[Samba] NTLM, MSCHAPv2, squid & freeradius...

Andrew Bartlett abartlet at samba.org
Thu Jan 11 02:07:13 UTC 2018


On Wed, 2018-01-10 at 17:10 +0100, Marco Gaiarin via samba wrote:
> Currently (Samba 4 NT-like domains) I use NTLM auth extensively in
> freeradius and more mildly in squid, respectively with:
> 
> Freeradius (mschap module):
>   ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=SANVITO --username=%{mschap:User-Name:-None} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
> 
> squid3:
>   auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=SANVITO --require-membership-of="SANVITO\\domusers"
> 
> 
> I'm using Debian jessie, with Louis backport packages, e.g.:
>  samba: 2:4.5.12+dfsg-2~bpo8+1
>  squid3: 3.4.8-6+deb8u4
>  freeradius: 2.2.5+dfsg-0.2+deb8u1
> 
> 
> Two questions.
> 
> a) Do I have to expect troubles? E.g., has something changed between NT and AD
>  mode that can break all the stuff?
> 
> b) Is there some better way to integrate an AD domain with
>  squid/freeradius?

That all looks fine.  In newer Samba versions NTLMv1 (as used in
MSCHAPv2) is disabled by default, see the ntlm auth parameter for
details. 

Andrew Bartlett

-- 
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT   https://catalyst.net.nz/services/samba
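
The following is an added example, not part of the original messages and not Samba project code: a small check of how the `ntlm auth` setting mentioned in the reply interacts with an `ntlm_auth` MSCHAPv2 helper line like the freeradius one quoted above. The value names and the `--allow-mschapv2` flag are taken from the smb.conf(5) and ntlm_auth(1) manual pages of newer Samba releases, the default is assumed to be `ntlmv2-only`, the function names are hypothetical, and the smb.conf text is assumed to be that of the server validating the password.

```python
import shlex

def ntlm_auth_setting(smb_conf_text):
    """Return the [global] 'ntlm auth' value from smb.conf text."""
    section, value = None, "ntlmv2-only"  # assumed default: NTLMv1 disabled
    for raw in smb_conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, val = line.split("=", 1)
            # Samba ignores case and whitespace in parameter names.
            if "".join(key.split()).lower() == "ntlmauth":
                value = val.strip().lower()
    return value

def mschapv2_verdict(smb_conf_text, helper_cmdline):
    """Say whether an ntlm_auth MSCHAPv2 check can succeed under this smb.conf."""
    setting = ntlm_auth_setting(smb_conf_text)
    flag = "--allow-mschapv2" in shlex.split(helper_cmdline)
    if setting in ("ntlmv1-permitted", "yes"):
        return "works, but NTLMv1 is accepted from every client"
    if setting == "mschapv2-and-ntlmv2-only":
        return "works" if flag else "fails: add --allow-mschapv2 to ntlm_auth"
    if setting in ("ntlmv2-only", "no"):
        return "fails: NTLMv1 (and so MSCHAPv2) is refused"
    if setting == "disabled":
        return "fails: all NTLM is refused"
    return "unknown 'ntlm auth' value: " + setting

# Constructed sample inputs (not the thread's real configuration files).
SMB_DEFAULT = "[global]\n    workgroup = SANVITO\n"
SMB_MSCHAP = "[global]\n    workgroup = SANVITO\n    ntlm auth = mschapv2-and-ntlmv2-only\n"
SMB_WEAK = "[global]\n    NTLM Auth = ntlmv1-permitted\n"
HELPER = ("/usr/bin/ntlm_auth --request-nt-key --domain=SANVITO "
          "--username=%{mschap:User-Name:-None} --challenge=%{mschap:Challenge:-00} "
          "--nt-response=%{mschap:NT-Response:-00}")

if __name__ == "__main__":
    for name, conf in (("default", SMB_DEFAULT), ("mschapv2", SMB_MSCHAP), ("weak", SMB_WEAK)):
        print(name, "->", mschapv2_verdict(conf, HELPER))
    print("mschapv2 + flag ->", mschapv2_verdict(SMB_MSCHAP, HELPER + " --allow-mschapv2"))
```
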
