Disabling ntlmv1 usage in FR 3.0.12

Alex Sharaz alex.sharaz at york.ac.uk
Wed May 4 15:56:56 CEST 2016

... try again

I've built a couple of 3.0.12 (ish) FR servers that I use as our outward
facing ORPS servers. York users authenticate against these 2 when visiting
other eduroam sites.
in smb.conf I've got

    ntlm auth = no
    lanman auth = no
    client ntlmv2  auth = yes
    winbind max domain connections = 1024
    restrict anonymous = 2

and in /etc/freeradius/mods-enabled/mschap I've got

      # An alternative to using ntlm_auth is to connect to the
        # winbind daemon directly for authentication. This option
        # is likely to be faster and may be useful on busy systems,
        # but is less well tested.
        # Using this option requires libwbclient from Samba 4.2.1
        # or later to be installed. Make sure that ntlm_auth above is
        # commented out.
        winbind_username = "%{Stripped-User-Name}"
        winbind_domain = "ITS.YORK.AC.UK"

... and auths work quite happily

Our systems  people are always grumbling about our FR servers being the
only boxes that use  NTLMv1. Will the above config keep them happy and
stop  these servers from using it?


More information about the Freeradius-Users mailing list