Re: [Samba] freeradius + NTLM + samba AD 4.5.x
- Date: Mon, 26 Mar 2018 15:27:02 +0200
- From: Kacper Wirski via samba <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] freeradius + NTLM + samba AD 4.5.x
It is an issue that I myself would also like to solve.
I found multiple threads in samba and freeradius mailing lists. It seems
that every couple of months there is a question like this either here or on
the FR mailing list, and all point down to the same issue, that is:
freeradius uses ntlm_auth (even when using winbind with newer freeradius
versions, it also in the end uses ntlm_auth). And since mschapv2 is
needed for eap-peap, and it has to use ntlmv1.
The only solution that I read about, but not actually tested is in this
I'm not sure if it works, or is there some other workaround. As far as I
understand there is a special "flag" that can be sent with freeradius,
that will force ntlmv1-mschapv2 response from AD DC even if ntlmv1 is
overall disabled, that is how supposedly Microsoft solved it with their
Maybe someone here will have better advice?
On 26.03.2018 at 14:37, Rowland Penny via samba wrote:
> On Mon, 26 Mar 2018 14:06:24 +0200
> "Dr. Peer-Joachim Koch via samba" <samba@xxxxxxxxxxxxxxx> wrote:
> > we have updated our samba AD domain from 4.4.x to 4.5.x.
> > The release notes for 4.5.0 included "NTLMv1 authentication disabled
> > So we had to enable it to get our radius (freeradius) server working
> You would probably be better off asking freeradius.
> > What would be the best way to change the freeradius configuration in
> > such a way,
> > that we can disable NTLMv1 again.
> > The radius server is used for WLAN (802.1x) and for VPN.
> > How insecure is NTLMv1?
> Have you ever heard of 'wannacry'? or to put it another way 'VERY