[Samba] NTLM, MSCHAPv2, squid & freeradius...

Andrew Bartlett abartlet at samba.org
Thu Jan 11 02:07:13 UTC 2018

On Wed, 2018-01-10 at 17:10 +0100, Marco Gaiarin via samba wrote:
> Currently (samba 4 NT-like domains) I use NTLM auth extensively in
> freeradius and more mildly in squid, respectively with:
> Freeradius (mschap module):
>   ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=SANVITO --username=%{mschap:User-Name:-None} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
> squid3:
>   auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=SANVITO --require-membership-of="SANVITO\\domusers"
> I'm using Debian jessie, with Louis backport packages, e.g.:
>  samba: 2:4.5.12+dfsg-2~bpo8+1
>  squid3: 3.4.8-6+deb8u4
>  freeradius: 2.2.5+dfsg-0.2+deb8u1
> Two questions.
> a) Do I have to expect troubles? E.g., something changed between NT and AD
>  mode that can break all the stuff?
> b) Is there some better way to integrate an AD domain with
>  squid/freeradius?

That all looks fine.  In newer Samba versions NTLMv1 (as used in
MSCHAPv2) is disabled by default, see the ntlm auth parameter for

Andrew Bartlett
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT   
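
Added illustration, not part of Andrew Bartlett's message: the `ntlm auth` parameter he refers to is set in the `[global]` section of smb.conf on the Samba server that validates the password. The values below are taken from the smb.conf manual of later Samba releases; that your installed version accepts them is an assumption to confirm with `man smb.conf`.

```ini
[global]
    # Broad setting: NTLMv1 is accepted from any client, not only from
    # MSCHAPv2 callers such as the FreeRADIUS mschap module.
    # ntlm auth = yes

    # Narrower setting: NTLMv2 for ordinary clients, NTLMv1 only when the
    # caller declares that it is doing MSCHAPv2. With this value the
    # ntlm_auth command line used by FreeRADIUS must also carry the
    # --allow-mschapv2 option, otherwise the request is refused.
    ntlm auth = mschapv2-and-ntlmv2-only
```

`testparm -sv` prints the effective value of `ntlm auth`, which shows whether the running configuration still permits NTLMv1 more widely than the MSCHAPv2 path needs.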
