Hello, I have freeradius 3.0.14 integrated with samba AD DC using ntlm_auth. As of samba 4.7 version, theere is now option to explicitly allow only mschapv2 and disable all other ntlmv1 via smb.conf option ntlm auth = mschpav2-and-ntlmv2-only I've done today some tests, and I have mixed results, and I'm not sure who the "culprit" is. So let's start with what works: on the AD i set ntlm auth = mschpav2-and-ntlmv2-only on the freeradius (with samba 4.6.2 as domain member) in mods-enabled/mschap using winbind method i have put according to the guide in wiki.freeradius.org/active-directory-direct-via-winbind winbind_username = "%{mschap:User-Name}" winbind_domain = "*WINDOWSDOMAIN*" With this setup it works as expected, that is freeradius is able to authenticate via eap-peap AD users, in samba audit_log i clearly see that it's explicitly mschpav2 being used instead of more general "ntlmv1". What boggles my mind is that when i change in mods-enabled/mschap from "winbind" method to traditional "ntlm auth = /path/to/ntlm_auth etc....." I'm getting access-rejects. In samba audit log i see that request is coming using ntlmv1, and with the above smb.conf ntlmv1 (en general) is blocked. As soon, as in smb.conf i change to "ntlm auth = yes" I have everything working, but at the obvious loss of security. I read in this mailing list (I think), that this winbind authentication method also in the end uses ntlm_auth, but there is clearly difference. So my question is: is this something on samba-side that makes actual difference between those two methods, or freeradius for whatever reason doesn't send "proper" mschap2 flag that will be recognized by the samba AD server? Also a follow up question: is it possible to set "winbind" method for password change in the same way it's used for authentication? Regards, Kacper