Re: [Samba] freeradius + NTLM + samba AD 4.5.x

It is an issue that I myself would also like to solve.
I found multiple threads in the samba and freeradius mailing lists. It seems that every couple of months there is a question like this, either here or on the FR mailing list, and all point down to the same issue, that is: freeradius uses ntlm_auth (even when using winbind with newer freeradius versions, it also in the end uses ntlm_auth). And since mschapv2 is needed for eap-peap, it has to use ntlmv1. The only solution that I read about, but have not actually tested, is in this old thread:
https://lists.samba.org/archive/samba/2012-March/166496.html

I'm not sure if it works, or if there is some other workaround. As far as I understand there is a special "flag" that can be sent with freeradius, that will force an ntlmv1-mschapv2 response from the AD DC even if ntlmv1 is overall disabled; that is supposedly how Microsoft solved it with their AD/NPS implementation.

Maybe someone here will have better advice?

Regards,
Kacper Wirski
On 26.03.2018 at 14:37, Rowland Penny via samba wrote:
> On Mon, 26 Mar 2018 14:06:24 +0200
> "Dr. Peer-Joachim Koch via samba" <samba@xxxxxxxxxxxxxxx> wrote:
>
> > Hi,
> >
> > we have updated our samba AD domain from 4.4.x to 4.5.x.
> >
> > The release notes for 4.5.0 included "NTLMv1 authentication disabled
> > by default".
> >
> > So we had to enable it to get our radius (freeradius) server working
> > (for 802.1x).
>
> You would probably be better off asking freeradius.
>
> > What would be the best way to change the freeradius configuration in
> > such a way that we can disable NTLMv1 again.
> >
> > The radius server is used for WLAN (802.1x) and for VPN.
> >
> > How insecure is NTLMv1?
>
> Have you ever heard of 'wannacry'? Or to put it another way, 'VERY
> insecure'.
>
> Rowland
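An audit helper, added here and not taken from the thread or from the Samba or FreeRADIUS projects, that reads a Samba smb.conf and reports whether the `ntlm auth` setting leaves NTLMv1 accepted for ordinary logons (the workaround described above) or only for MSCHAPv2. The value names are the ones documented in smb.conf(5); the `mschapv2-and-ntlmv2-only` value is assumed to exist only in Samba releases newer than the 4.5.x discussed here, and the sample configuration is constructed.

```python
"""Audit a Samba smb.conf for its 'ntlm auth' setting and the NTLMv1 exposure it implies."""
import re

# Value names as documented for smb.conf(5) 'ntlm auth'. Samba 4.5.0 made 'ntlmv2-only'
# the default; 'mschapv2-and-ntlmv2-only' is only understood by releases newer than 4.5.x.
DEFAULT = "ntlmv2-only"
BOOL_SYNONYMS = {**dict.fromkeys(("yes", "true", "1"), "ntlmv1-permitted"),
                 **dict.fromkeys(("no", "false", "0"), "ntlmv2-only")}
# setting -> (NTLMv1 accepted for ordinary SMB/LDAP logons?, MSCHAPv2 via ntlm_auth possible?)
EXPOSURE = {
    "ntlmv1-permitted": (True, True),
    "mschapv2-and-ntlmv2-only": (False, True),
    "ntlmv2-only": (False, False),
    "disabled": (False, False),
}

def ntlm_auth_setting(smbconf: str) -> str:
    """Return the effective [global] 'ntlm auth' value, normalised to its long name."""
    section, value = None, DEFAULT
    for raw in smbconf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank lines and comment lines
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:                                    # section header such as [global]
            section = m.group(1).strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue                             # the parameter is global-only
        key, _, val = line.partition("=")
        if re.sub(r"\s+", "", key).lower() == "ntlmauth":   # keys ignore case and spaces
            val = val.strip().lower()
            value = BOOL_SYNONYMS.get(val, val)  # last occurrence wins
    if value not in EXPOSURE:
        raise ValueError(f"unrecognised 'ntlm auth' value: {value!r}")
    return value

def ntlmv1_exposure(smbconf: str):
    """(NTLMv1 accepted for ordinary logons?, MSCHAPv2 via ntlm_auth possible?) for a config."""
    return EXPOSURE[ntlm_auth_setting(smbconf)]

# Constructed sample: the 4.5.x workaround from the thread, re-enabling NTLMv1 globally.
SAMPLE_REENABLED = """[global]
    ; re-enabled so that freeradius' ntlm_auth keeps working
    NTLM Auth = yes
[sysvol]
    ntlm auth = no
"""

if __name__ == "__main__":
    print(ntlm_auth_setting(SAMPLE_REENABLED), ntlmv1_exposure(SAMPLE_REENABLED))
```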



--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba