[Samba] freeradius + NTLM + samba AD 4.5.x

Dr. Peer-Joachim Koch pkoch at bgc-jena.mpg.de
Mon Mar 26 13:55:13 UTC 2018

I agree. For 802.1x-wlan  we need mschapv2,eap-peap,...
However, interesting link. A  secure setup of samba AD & freeradius
might be something for a couple of people ...


On 26.03.2018 15:27, Kacper Wirski via samba wrote:
> It is an issue that I myself would also like to solve.
> I found multiple threads in samba and freeradius mailing lists. It 
> seems that every couple of months there is question like this either 
> here on FR mailing list and all point down to the same issue, that is:
> freeradius uses ntlm_auth (even when using winbind with newer 
> freeradius versions, it also in the end uses ntlm_auth). And since 
> mschapv2 is needed for eap-peap, and it has to use ntlmv1.
> The only solution that I read about, but not actually tested is in 
> this old thread:
> https://lists.samba.org/archive/samba/2012-March/166496.html
> I'm not sure if it works, or is there some other workaround. As far as 
> I understand there is a special "flag" that can be send with 
> freeradius, that will force ntlmv1-mschpav2 response from AD DC even 
> if ntlmv1 is overall disabled, that is how supposedly Microsoft solved 
> it with their ad/nps implementation..
> Maybe someone here wil have better advice?
> Regards,
> Kacper Wirski
> W dniu 26.03.2018 o 14:37, Rowland Penny via samba pisze:
>> On Mon, 26 Mar 2018 14:06:24 +0200
>> "Dr. Peer-Joachim Koch via samba" <samba at lists.samba.org> wrote:
>>> Hi,
>>> we have updated our samba AD domain from 4.4.x to 4.5.x.
>>> The release notes for 4.5.0 included  "NTLMv1 authentication disabled
>>> by default".
>>> So we had to enable it to get our radius (freeradius) server working
>>> (for 802.1x).
>> You would probably be better off asking freeradius.
>>> What would be the best way to change the freeradius configuration in
>>> such a way,
>>> that we can disable NTLMv1 again.
>>> The radius server is used for WLAN (802.1x) and for VPN.
>>> How insecure is NTLMv1 ?
>> Have you ever heard of 'wannacry' ? or to put it another way 'VERY
>> insecure'
>> Rowland

Mit freundlichen Grüßen,
     Peer-Joachim Koch

Max-Planck-Institut für Biogeochemie
Dr. Peer-Joachim Koch
Hans-Knöll Str.10            Telefon: ++49 3641 57-6705
D-07745 Jena                 Telefax: ++49 3641 57-7705

More information about the samba mailing list