[Samba] freeradius + NTLM + samba AD 4.5.x

Kacper Wirski kacper.wirski at gmail.com
Mon Mar 26 13:31:46 UTC 2018

Also I just facepalmed, as I double checked smb.conf right after sending 
mail, and in samba 4.7 there are new options available for "ntlm auth", 
as stated in docs:

"mschapv2-and-ntlmv2-only" - Only allow NTLMv1 when the client promises 
that it is providing MSCHAPv2 authentication (such as the "ntlm_auth" tool).

So that is, I suppose, that special "flag" that is used by Microsoft 
NPS/AD. I t h i n k I tested it before, but couldn't get it to work and 
had to go back to "ntlmv1-permitted".

I'll test it out later today and give some feedback if needed.


Kacper Wirski

W dniu 26.03.2018 o 14:37, Rowland Penny via samba pisze:
> On Mon, 26 Mar 2018 14:06:24 +0200
> "Dr. Peer-Joachim Koch via samba" <samba at lists.samba.org> wrote:
>> Hi,
>> we have updated our samba AD domain from 4.4.x to 4.5.x.
>> The release notes for 4.5.0 included  "NTLMv1 authentication disabled
>> by default".
>> So we had to enable it to get our radius (freeradius) server working
>> (for 802.1x).
> You would probably be better off asking freeradius.
>> What would be the best way to change the freeradius configuration in
>> such a way,
>> that we can disable NTLMv1 again.
>> The radius server is used for WLAN (802.1x) and for VPN.
>> How insecure is NTLMv1 ?
> Have you ever heard of 'wannacry'? Or, to put it another way, 'VERY
> insecure'.
> Rowland
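The two smb.conf settings discussed in the thread side by side, plus a small audit helper, as an added example (not Kacper's, Rowland's or the Samba project's code). The smb.conf fragments are constructed; the "ntlm auth" values are the ones named in the thread ("ntlmv1-permitted" and "mschapv2-and-ntlmv2-only"), and an unset value is treated as "ntlmv2-only", the post-4.5 default the release note refers to. The helper needs only POSIX sh and awk, so it runs without Samba installed; on a live DC you can feed it the effective configuration with `testparm -s 2>/dev/null | audit_smb_conf`.

```shell
#!/bin/sh
# Added example: show the weak "ntlm auth" setting beside the corrected one
# and classify whichever value an smb.conf actually carries.

# Constructed smb.conf fragment reflecting the workaround from the thread:
# NTLMv1 is accepted from every client, not only from ntlm_auth.
WEAK_CONF=$(cat <<'EOF'
[global]
    workgroup = EXAMPLE
    realm = AD.EXAMPLE.INTERNAL
    server role = active directory domain controller
    # re-enabled after the 4.5 upgrade so freeradius/ntlm_auth kept working
    ntlm auth = ntlmv1-permitted
EOF
)

# Constructed replacement for Samba >= 4.7: NTLMv1 is accepted only when the
# caller (ntlm_auth, on behalf of the RADIUS server) declares MSCHAPv2;
# every other client must use NTLMv2.
HARDENED_CONF=$(cat <<'EOF'
[global]
    workgroup = EXAMPLE
    realm = AD.EXAMPLE.INTERNAL
    server role = active directory domain controller
    ntlm auth = mschapv2-and-ntlmv2-only
EOF
)

# Read an smb.conf on stdin and print the effective "ntlm auth" value from
# [global], lowercased and trimmed. Later occurrences override earlier ones,
# comment lines are ignored, and an unset value yields "ntlmv2-only"
# (the default since 4.5, as the release note quoted in the thread says).
ntlm_auth_value() {
    awk -F= '
        /^[[:space:]]*\[/ { sec = tolower($0); gsub(/[[:space:]]/, "", sec) }
        sec == "[global]" && tolower($1) ~ /^[[:space:]]*ntlm[[:space:]]+auth[[:space:]]*$/ {
            v = tolower($2); gsub(/^[[:space:]]+|[[:space:]]+$/, "", v); val = v
        }
        END { print (val == "" ? "ntlmv2-only" : val) }
    '
}

# Map a value to a one-word class. "yes"/"no" are the pre-4.7 boolean
# spellings of ntlmv1-permitted / ntlmv2-only.
ntlm_auth_class() {
    case "$1" in
        ntlmv1-permitted|yes)          echo weak ;;          # NTLMv1 for everyone
        mschapv2-and-ntlmv2-only)      echo hardened ;;      # NTLMv1 only via MSCHAPv2 callers
        ntlmv2-only|no)                echo hardened ;;      # NTLMv1 refused
        disabled)                      echo ntlm-disabled ;; # no NTLM at all
        *)                             echo unknown ;;
    esac
}

# Read an smb.conf on stdin and print the value together with its class.
audit_smb_conf() {
    value=$(ntlm_auth_value)
    printf 'ntlm auth = %s -> %s\n' "$value" "$(ntlm_auth_class "$value")"
}

printf '%s\n' "$WEAK_CONF"     | audit_smb_conf
printf '%s\n' "$HARDENED_CONF" | audit_smb_conf
```

The hardened value only helps if the RADIUS side actually makes the promise the docs describe: the ntlm_auth invocation configured in FreeRADIUS has to declare MSCHAPv2 (the `--allow-mschapv2` switch that ntlm_auth gained alongside this option; the thread itself does not mention it), otherwise those requests fall back to plain NTLMv1 and are refused, which is the failure Kacper describes.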
