[Samba] freeradius + NTLM + samba AD 4.5.x
Kacper Wirski
kacper.wirski at gmail.com
Mon Mar 26 13:31:46 UTC 2018
Also I just facepalmed, as I double checked smb.conf right after sending
mail, and in samba 4.7 there are new options available for "ntlm auth",
as stated in docs:
|mschapv2-and-ntlmv2-only| - Only allow NTLMv1 when the client promises
that it is providing MSCHAPv2 authentication (such as the |ntlm_auth| tool).
So that is is I suppose that special "flag" that is used by Microsoft
NPS/AD. I t h i n k I tested it before, but couldn't get it to work and
had to go back to "ntlmv1-permitted".
I'll test it out later today and give some feedback if needed.
Regards,
Kacper Wirski
||
W dniu 26.03.2018 o 14:37, Rowland Penny via samba pisze:
> On Mon, 26 Mar 2018 14:06:24 +0200
> "Dr. Peer-Joachim Koch via samba" <samba at lists.samba.org> wrote:
>
>> Hi,
>>
>> we have updated our samba AD domain from 4.4.x to 4.5.x.
>>
>> The release notes for 4.5.0 included "NTLMv1 authentication disabled
>> by default".
>>
>> So we had to enable it to get our radius (freeradius) server working
>> (for 802.1x).
>>
> You would probably be better off asking freeradius.
>
>> What would be the best way to change the freeradius configuration in
>> such a way,
>>
>> that we can disable NTLMv1 again.
>>
>> The radius server is used for WLAN (802.1x) and for VPN.
>>
>> How insecure is NTLMv1 ?
>>
> Have you ever heard of 'wannacry' ? or to put it another way 'VERY
> insecure'
>
> Rowland
>
>
>
More information about the samba
mailing list