[Samba] freeradius + NTLM + samba AD 4.5.x

Kacper Wirski k.wirski at babkamedica.pl
Tue Mar 27 05:48:50 UTC 2018

Can you please clarify "--allow-mschapv2" option? Where should this 
option be placed in the ntlm_auth string?

Something like

ntlm_auth --allow-mschapv2 --request-nt-key 

> Because you missed the --allow-mschapv2 option to ntlm_auth that sets
> the flag the new winbind method also uses.   The winbind method avoids
> the fork()/exec() of ntlm_auth and uses libwbclient instead, setting
> the right flag at the same time.
> In short, MSCHAPv2 is still NTLMv1 under the hood, and so bad, but just
> as Microsoft allows this 'for MSCHAPv2 only' so does Samba, provided
> the flag is set and the configuration permits it server-side.
> Finally, I'm sorry it took so many years for the flag to be passed
> through and honoured, this shouldn't have been so painful.
> Andrew Bartlett
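
An added example, not part of the original thread: a small Python check over a FreeRADIUS `mschap` module section that reports whether the active `ntlm_auth` command carries `--allow-mschapv2`, and inserts it in the position proposed in the question above. The sample config text, the `/usr/bin/ntlm_auth` path and the function names are constructed for illustration; the `winbind_username` key is the FreeRADIUS setting assumed here to indicate the winbind method.

```python
import re
import shlex

# Constructed sample of an mschap module section (not taken from the thread).
SAMPLE_MSCHAP = r'''
mschap {
    # ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{mschap:User-Name}"
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}
'''

NTLM_AUTH_RE = re.compile(r'^\s*ntlm_auth\s*=\s*"(.*)"\s*$')
WINBIND_RE = re.compile(r'^\s*winbind_username\s*=')
FLAG = "--allow-mschapv2"


def audit_mschap(text):
    """Return (line_no, finding) for each active mschap auth setting."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # commented-out settings are not in effect
        if WINBIND_RE.match(line):
            findings.append((no, "winbind method configured"))
            continue
        m = NTLM_AUTH_RE.match(line)
        if not m:
            continue
        # Compare option names only, so "--opt=value" forms are handled too.
        opts = [a.split("=", 1)[0] for a in shlex.split(m.group(1))[1:]]
        state = "present" if FLAG in opts else "missing"
        findings.append((no, f"ntlm_auth: {FLAG} {state}"))
    return findings


def add_flag(text):
    """Insert the flag directly after the program name on active ntlm_auth lines."""
    out = []
    for line in text.splitlines():
        m = None if line.lstrip().startswith("#") else NTLM_AUTH_RE.match(line)
        if m and FLAG not in m.group(1):
            prog, _, rest = m.group(1).partition(" ")
            line = line.replace(m.group(1), f"{prog} {FLAG} {rest}".rstrip())
        out.append(line)
    return "\n".join(out)


if __name__ == "__main__":
    print(audit_mschap(SAMPLE_MSCHAP))
    print(audit_mschap(add_flag(SAMPLE_MSCHAP)))
```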
