[Samba] Fwd: ntlm_auth and freeradius

Kees van Vloten keesvanvloten at gmail.com
Tue Apr 4 08:29:46 UTC 2023

On 04-04-2023 at 10:09, Tim ODriscoll wrote:
> > You said earlier that you have set ntlm auth = mschapv2-and-ntlmv2-only
> Yes, I found that here:
> https://wiki.samba.org/index.php/Authenticating_Freeradius_against_Active_Directory
> > This means to reject NTLMv1, which MSCHAPv2 is cryptographically, unless the 
> > client makes special pleading that it used MSCHAPv2 with its client.
> > This is related  to the missing ntlm_auth option --allow-mschapv2
> I've got that option in my ntlm_auth command:
> (21) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key 
> --username=%{%{mschap:User-Name}:-00} --allow-mschapv2 
> --domain=lambrook --challenge=%{%{mschap:Challenge}:-00} 
> --nt-response=%{%{mschap:NT-Response}:-00}:
> So, why when I use --allow-mschapv2 is the DC telling me it's 
> rejecting the request because it's NTLMv1? Have I missed a setting 
> somewhere?
> Thank you,
> Tim

There are more places where mschap is configured. Did you look at 
mods-enabled/eap or the inner-tunnel configuration?
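One way to act on that suggestion is to inventory every ntlm_auth invocation in the FreeRADIUS configuration tree and flag the ones that do not carry --allow-mschapv2. The script below is an added example, not part of this thread or of the FreeRADIUS or Samba projects; it assumes the Debian-style layout under /etc/freeradius/3.0 (mods-enabled/ and sites-enabled/ as symlinks into the *-available/ directories) and accepts a different root as its first argument. The sample configuration in the usage note is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): list every ntlm_auth invocation under a
# FreeRADIUS config tree and report those missing --allow-mschapv2.
# Assumed layout: /etc/freeradius/3.0 with mods-enabled/ and sites-enabled/
# symlinked into mods-available/ and sites-available/ (Debian packaging).

# check_ntlm_auth_flags [CONFIG_ROOT]
# Prints "file:line:text" for each non-comment ntlm_auth line that lacks
# --allow-mschapv2. Returns 0 when every invocation carries the flag,
# 1 when at least one does not (the ones the DC would see as plain NTLMv1).
check_ntlm_auth_flags() {
    root="${1:-/etc/freeradius/3.0}"

    # find -L follows the mods-enabled/ and sites-enabled/ symlinks.
    # grep -n prefixes each match with its line number; the second grep
    # drops lines whose first non-blank character is '#', the third keeps
    # only invocations without the flag; sed prepends the file name.
    hits=$(find -L "$root" -type f 2>/dev/null | while IFS= read -r f; do
        grep -n 'ntlm_auth' "$f" 2>/dev/null \
          | grep -v '^[0-9][0-9]*:[[:space:]]*#' \
          | grep -v -- '--allow-mschapv2' \
          | sed "s|^|$f:|"
    done)

    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# Run directly against a config root when one is given on the command line.
if [ "$#" -gt 0 ]; then
    check_ntlm_auth_flags "$1"
fi
```

Run it as `sh check_ntlm_auth.sh /etc/freeradius/3.0`. A second mschap instance defined inside a virtual server (for example in sites-available/inner-tunnel) has its own ntlm_auth line and is easy to overlook when only mods-available/mschap was edited; the script reports it with file and line number so the flag can be added there as well.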
