definitive info on authenticating to AD via NTLMv2

[Alex Sharaz]

Phew!
o.k. many thanks for this phil. I'll probably have a bash at this but, as I've done it before, just setting up radiator as something that just says yes/no sounds a lot easier :-))
Rgds
Alex

On 26 Mar 2013, at 15:27, Phil Mayers <p.mayers at IMPERIAL.AC.UK> wrote:

> On 26/03/2013 15:09, Phil Mayers wrote:
>> On 26/03/2013 15:00, Phil Mayers wrote:
>> 
>>> You should ask on the Samba lists - if a windows domain member can do
>>> it, there must be a newer API/RPC which Samba could implement.
>> 
>> In fact, a couple of minutes with google gives me this thread:
>> 
>> https://lists.samba.org/archive/samba/2012-March/166440.html
>> 
>> There is a magic flag that Samba needs to set on the RPC. It's unclear
>> from the thread if that was ever patched into Samba, but if it was, it
>> was after March 2012, so you'd need at least version after that. I will
>> see if I can find if it was implemented and when.
>> 
> 
> It doesn't look like this ever went in - there's no sign of the MSV1_0_ALLOW_MSVCHAPV2 flag in the latest Samba3 or Samba4 sources except in header def. files and flag/debug output.
> 
> As Andrew Bartlett pointed out, if you allow any MSCHAPv2 (NTLMv1) login you're effectively not enforcing NTLMv2, but I suppose you could argue the TLS surrounding PEAP make it "ok".
> 
> If you want this working you'll need to download the Samba source and make the patch described in the thread - in ./source3/utils/ntlm_auth.c find the "contact_winbind_auth_crap" function, and add:
> 
> MSV1_0_ALLOW_MSVCHAPV2
> 
> ...to the "request.data.auth_crap.logon_parameters" flags.
> 
> You might want to re-(re)-raise this on the Samba lists. It seems like it would be pretty easy to have a "--allow-mschapv2" argument to ntlm_auth which sets this flag conditionally, and avoids the "we shouldn't set it all the time" issue.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html