samba 4.7 AD and freeradius ntlm_auth/winbind

Kacper Wirski kacper.wirski at gmail.com
Tue Mar 27 01:36:35 CEST 2018


Hello,

I have freeradius 3.0.14 integrated with samba AD DC using ntlm_auth.

As of samba 4.7 there is now an option to explicitly allow only 
mschapv2 and disable all other ntlmv1 via the smb.conf option

ntlm auth = mschapv2-and-ntlmv2-only


I did some tests today, and I have mixed results, and I'm not sure 
who the "culprit" is.

So let's start with what works:

On the AD I set

ntlm auth = mschapv2-and-ntlmv2-only

On the freeradius side (with samba 4.6.2 as domain member), in 
mods-enabled/mschap using the winbind method, I have put, according to the 
guide at wiki.freeradius.org/active-directory-direct-via-winbind:

winbind_username = "%{mschap:User-Name}"
winbind_domain = "*WINDOWSDOMAIN*"

With this setup it works as expected, that is, freeradius is able to 
authenticate AD users via eap-peap; in the samba audit log I clearly see 
that it's explicitly mschapv2 being used instead of the more general "ntlmv1".


What boggles my mind is that when I change in mods-enabled/mschap from 
the "winbind" method to the traditional "ntlm auth = /path/to/ntlm_auth 
etc....." I'm getting access-rejects. In the samba audit log I see that the 
request is coming in using ntlmv1, and with the above smb.conf ntlmv1 (in 
general) is blocked.

As soon as I change smb.conf to "ntlm auth = yes", I have everything 
working, but at the obvious loss of security.

I read in this mailing list (I think) that this winbind authentication 
method also in the end uses ntlm_auth, but there is clearly a difference.

So my question is: is this something on the samba side that makes an actual 
difference between those two methods, or does freeradius for whatever reason 
not send the "proper" mschap2 flag that will be recognized by the samba 
AD server?

Also a follow up question: is it possible to set "winbind" method for 
password change in the same way it's used for authentication?

Regards,

Kacper
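As an added illustration (not part of the original post), here are the smb.conf setting and the two mods-enabled/mschap variants the post compares, side by side. The `--allow-mschapv2` switch on the ntlm_auth command line is an assumption to check against `ntlm_auth --help` on your Samba version; the post itself does not mention it, and `*WINDOWSDOMAIN*` is the post's own placeholder.

```conf
# --- smb.conf on the Samba AD DC (setting from the post) ---
# Refuses NTLMv1; NTLMv2 and MSCHAPv2 stay allowed, so a RADIUS server
# doing EAP-PEAP/MSCHAPv2 can still authenticate users.
[global]
    ntlm auth = mschapv2-and-ntlmv2-only

# --- FreeRADIUS mods-enabled/mschap, variant 1: winbind (the working case) ---
# The MSCHAPv2 challenge/response is handed to winbindd as an MSCHAPv2
# request, which is what the DC audit log then reports.
mschap {
    use_mppe = yes
    require_encryption = yes
    require_strong = yes

    winbind_username = "%{mschap:User-Name}"
    winbind_domain = "*WINDOWSDOMAIN*"
}

# --- FreeRADIUS mods-enabled/mschap, variant 2: external ntlm_auth helper ---
# The helper only receives an 8-byte challenge and a 24-byte NT-Response.
# On the wire that is the same shape as an NTLMv1 exchange, so unless the
# helper is told the request is MSCHAPv2 the DC treats it as NTLMv1 and,
# with the smb.conf setting above, rejects it.
# Assumption: --allow-mschapv2 (Samba 4.7+ ntlm_auth) marks it as MSCHAPv2;
# verify the flag exists in your ntlm_auth before relying on it.
mschap {
    use_mppe = yes
    require_encryption = yes
    require_strong = yes

    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --allow-mschapv2 --username=%{mschap:User-Name} --domain=*WINDOWSDOMAIN* --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
}
```

Only one of the two mschap stanzas may be active at a time; the DC audit log (mschapv2 vs ntlmv1) is the quickest check of which path a given request actually took.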
