On 14/07/11 08:45, Johan Meiring wrote:
On 2011/07/13 06:51 PM, Phil Mayers wrote:
If you are using Samba as your domain controllers, then you have access to the SAM and can extract the LM/NT hash from whatever backend you use.
So you can just feed that info straight to FreeRADIUS. No need to use ntlm_auth / samba membership - just dump the NT hashes somewhere FreeRADIUS can get at them, or if you're using LDAP, point FreeRADIUS at that LDAP server and make sure it can read the ntPassword attribute.
This is preferable to using ntlm_auth in fact.
OK...
So the ntlm_auth "hack" is just because a Microsoft Domain
Point of clarity: It's not a hack. It's the same things windows does - this is how IAS/NPS authenticates MS-CHAP. That's what the RPC call is for, and they are core, documented Microsoft authenticator APIs.
Controller/LDAP refuses to share the ntPassword attribute with anyone that does not look like Microsoft?
Yes
Hopefully Samba4 changes that as it should have a copy of the AD database!
Perhaps. Personally I'm doubtful it will be useful for that many people. Think about it: the argument goes as follows: 1. Samba 3 & ntlm_auth are too hard to set up / maintain 2. Therefore we'll install Samba 4, make it a domain controller so it can replicate the SAM, and that will be much easier Not a convincing argument, I feel. Even if you can convince your AD admins to *permit* you to promote a Samba 4 to a DC role, I don't see how it'll be any less hassle to run than a Samba 3 in a server role. There are a small number of sites who may be able to use this route, but for complete "ease of use", there's no ideal solution.