On 01/02/2024 20:16, Dean Guenther wrote:
I turned on debugging on the Samba server and was able to see that the problem was that Samba was being sent an NTLMv1 request from freeradius, which by default is not accepted in Samba now. ... Then I saw somewhere that somebody mentioned to put the following global option in the Samba smb.conf file on the client, the freeradius server:
ntlm auth = mschapv2-and-ntlmv2-only
This is specifically mentioned in the mods-enabled/mschap configuration, right above the ntlm_auth command line, so that people see they need to do it.
And sure enough, its working. I assume the freeradius server is now sending NTLMv2 requests and everything is happy.
No, it's sending NTLMv1, which is a direct conversion from MSCHAPv2. AD (and Samba) finally disabled it by default because it's insecure. You have to re-enable it because this is the only way that MSCHAPv2 auth can work. Good to hear you got it working anyway. -- Matthew