Re: [Samba] freeradius + NTLM + samba AD 4.5.x
- Date: Mon, 26 Mar 2018 15:55:13 +0200
- From: "Dr. Peer-Joachim Koch via samba" <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] freeradius + NTLM + samba AD 4.5.x
I agree. For 802.1x-wlan we need mschapv2,eap-peap,...
However, interesting link. A secure setup of samba AD & freeradius
might be something for a couple of people ...
On 26.03.2018 15:27, Kacper Wirski via samba wrote:
It is an issue that I myself would also like to solve.
I found multiple threads in the samba and freeradius mailing lists. It
seems that every couple of months there is a question like this either
here or on the FR mailing list, and all point to the same issue, that is:
freeradius uses ntlm_auth (even when using winbind with newer
freeradius versions, it also in the end uses ntlm_auth). And since
mschapv2 is needed for eap-peap, it has to use ntlmv1.
The only solution that I have read about, but not actually tested, is in
this old thread:
I'm not sure if it works, or if there is some other workaround. As far as
I understand there is a special "flag" that can be sent with
freeradius, that will force an ntlmv1-mschapv2 response from the AD DC even
if ntlmv1 is overall disabled; that is how Microsoft supposedly solved
it with their ad/nps implementation.
Maybe someone here will have better advice?
On 26.03.2018 at 14:37, Rowland Penny via samba wrote:
On Mon, 26 Mar 2018 14:06:24 +0200
"Dr. Peer-Joachim Koch via samba" <samba@xxxxxxxxxxxxxxx> wrote:
we have updated our samba AD domain from 4.4.x to 4.5.x.
The release notes for 4.5.0 included "NTLMv1 authentication disabled
So we had to enable it to get our radius (freeradius) server working
You would probably be better off asking freeradius.
What would be the best way to change the freeradius configuration in
such a way,
that we can disable NTLMv1 again.
The radius server is used for WLAN (802.1x) and for VPN.
How insecure is NTLMv1 ?
Have you ever heard of 'wannacry' ? or to put it another way 'VERY
Kind regards,
Max-Planck-Institut für Biogeochemie
Dr. Peer-Joachim Koch
Hans-Knöll Str.10 Phone: ++49 3641 57-6705
D-07745 Jena Fax: ++49 3641 57-7705