[Samba] freeradius + NTLM + samba AD 4.5.x

Kacper Wirski kacper.wirski at gmail.com
Mon Mar 26 13:27:02 UTC 2018

It is an issue that I myself would also like to solve.
I found multiple threads in the samba and freeradius mailing lists. It seems 
that every couple of months there is a question like this either here or on 
the FR mailing list, and all point down to the same issue, that is: 
freeradius uses ntlm_auth (even when using winbind with newer freeradius 
versions, it also in the end uses ntlm_auth). And since mschapv2 is 
needed for eap-peap, it has to use ntlmv1.
The only solution that I read about, but have not actually tested, is in this 
old thread:

I'm not sure if it works, or if there is some other workaround. As far as I 
understand there is a special "flag" that can be sent with freeradius, 
that will force an ntlmv1-mschapv2 response from the AD DC even if ntlmv1 is 
overall disabled; that is how supposedly Microsoft solved it with their 
AD/NPS implementation.

Maybe someone here will have better advice?

Kacper Wirski
On 26.03.2018 at 14:37, Rowland Penny via samba wrote:
> On Mon, 26 Mar 2018 14:06:24 +0200
> "Dr. Peer-Joachim Koch via samba" <samba at lists.samba.org> wrote:
>> Hi,
>> we have updated our samba AD domain from 4.4.x to 4.5.x.
>> The release notes for 4.5.0 included "NTLMv1 authentication disabled
>> by default".
>> So we had to enable it to get our radius (freeradius) server working
>> (for 802.1x).
> You would probably be better off asking freeradius.
>> What would be the best way to change the freeradius configuration in
>> such a way,
>> that we can disable NTLMv1 again.
>> The radius server is used for WLAN (802.1x) and for VPN.
>> How insecure is NTLMv1?
> Have you ever heard of 'wannacry'? Or, to put it another way, 'VERY
> insecure'.
> Rowland
