Authenticating against Win2k8r2 without ntlm_auth

Thomas Smith theitsmith at gmail.com
Mon Apr 25 20:33:56 CEST 2011


On Sun, Apr 24, 2011 at 1:33 AM, Phil Mayers <p.mayers at imperial.ac.uk> wrote:
> On 04/24/2011 12:48 AM, Thomas Smith wrote:
>
>> While Samba 3.5 and Likewise 6 fixed the problems authenticating
>> against Win2k8r2, Likewise removed support for Samba/Winbind in their
>> 6.x series product (they included full support for Samba/Winbind in
>> their 5.x series product)--they now use their own libraries to provide
>> "winbind" functionality. The result of this is that the Samba-included
>> ntlm_auth no longer works (and Likewise doesn't provide a comparable
>> replacement)--since my FreeRADIUS install was using ntlm_auth for AD
>> authentication and authorization, it is no longer working.
>
> If you're using Samba/ntlm_auth, you're probably doing PEAP/MSCHAP, in which
> case you have precisely one option - continuing to use Samba/ntlm_auth.
>
> Neither kerberos nor LDAP against AD (nor any other method) can be used to
> process MSCHAP authentications.
>
> If Likewise are going to replace bits of the Samba stack, they should
> provide compatible bits.

Yeah, that's exactly what I've been doing. I was hoping to find
another method, but that doesn't sound promising.

I brought this to Likewise' attention as soon as I noticed the issue.
They are looking into it but haven't given me a time frame for a
"fix", or even if there will provide one.



More information about the Freeradius-Users mailing list