[Samba] freeradius + NTLM + samba AD 4.5.x

Kacper Wirski kacper.wirski at gmail.com
Mon Mar 26 20:38:20 UTC 2018

Ok, I finally could try it out, and it seems to actually work, but you 
need samba 4.7 on all machines, not only the AD, but also the server with 
freeradius. I didn't get a chance to test it locally, that is samba AD + 
freeradius on the same server.

Setup: a 4.7.6 AD server and a 4.6.2 samba member + freeradius didn't work 
(got a simple "nt_status_wrong_password")

but: 4.7.6 AD and 4.7.1 samba + freeradius works just fine. It's clearly 
visible in the logs.

While using "ntlm auth = yes" I was getting Authentication_passwordType = 
NTLMv1 in the audit log, but with ntlm auth = 
ntlmv2-and-mschap2-only the audit log shows Authentication_passwordType as 

Not sure what the case is, maybe only starting with samba 4.7 ntlm_auth 
can send the correct flag?

Hope that helps.

On 26.03.2018 at 22:16, Jonathan Hunter via samba wrote:
> On 26 March 2018 at 14:31, Kacper Wirski via samba <samba at lists.samba.org>
> wrote:
>> Also I just facepalmed, as I double checked smb.conf right after sending
>> mail, and in samba 4.7 there are new options available for "ntlm auth", as
>> stated in docs:
>> |mschapv2-and-ntlmv2-only| - Only allow NTLMv1 when the client promises
>> that it is providing MSCHAPv2 authentication (such as the |ntlm_auth| tool).
>> [...]
>> I'll test it out later today and give some feedback if needed.
> I tried exactly this a few days ago, and couldn't get it working.
> Admittedly, I didn't spend too long on it, but I changed 'ntlm auth = yes'
> to 'ntlm auth = mschapv2-and-ntlmv2-only' but freeradius then didn't
> authenticate me..
> Do let me know how it goes for you, I also thought that this setting would
> be much better for me..
> Alternatively.. if there is a way of setting 'ntlm auth' on a per-IP basis,
> then I could only enable it for the freeradius server. I wonder if I can
> add 'include = /usr/local/samba/etc/smb.conf.%I' and then include 'ntlm
> auth = yes' in a smb.conf just for the freeradius server.. I will report
> back!
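As an added example (not part of this thread, and not Samba project documentation), here is how the two "ntlm auth" variants discussed above would look side by side in smb.conf on the AD DC, together with the per-client include idea from Jonathan's reply. The restrictive value stays the global default; the include path is the one quoted in the thread, while the FreeRADIUS host address 192.0.2.10 is a constructed placeholder. Whether the per-IP include actually takes effect for the NETLOGON authentication path was not verified in the thread and is not verified here either.

```ini
# smb.conf on the AD DC (Samba 4.7 or later); added example, not from the thread
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.INTERNAL
    server role = active directory domain controller

    # Weak setting from the thread: accepts plain NTLMv1 from every client,
    # and the audit log then records passwordType NTLMv1 for such logons.
    # ntlm auth = yes

    # Restrictive setting: NTLMv1 is accepted only when the caller (for
    # example ntlm_auth driven by FreeRADIUS) flags that it is relaying
    # MSCHAPv2; all other clients must use NTLMv2.
    ntlm auth = mschapv2-and-ntlmv2-only

    # Per-client override idea from the thread: %I expands to the client's
    # IP address, so the parameters in that file apply to that client only.
    # A file that does not exist for a given address is skipped.
    include = /usr/local/samba/etc/smb.conf.%I

# Contents of /usr/local/samba/etc/smb.conf.192.0.2.10
# (192.0.2.10 = assumed FreeRADIUS host; the file is inserted inside
# [global] at the point of the include, so no section header is needed).
# Only for the case where the restrictive value turns out not to work
# for this one host:
#
#   ntlm auth = yes
```

Keeping "ntlm auth = yes" commented out in the global section and confined to the per-host file means the audit log entries showing passwordType NTLMv1 should come only from that address; any NTLMv1 logon recorded from another client is then worth investigating.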
