[Samba] Fwd: ntlm_auth and freeradius
Kees van Vloten
keesvanvloten at gmail.com
Tue Apr 4 08:29:46 UTC 2023
On 04-04-2023 at 10:09, Tim ODriscoll wrote:
> > You said earlier that you have set ntlm auth = mschapv2-and-ntlmv2-only
>
> Yes, I found that here:
> https://wiki.samba.org/index.php/Authenticating_Freeradius_against_Active_Directory
>
> > This means to reject NTLMv1, which MSCHAPv2 is cryptographically, unless the
> > client makes special pleading that it used MSCHAPv2 with its client.
> > This is related to the missing ntlm_auth option --allow-mschapv2
>
> I've got that option in my ntlm_auth command:
> (21) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key
> --username=%{%{mschap:User-Name}:-00} --allow-mschapv2
> --domain=lambrook --challenge=%{%{mschap:Challenge}:-00}
> --nt-response=%{%{mschap:NT-Response}:-00}:
>
> So, why when I use --allow-mschapv2 is the DC telling me it's
> rejecting the request because it's NTLMv1? Have I missed a setting
> somewhere?
>
> Thank you,
> Tim
There are more places where mschap is configured. Did you look at
mods-enabled/eap or the inner-tunnel configuration?
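
A check for the situation raised in the reply above, added here as an example and not part of the original message: it lists every ntlm_auth command line under a FreeRADIUS configuration directory that lacks --allow-mschapv2, which covers mods-enabled/eap, the inner-tunnel site and any other file. The function name audit_ntlm_auth and the directory passed to it are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): report ntlm_auth command lines in a
# FreeRADIUS configuration tree that do not pass --allow-mschapv2.
# Assumption: the tree root is given as the first argument,
# e.g. /etc/freeradius/3.0 (the path differs between distributions).

audit_ntlm_auth() {
    confdir=$1
    # -L follows the symlinks used by mods-enabled/ and sites-enabled/.
    find -L "$confdir" -type f 2>/dev/null | sort | while IFS= read -r f; do
        awk -v file="$f" '
            # Ignore comment lines so commented-out samples are not reported.
            /^[ \t]*#/ { next }
            {
                # Remember where a (possibly continued) logical line starts.
                if (buf == "") start = NR
                line = $0
                # A trailing backslash continues the command on the next line.
                if (sub(/\\[ \t]*$/, "", line)) { buf = buf line; next }
                buf = buf line
                # A command line is the ntlm_auth binary followed by an option.
                if (buf ~ /ntlm_auth[" \t]+.*--[a-z]/ && buf !~ /--allow-mschapv2/)
                    printf "%s:%d: ntlm_auth without --allow-mschapv2\n", file, start
                buf = ""
            }
        ' "$f"
    done
}

# Run directly when a configuration directory is supplied.
if [ $# -gt 0 ]; then
    audit_ntlm_auth "$1"
fi
```

No output means every ntlm_auth invocation found in the tree already carries the option.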