[Samba] freeradius + NTLM + samba AD 4.5.x

Rowland Penny rpenny at samba.org
Mon Mar 26 20:57:57 UTC 2018

On Mon, 26 Mar 2018 22:38:20 +0200
Kacper Wirski via samba <samba at lists.samba.org> wrote:

> Ok, I finally could try it out, and it seems to actually work, but
> you need samba 4.7 on all machines, not only AD, but also the server with
> freeradius. I didn't get a chance to test it locally, that is samba
> AD + freeradius on the same server.
> Setup: 4.7.6 AD server and 4.6.2 samba member + freeradius didn't
> work (got simple "nt_status_wrong_password")
> but: 4.7.6 AD and 4.7.1 samba + freeradius works just fine. It's
> clearly visible in logs.
> While using "ntlm auth = yes" I was getting in audit log
> Authentication_passwordType = NTLMv1, but with ntlm auth =
> ntlmv2-and-mschap2-only audit log shows Authentication_passwordType
> as "MSCHAP2"
> Not sure what's the case, maybe only starting with samba 4.7
> ntlm_auth can send correct flag?

From 4.7.0, the default for 'ntlm auth' changed from 'no' to
'ntlmv2-only', but two new values were created as well,
'mschapv2-and-ntlmv2-only' and 'disabled'. The former now allows
MSCHAPv2 without NTLMv1, the latter disables NTLMv1 entirely.
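
An added example, not part of the original message: a short Python check over Samba's JSON authentication audit log that tallies the passwordType values discussed above and lists accounts whose NTLMv1 logons were accepted. The sample log lines are constructed, and the field names (passwordType, clientAccount, status, serviceDescription) are assumed to match Samba's JSON authentication audit records.

```python
import json
from collections import Counter

# Constructed sample lines (not from the thread), modelled on Samba's JSON
# authentication audit records; field names are an assumption of this example.
SAMPLE_LOG = """\
[2018/03/26 20:41:02,  3] (constructed log header line)
  JSON Authentication: {"type": "Authentication", "Authentication": {"status": "NT_STATUS_OK", "clientAccount": "alice", "serviceDescription": "winbind", "passwordType": "NTLMv1"}}
  JSON Authentication: {"type": "Authentication", "Authentication": {"status": "NT_STATUS_WRONG_PASSWORD", "clientAccount": "bob", "serviceDescription": "winbind", "passwordType": "NTLMv1"}}
  JSON Authentication: {"type": "Authentication", "Authentication": {"status": "NT_STATUS_OK", "clientAccount": "alice", "serviceDescription": "winbind", "passwordType": "MSCHAPv2"}}
  JSON Authentication: {"type": "Authentication", "Authentication": {"status": "NT_ST
"""

WEAK_TYPES = {"NTLMv1"}  # password types that 'ntlm auth' is meant to shut out


def parse_auth_events(text):
    """Yield the inner Authentication record from each parseable log line."""
    for line in text.splitlines():
        start = line.find("{")
        if start < 0:
            continue  # log header or non-JSON debug line
        try:
            record = json.loads(line[start:])
        except ValueError:
            continue  # truncated or interleaved line, skip it
        auth = record.get("Authentication")
        if record.get("type") == "Authentication" and isinstance(auth, dict):
            yield auth


def summarize(text):
    """Return (count per passwordType, accepted weak logons as (account, service))."""
    by_type = Counter()
    accepted_weak = []
    for auth in parse_auth_events(text):
        ptype = auth.get("passwordType") or "unknown"
        by_type[ptype] += 1
        if ptype in WEAK_TYPES and auth.get("status") == "NT_STATUS_OK":
            accepted_weak.append((auth.get("clientAccount"), auth.get("serviceDescription")))
    return by_type, accepted_weak


if __name__ == "__main__":
    counts, weak = summarize(SAMPLE_LOG)
    print("passwordType counts:", dict(counts))
    for account, service in weak:
        print(f"NTLMv1 logon accepted for {account} via {service}")
```

Run over the log before and after changing 'ntlm auth'; once NTLMv1 is no longer accepted, the list of accepted NTLMv1 logons should stay empty.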

