[Samba] Re: freeradius + NTLM + samba AD 4.5.x

k.wirski k.wirski at babkamedica.pl
Tue Mar 27 07:36:42 UTC 2018

OK, tested it, and it works.

So, to summarize:
On Samba AD 4.7.x, in smb.conf "ntlm auth" is set to "mschapv2-and-ntlmv2-only".
FR + Samba domain member (4.6 and 4.7): in mods-available/mschap you have to add --allow-mschapv2 to the whole ntlm_auth string, OR just use the winbind method, which sets the correct flag without explicitly adding it.

With those settings NTLMv1 is blocked except for MSCHAPv2, and it's nicely visible in the Samba auth_audit log.

I also tried password change with ntlm_auth (for an expired password at logon via FR) and it works fine too, with --allow-mschapv2 added.

I completely missed the ntlm_auth option --allow-mschapv2!
Thank you for pointing it out.


-------- Original message --------
From: Kacper Wirski via samba <samba at lists.samba.org>
Date: 03.27.2018 7:48 (GMT+01:00)
To: samba at lists.samba.org
Subject: Re: [Samba] freeradius + NTLM + samba AD 4.5.x

Can you please clarify the "--allow-mschapv2" option? Where should this
option be placed in the ntlm_auth string?

Something like

ntlm_auth --allow-mschapv2 --request-nt-key 

> Because you missed the --allow-mschapv2 option to ntlm_auth that sets
> the flag the new winbind method also uses. The winbind method avoids
> the fork()/exec() of ntlm_auth and uses libwbclient instead, setting
> the right flag at the same time.
> In short, MSCHAPv2 is still NTLMv1 under the hood, and so bad, but just
> as Microsoft allows this 'for MSCHAPv2 only' so does Samba, provided
> the flag is set and the configuration permits it server-side.
> Finally, I'm sorry it took so many years for the flag to be passed
> through and honoured, this shouldn't have been so painful.
> Andrew Bartlett
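The two configuration pieces the thread converges on, written out as an added example (not taken from the thread or from the Samba or FreeRADIUS projects' shipped defaults): the smb.conf setting on the AD DC, and the mschap module on the FreeRADIUS domain member with --allow-mschapv2 in the ntlm_auth string, the winbind alternative, and the password-change helper. File paths, the /usr/bin/ntlm_auth location and the --domain argument are assumptions; adjust them to your layout.

```conf
# /etc/samba/smb.conf on the Samba AD DC (Samba 4.7 or later; path assumed)
[global]
    # Reject NTLMv1 everywhere, except when the NTLMv1-derived response
    # belongs to an MSCHAPv2 exchange that the caller has flagged as such.
    ntlm auth = mschapv2-and-ntlmv2-only

# /etc/freeradius/3.0/mods-available/mschap on the FreeRADIUS host that is
# a Samba domain member (path assumed; Debian-style layout)
mschap {
    use_mppe = yes
    require_encryption = yes
    require_strong = yes

    # Method 1: external ntlm_auth helper. --allow-mschapv2 has to be part
    # of this string; without it the DC sees a plain NTLMv1 logon and,
    # with the smb.conf setting above, rejects it.
    ntlm_auth = "/usr/bin/ntlm_auth --allow-mschapv2 --request-nt-key --domain=%{mschap:NT-Domain} --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"

    # Method 2: talk to winbind directly through libwbclient. This sets the
    # MSCHAPv2 flag itself, so no ntlm_auth string is needed. Configure one
    # method or the other, not both.
    # winbind_username = "%{mschap:User-Name}"
    # winbind_domain = "%{mschap:NT-Domain}"

    # Password change for an expired account still runs through ntlm_auth
    # and needs the same flag.
    passchange {
        ntlm_auth = "/usr/bin/ntlm_auth --helper-protocol=ntlm-change-password-1 --allow-mschapv2"
        ntlm_auth_username = "username: %{mschap:User-Name}"
        ntlm_auth_domain = "nt-domain: %{mschap:NT-Domain}"
    }
}
```

After restarting both services, the DC's auth_audit log is the place to confirm the result: MSCHAPv2 logons from the RADIUS server succeed, while any other NTLMv1 attempt is refused.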
