definitive info on authenticating to AD via NTLMv2

Phil Mayers p.mayers at imperial.ac.uk
Tue Mar 26 16:27:41 CET 2013


On 26/03/2013 15:09, Phil Mayers wrote:
> On 26/03/2013 15:00, Phil Mayers wrote:
>
>> You should ask on the Samba lists - if a windows domain member can do
>> it, there must be a newer API/RPC which Samba could implement.
>
> In fact, a couple of minutes with google gives me this thread:
>
> https://lists.samba.org/archive/samba/2012-March/166440.html
>
> There is a magic flag that Samba needs to set on the RPC. It's unclear
> from the thread if that was ever patched into Samba, but if it was, it
> was after March 2012, so you'd need at least version after that. I will
> see if I can find if it was implemented and when.
>

It doesn't look like this ever went in - there's no sign of the 
MSV1_0_ALLOW_MSVCHAPV2 flag in the latest Samba3 or Samba4 sources 
except in header def. files and flag/debug output.

As Andrew Bartlett pointed out, if you allow any MSCHAPv2 (NTLMv1) login 
you're effectively not enforcing NTLMv2, but I suppose you could argue 
the TLS surrounding PEAP makes it "ok".

If you want this working you'll need to download the Samba source and 
make the patch described in the thread - in ./source3/utils/ntlm_auth.c 
find the "contact_winbind_auth_crap" function, and add:

  MSV1_0_ALLOW_MSVCHAPV2

...to the "request.data.auth_crap.logon_parameters" flags.

You might want to re-(re)-raise this on the Samba lists. It seems like 
it would be pretty easy to have a "--allow-mschapv2" argument to 
ntlm_auth which sets this flag conditionally, and avoids the "we 
shouldn't set it all the time" issue.
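As an added illustration, not code from Samba or from this thread, here is a standalone C sketch of the conditional "--allow-mschapv2" option proposed above. The flag values are assumed to mirror the public MSV1_0 logon-parameter definitions, and parse_allow_mschapv2 / build_logon_parameters / accepts_mschapv2 are hypothetical names, not ntlm_auth functions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed values, mirroring the public MSV1_0 logon-parameter definitions
 * that Samba's netlogon headers reproduce; not copied from the Samba tree. */
#define MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT       0x00000020u
#define MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT  0x00000800u
#define MSV1_0_ALLOW_MSVCHAPV2                  0x00010000u

/* Hypothetical option scan: true when "--allow-mschapv2" is on the command line. */
bool parse_allow_mschapv2(int argc, char **argv)
{
    for (int i = 1; i < argc; i++) {
        if (strcmp(argv[i], "--allow-mschapv2") == 0)
            return true;
    }
    return false;
}

/* Build the logon_parameters bitmask. The trust-account bits are always set;
 * MSV1_0_ALLOW_MSVCHAPV2 is OR-ed in only when the operator asked for it, so
 * the default does not silently widen what the DC will accept. */
uint32_t build_logon_parameters(bool allow_mschapv2)
{
    uint32_t params = MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT |
                      MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT;
    if (allow_mschapv2)
        params |= MSV1_0_ALLOW_MSVCHAPV2;
    return params;
}

/* Audit helper: does this mask permit MSCHAPv2 (NTLMv1-class) responses,
 * i.e. is NTLMv2 no longer strictly enforced for this request? */
bool accepts_mschapv2(uint32_t params)
{
    return (params & MSV1_0_ALLOW_MSVCHAPV2) != 0;
}

int main(int argc, char **argv)
{
    bool allow = parse_allow_mschapv2(argc, argv);
    uint32_t params = build_logon_parameters(allow);
    printf("logon_parameters = 0x%08x (%s)\n", params,
           accepts_mschapv2(params) ? "MSCHAPv2 permitted, NTLMv2 not enforced"
                                    : "MSCHAPv2 refused");
    return 0;
}
```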

