 
> > On Windows, setting a special flag allows this horribly insecure
> > mechanism to work on networks that otherwise only allow NTLMv2.
> > Samba does not honour that flag, but I guess I'm going to need to
> > add a 'ntlm_auth = only_for_mschapv2' setting.
> > 
> > In short, MSCHAPv2 protects the network perimeter, yet has worse
> > security than you would dare to use even on a well-trusted network.
> > 
> > I realise it is often over TLS, but as with another of our CVEs, we
> > know few clients check certificates, so this isn't any help.
> > 
> > I've been in presentations where they said they could crack it in
> > 24 hours and $100 of cloud-compute time!
> > 
> > I don't know of a good solution here.
> > 
> Hi Andrew,
> Just to make sure I understand this thoroughly and that there is no
> ambiguity:
> I knew that MSCHAPv2 is easily broken these days. 
> I also realize that in the case of FreeRADIUS the MSCHAPv2
> authentication terminates at the radius server, inside a TLS
> tunnel.

Yes.  The presentations I attended at kiwicon last year cast doubt on
the security of that from an active attacker (trivial for Wifi), but
yes, for passive monitoring it should be OK.

> The question for me then is how secure is the ntlmv1 going from
> FreeRADIUS (via winbind) to the Active Directory server?
> I am a bit afraid of the answer to be honest.

That is well protected in a modern winbindd.  We require schannel to
encrypt this communication over the NETLOGON pipe.

> Should we start investing in IPsec for that part of the
> authentication?

There is no need for that specific element.

I hope this clarifies things,

Andrew Bartlett

Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
