Re: [Samba] freeradius + NTLM + samba AD 4.5.x

Can you please clarify "--allow-mschapv2" option? Where should this option be placed in the ntlm_auth string?

Something like

ntlm_auth --allow-mschapv2 --request-nt-key --username=%{mschap:User-Name} --domain=DOMAIN --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00} ?

Because you missed the --allow-mschapv2 option to ntlm_auth that sets
the flag the new winbind method also uses. The winbind method avoids
the fork()/exec() of ntlm_auth and uses libwbclient instead, setting
the right flag at the same time.

In short, MSCHAPv2 is still NTLMv1 under the hood, and so bad, but just
as Microsoft allows this 'for MSCHAPv2 only' so does Samba, provided
the flag is set and the configuration permits it server-side.

Finally, I'm sorry it took so many years for the flag to be passed
through and honoured, this shouldn't have been so painful.

Andrew Bartlett
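Putting the flag where the question asks, as an added example that is not configuration from this thread or from either project's shipped defaults: the FreeRADIUS mschap stanza with --allow-mschapv2 on the ntlm_auth command line, the libwbclient (winbind) alternative the reply mentions, and the matching server-side smb.conf setting that lets the flag through. The ntlm_auth path and DOMAIN are placeholders, and the winbind_* keys assume FreeRADIUS 3.0.x.

```ini
# --- FreeRADIUS: mods-available/mschap (relevant lines only) ---
mschap {
    # Method 1: fork ntlm_auth. The flag goes right after the binary,
    # before the credential arguments. Path is an assumption; DOMAIN is
    # the NetBIOS domain name placeholder from the question.
    ntlm_auth = "/usr/bin/ntlm_auth --allow-mschapv2 --request-nt-key --username=%{mschap:User-Name} --domain=DOMAIN --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"

    # Method 2 (FreeRADIUS 3.0.x): talk to winbind over libwbclient,
    # no fork/exec; the module sets the MSCHAPv2 flag itself.
    # Use either the ntlm_auth line above OR these two, not both.
    # winbind_username = "%{mschap:User-Name}"
    # winbind_domain   = "%{mschap:NT-Domain}"
}

# --- Samba AD DC: smb.conf [global] ---
# Since 4.5 the default is ntlmv2-only, which rejects the NTLMv1
# exchange even when --allow-mschapv2 is set. This value admits NTLMv1
# solely for requests carrying the MSCHAPv2 flag; ntlmv1-permitted
# would re-enable NTLMv1 for every client and should be avoided.
ntlm auth = mschapv2-and-ntlmv2-only
```

After changing smb.conf, reload the DC and re-run a single test authentication with radtest or eapol_test before opening the RADIUS server to clients.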

