[Samba] ODP: Re: freeradius + NTLM + samba AD 4.5.x
Rowland Penny
rpenny at samba.org
Tue Mar 27 08:06:57 UTC 2018
On Tue, 27 Mar 2018 09:36:42 +0200
"k.wirski via samba" <samba at lists.samba.org> wrote:
> ok, tested it, and it works.
>
> so to summarize:
> on samba ad 4.7.x in smb.conf "ntlm auth" is set to
> "mschapv2-and-ntlmv2-only".
> fr + samba domain member (4.6 and 4.7): in
> mods-available/mschap you have to add to ntlm_auth --allow-mschapv2
> to the whole string OR just use winbind method, which sets correct
> flag without explicitly adding it.
Not sure it will work with 4.6 as it doesn't have the required
'mschapv2-and-ntlmv2-only' option for 'ntlm auth'.
>
> with those settings ntlmv1 is blocked except for mschapv2, and it's
> nicely visible in samba auth_audit log.
>
> I also tried password change with ntlm_auth (for expired password at
> logon via FR) and it works fine too, with added --allow-mschapv2.
>
> I completely missed ntlm_auth option --allow-mschapv2!
> Thank you for pointing it out.
>
If you can let us know just what you changed to get it working, I will
put something on the Samba wiki.
Rowland
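
An added example, not part of the thread or of Samba/FreeRADIUS: a small Python check that the two settings summarized above are both in place. The sample configs and the /usr/bin/ntlm_auth path are constructed, and detecting the winbind method by an uncommented winbind_username line is an assumption about the mschap module file.

```python
import re

def smb_ntlm_auth(smb_conf):
    """Return the [global] 'ntlm auth' value from smb.conf text, or None if unset."""
    section, value = None, None
    for raw in smb_conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "global" and "=" in line:
            key, val = line.split("=", 1)
            # smb.conf ignores case and whitespace inside parameter names
            if re.sub(r"\s+", "", key).lower() == "ntlmauth":
                value = val.strip().lower()
    return value

def mschap_method(mschap_conf):
    """Classify the active (uncommented) auth method in mods-available/mschap."""
    active = [l.strip() for l in mschap_conf.splitlines()
              if l.strip() and not l.strip().startswith("#")]
    # Assumption: an uncommented winbind_username means the winbind method is used.
    if any(re.match(r"winbind_username\s*=", l) for l in active):
        return "winbind"
    for l in active:
        if re.match(r"ntlm_auth\s*=", l):
            return "ntlm_auth" if "--allow-mschapv2" in l else "ntlm_auth-missing-flag"
    return "none"

def audit(smb_conf, mschap_conf):
    """Return a list of findings; an empty list means both sides match the thread."""
    findings = []
    if smb_ntlm_auth(smb_conf) != "mschapv2-and-ntlmv2-only":
        findings.append("DC: 'ntlm auth' is not mschapv2-and-ntlmv2-only")
    if mschap_method(mschap_conf) == "ntlm_auth-missing-flag":
        findings.append("FR: ntlm_auth is called without --allow-mschapv2")
    return findings

# Constructed sample configs (not taken from the thread).
SMB_CONF = "[global]\n  workgroup = EXAMPLE\n  ntlm auth = mschapv2-and-ntlmv2-only\n"
MSCHAP_OLD = ('mschap {\n  ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key '
              '--username=%{mschap:User-Name} --challenge=%{mschap:Challenge} '
              '--nt-response=%{mschap:NT-Response}"\n}\n')
MSCHAP_NEW = MSCHAP_OLD.replace("ntlm_auth --request", "ntlm_auth --allow-mschapv2 --request")

if __name__ == "__main__":
    print(audit(SMB_CONF, MSCHAP_OLD))
    print(audit(SMB_CONF, MSCHAP_NEW))
```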