[Samba] Fwd: ntlm_auth and freeradius

Tim ODriscoll tim.odriscoll at lambrookschool.co.uk
Tue Apr 4 08:09:57 UTC 2023


> You said earlier that you have set ntlm auth = mschapv2-and-ntlmv2-only

Yes, I found that here:
https://wiki.samba.org/index.php/Authenticating_Freeradius_against_Active_Directory

> This means to reject NTLMv1, which MSCHAPv2 is cryptographically, unless the client makes special pleading that it used MSCHAPv2 with its client.
> This is related to the missing ntlm_auth option --allow-mschapv2

I've got that option in my ntlm_auth command:
(21) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --username=%{%{mschap:User-Name}:-00} --allow-mschapv2 --domain=lambrook --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}:

So, why when I use --allow-mschapv2 is the DC telling me it's rejecting the request because it's NTLMv1? Have I missed a setting somewhere?

Thank you,
Tim

