[Samba] Fwd: ntlm_auth and freeradius
Tim ODriscoll
tim.odriscoll at lambrookschool.co.uk
Tue Apr 4 08:09:57 UTC 2023
> You said earlier that you have set ntlm auth = mschapv2-and-ntlmv2-only
Yes, I found that here:
https://wiki.samba.org/index.php/Authenticating_Freeradius_against_Active_Directory
> This means to reject NTLMv1, which MSCHAPv2 is cryptographically, unless the client makes special pleading that it used MSCHAPv2 with it's client.
> This is related to the missing ntlm_auth option --allow-mschapv2
I've got that option in my ntlm_auth command:
(21) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --username=%{%{mschap:User-Name}:-00} --allow-mschapv2 --domain=lambrook --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}:
So, why when I use --allow-mschapv2 is the DC telling me it's rejecting the request because it's NTLMv1? Have I missed a setting somewhere?
Thank you,
Tim
More information about the samba
mailing list