Hello, Thank You, I just got similar response on samba mailing list. I can't believe I missed this --allow-mschapv2 option for ntlm_auth, and it works. I couldn't test yet if it works for the pass change too, but that's another story and I will test it later on. W dniu 27.03.2018 o 03:52, Isaac Boukris pisze:
On Tue, Mar 27, 2018 at 2:36 AM, Kacper Wirski <kacper.wirski@gmail.com> wrote:
Hello,
I have freeradius 3.0.14 integrated with samba AD DC using ntlm_auth.
As of samba 4.7 version, theere is now option to explicitly allow only mschapv2 and disable all other ntlmv1 via smb.conf option
ntlm auth = mschpav2-and-ntlmv2-only
I've done today some tests, and I have mixed results, and I'm not sure who the "culprit" is.
So let's start with what works:
on the AD i set
ntlm auth = mschpav2-and-ntlmv2-only
on the freeradius (with samba 4.6.2 as domain member) in
mods-enabled/mschap using winbind method i have put according to the guide in wiki.freeradius.org/active-directory-direct-via-winbind
winbind_username = "%{mschap:User-Name}" winbind_domain = "*WINDOWSDOMAIN*"
With this setup it works as expected, that is freeradius is able to authenticate via eap-peap AD users, in samba audit_log i clearly see that it's explicitly mschpav2 being used instead of more general "ntlmv1".
What boggles my mind is that when i change in mods-enabled/mschap from "winbind" method to traditional "ntlm auth = /path/to/ntlm_auth etc....." I'm getting access-rejects. In samba audit log i see that request is coming using ntlmv1, and with the above smb.conf ntlmv1 (en general) is blocked.
As soon, as in smb.conf i change to "ntlm auth = yes" I have everything working, but at the obvious loss of security.
I read in this mailing list (I think), that this winbind authentication method also in the end uses ntlm_auth, but there is clearly difference.
So my question is: is this something on samba-side that makes actual difference between those two methods, or freeradius for whatever reason doesn't send "proper" mschap2 flag that will be recognized by the samba AD server?
mschap-v2 is ntlm-v1, the only way a DC (win or samba) can make a difference between the two (and apply a different policy), is if the server tells it so by setting a flag. When using libwbclient integration FR sets this flag, when using ntlm_auth you can add "--allow-mschapv2" to the cmd to get the same.
Also a follow up question: is it possible to set "winbind" method for password change in the same way it's used for authentication?
I think currently no. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html