[Samba] freeradius + NTLM + samba AD 4.5.x
Dr. Peer-Joachim Koch
pkoch at bgc-jena.mpg.de
Mon Mar 26 13:55:13 UTC 2018
I agree. For 802.1x-wlan we need mschapv2,eap-peap,...
However, interesting link. A secure setup of samba AD & freeradius
might be something for a couple of people ...
Bye,
Peer
On 26.03.2018 15:27, Kacper Wirski via samba wrote:
> It is an issue that I myself would also like to solve.
> I found multiple threads in samba and freeradius mailing lists. It
> seems that every couple of months there is question like this either
> here on FR mailing list and all point down to the same issue, that is:
> freeradius uses ntlm_auth (even when using winbind with newer
> freeradius versions, it also in the end uses ntlm_auth). And since
> mschapv2 is needed for eap-peap, and it has to use ntlmv1.
> The only solution that I read about, but not actually tested is in
> this old thread:
> https://lists.samba.org/archive/samba/2012-March/166496.html
>
> I'm not sure if it works, or is there some other workaround. As far as
> I understand there is a special "flag" that can be send with
> freeradius, that will force ntlmv1-mschpav2 response from AD DC even
> if ntlmv1 is overall disabled, that is how supposedly Microsoft solved
> it with their ad/nps implementation..
>
> Maybe someone here wil have better advice?
>
> Regards,
> Kacper Wirski
> W dniu 26.03.2018 o 14:37, Rowland Penny via samba pisze:
>> On Mon, 26 Mar 2018 14:06:24 +0200
>> "Dr. Peer-Joachim Koch via samba" <samba at lists.samba.org> wrote:
>>
>>> Hi,
>>>
>>> we have updated our samba AD domain from 4.4.x to 4.5.x.
>>>
>>> The release notes for 4.5.0 included "NTLMv1 authentication disabled
>>> by default".
>>>
>>> So we had to enable it to get our radius (freeradius) server working
>>> (for 802.1x).
>>>
>> You would probably be better off asking freeradius.
>>
>>> What would be the best way to change the freeradius configuration in
>>> such a way,
>>>
>>> that we can disable NTLMv1 again.
>>>
>>> The radius server is used for WLAN (802.1x) and for VPN.
>>>
>>> How insecure is NTLMv1 ?
>>>
>> Have you ever heard of 'wannacry' ? or to put it another way 'VERY
>> insecure'
>>
>> Rowland
>>
>>
>
>
--
Mit freundlichen Grüßen,
Peer-Joachim Koch
________________________________________________________
Max-Planck-Institut für Biogeochemie
Dr. Peer-Joachim Koch
Hans-Knöll Str.10 Telefon: ++49 3641 57-6705
D-07745 Jena Telefax: ++49 3641 57-7705
More information about the samba
mailing list