[Samba] freeradius + NTLM + samba AD 4.5.x
Kacper Wirski
k.wirski at babkamedica.pl
Tue Mar 27 05:48:50 UTC 2018
Can you please clarify "--allow-mschapv2" option? Where should this
option be placed in the ntlm_auth string?
Something like
"ntlm_auth --allow-mschapv2 --request-nt-key
--username=%{mschap:User-Name}
--domain=DOMAIN --challenge=%{%{mschap:Challenge}:-00}
--nt-response=%{%{mschap:NT-Response}:-00}"?
> Because you missed the --allow-mschapv2 option to ntlm_auth that sets
> the flag the new winbind method also uses. The winbind method avoids
> the fork()/exec() of ntlm_auth and uses libwbclient instead, setting
> the right flag at the same time.
>
> In short, MSCHAPv2 is still NTLMv1 under the hood, and so bad, but just
> as Microsoft allows this 'for MSCHAPv2 only' so does Samba, provided
> the flag is set and the configuration permits it server-side.
>
> Finally, I'm sorry it took so many years for the flag to be passed
> through and honoured, this shouldn't have been so painful.
>
> Andrew Bartlett
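For readers landing here with the same question, below is an added FreeRADIUS 3.0.x mods-available/mschap fragment showing the two routes Andrew describes: the ntlm_auth fork/exec method with --allow-mschapv2 placed as an ordinary option among the others, and the winbind (libwbclient) method that sets the same flag without spawning ntlm_auth. This is not configuration posted by anyone in the thread. It assumes ntlm_auth is at /usr/bin/ntlm_auth, that the AD domain is called EXAMPLE, that the installed Samba's ntlm_auth accepts --allow-mschapv2 (check with `ntlm_auth --help`), and that FreeRADIUS was built against libwbclient if the winbind options are used. Set one method or the other, not both.

```conf
# Added example for raddb/mods-available/mschap (FreeRADIUS 3.0.x).
# Not from the mailing-list thread.  Assumptions: ntlm_auth at
# /usr/bin/ntlm_auth, AD domain EXAMPLE, Samba's ntlm_auth understands
# --allow-mschapv2 (verify: ntlm_auth --help | grep allow-mschapv2).
mschap {
	use_mppe = yes
	require_encryption = yes
	require_strong = yes

	# Method A: fork/exec ntlm_auth for every MSCHAPv2 authentication.
	# --allow-mschapv2 is just another option on the command line; note
	# that every option is separated by a space (--domain=EXAMPLE and
	# --challenge=... must not run together).
	ntlm_auth = "/usr/bin/ntlm_auth --allow-mschapv2 --request-nt-key --username=%{mschap:User-Name} --domain=EXAMPLE --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"

	# Method B: use winbind through libwbclient instead of ntlm_auth.  The
	# module sets the MSCHAPv2 flag itself, so no --allow-mschapv2 is
	# needed.  Requires FreeRADIUS built with libwbclient support.
	# Uncomment these two lines and comment out ntlm_auth above to use it.
	# winbind_username = "%{mschap:User-Name}"
	# winbind_domain = "%{mschap:NT-Domain}"
}
```

Either method only works if the DC side permits it: as Andrew notes, the authentication is still NTLMv1 underneath, so the domain controller's smb.conf `ntlm auth` setting has to allow NTLMv1 for MSCHAPv2 (on Samba releases that offer it, the value `mschapv2-and-ntlmv2-only` permits exactly this case without re-enabling plain NTLMv1). Test the ntlm_auth command line by hand first; a rejection there with a clear NT_STATUS error is much easier to read than the same failure surfaced through radiusd -X.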