On Tue, 2018-03-27 at 01:22 +0200, Kacper Wirski via samba wrote:
> Hello,
> I've done some further testing, and I have to correct myself.
> I was (kind of obviously as I think about it) wrong about samba on the
> freeradius server requiring v. 4.7. What makes all the difference is the
> method used by mschap.

> What I can't test right now is whether it will work with mschapv2 password change (if required), since freeradius relies directly on ntlm_auth there.
> My question on the other hand is this:
> - Why does this "winbind" method work fine with "ntlm auth = mschapv2-and-ntlmv2-only" on the AD DC, but "ntlm_auth" doesn't? The winbind method supposedly also uses ntlm_auth in the end?

Because you missed the --allow-mschapv2 option to ntlm_auth that sets
the flag the new winbind method also uses. The winbind method avoids
the fork()/exec() of ntlm_auth and uses libwbclient instead, setting
the right flag at the same time.

In short, MSCHAPv2 is still NTLMv1 under the hood, and so bad, but just
as Microsoft allows this 'for MSCHAPv2 only' so does Samba, provided
the flag is set and the configuration permits it server-side.

Finally, I'm sorry it took so many years for the flag to be passed
through and honoured, this shouldn't have been so painful.

Andrew Bartlett
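As an added illustration (not part of the thread, and not Samba's or FreeRADIUS's own documentation), the configuration the reply describes: the AD DC policy from the question, the ntlm_auth invocation without and with --allow-mschapv2, and the libwbclient-based alternative. The ntlm_auth path, the %{mschap:...} expansions and the winbind_* option names are assumed from a typical FreeRADIUS 3.x mods-available/mschap and must be checked against your install; the three mschap blocks are alternatives, not meant to coexist in one file.

```conf
# AD DC smb.conf (setting quoted in the thread): plain NTLMv1 is refused,
# NTLMv1 is accepted only when the request is flagged as MSCHAPv2.
[global]
    ntlm auth = mschapv2-and-ntlmv2-only

# --- FreeRADIUS mods-available/mschap, "ntlm_auth" method, WEAK ---
# No --allow-mschapv2: the DC sees an unflagged NTLMv1 request and, with
# the policy above, rejects it. (path and expansions assumed)
mschap {
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain} --username=%{mschap:User-Name} --challenge=%{mschap:Challenge} --nt-response=%{mschap:NT-Response}"
}

# --- same method, FIXED ---
# --allow-mschapv2 sets the flag that tells the DC this NTLMv1 exchange is
# an MSCHAPv2 one, which the policy above permits.
mschap {
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --allow-mschapv2 --domain=%{mschap:NT-Domain} --username=%{mschap:User-Name} --challenge=%{mschap:Challenge} --nt-response=%{mschap:NT-Response}"
}

# --- "winbind" method ---
# Talks to winbind through libwbclient instead of fork()/exec() of
# ntlm_auth and sets the same flag itself, so no command line is needed.
# (option names assumed from FreeRADIUS 3.0.x)
mschap {
    winbind_username = "%{mschap:User-Name}"
    winbind_domain   = "%{mschap:NT-Domain}"
}
```

Keeping the DC at mschapv2-and-ntlmv2-only rather than relaxing it to allow all NTLMv1 limits the weaker exchange to the RADIUS path alone.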
