[Samba] ODP: Re: freeradius + NTLM + samba AD 4.5.x

Rowland Penny rpenny at samba.org
Tue Mar 27 08:06:57 UTC 2018

On Tue, 27 Mar 2018 09:36:42 +0200
"k.wirski via samba" <samba at lists.samba.org> wrote:

> ok, tested it, and it works.
> so to summarize:
> on samba ad 4.7.x  in smb.conf "ntlm auth" is set to
> "mschapv2-and-ntlmv2-only" fr + samba domain member (4.6 and 4.7) in
> mods-available/mschap you have to add to ntlm_auth --allow-mschapv2
> to the whole string OR just use winbind method, which sets correct
> flag without explicitly adding it.

Not sure it will work with 4.6 as it doesn't have the required
'mschapv2-and-ntlmv2-only' option for 'ntlm auth'

> with those settings ntlmv1 is blocked except for mschapv2, and it's
> nicely visible in samba auth_audit log.
> I also tried password change with ntlm_auth (for expired password at
> logon via FR) and it works fine too, with added --allow-mschapv2.
> I completely missed ntlm_auth option --allow-mschapv2!
> Thank You for pointing it out.

If you can let us know just what you changed to get it working, I will
put something on the Samba wiki.


More information about the samba mailing list