ntlm_auth and Server 2008 R2 issues
We are having the same issue as noted here: http://lists.freeradius.org/pipermail/freeradius-users/2009-November/msg0066... I am guessing there is no way to use LDAP for MSCHAP authentication? I have read other posts on the list that have said it won't work (which kind of makes sense to me). However, it sure would be nice to side step Samba on this issue. We are not doing group checking at this point, just authentication. Currently running FreeRADIUS 2.0.3. Any suggestions/comments will be appreciated. I guess my next e-mail will be to the Samba mailing list.... Thanks, Walter
Walter Gould wrote:
We are having the same issue as noted here: http://lists.freeradius.org/pipermail/freeradius-users/2009-November/msg0066...
See also https://bugzilla.samba.org/show_bug.cgi?id=6563
I am guessing there is no way to use LDAP for MSCHAP authentication?
Exactly.
I have read other posts on the list that have said it won't work (which kind of makes sense to me). However, it sure would be nice to side step Samba on this issue.
It's impossible. (for now)
We are not doing group checking at this point, just authentication. Currently running FreeRADIUS 2.0.3. Any suggestions/comments will be appreciated. I guess my next e-mail will be to the Samba mailing list....
Install FreeRADIUS 2.1.8, and possibly Samba 3.4.3 Alan DeKok.
Alan DeKok wrote:
Walter Gould wrote:
We are having the same issue as noted here: http://lists.freeradius.org/pipermail/freeradius-users/2009-November/msg0066...
Yes, I saw that one...
I have read other posts on the list that have said it won't work (which kind of makes sense to me). However, it sure would be nice to side step Samba on this issue.
It's impossible. (for now)
for now...? Can you expand?
We are not doing group checking at this point, just authentication. Currently running FreeRADIUS 2.0.3. Any suggestions/comments will be appreciated. I guess my next e-mail will be to the Samba mailing list....
Install FreeRADIUS 2.1.8, and possibly Samba 3.4.3
Are there thought that these two may work? Thanks for the help, Walter
Alan DeKok wrote:
have read other posts on the list that have said it won't work (which kind of makes sense to me). However, it sure would be nice to side step Samba on this issue.
It's impossible. (for now)
For now? -- Johan Meiring Cape PC Services CC Tel: (021) 883-8271 Fax: (021) 886-7782
Johan Meiring wrote:
Alan DeKok wrote:
have read other posts on the list that have said it won't work (which kind of makes sense to me). However, it sure would be nice to side step Samba on this issue.
It's impossible. (for now)
For now?
Samba 4 will be a full member of an AD domain. It will have access to the NT hashed passwords. It will (presumably) be able to export them via LDAP, like a real LDAP server. Alan DeKok.
Hi,
Samba 4 will be a full member of an AD domain. It will have access to the NT hashed passwords. It will (presumably) be able to export them via LDAP, like a real LDAP server.
oooh! yippee! anyway, regarding initial issue.... samba 3.4.3 might fix the issue but it must also be ntoed that microsoft implemented a new security thing for NTLM Authentication in Win 7 and server 2008 R2 - perhaps the initial poster is becoming unstuck because of a policy on the server ? eg http://technet.microsoft.com/en-us/library/dd560653%28WS.10%29.aspx (why do i feel dirty for posting a technet URL? ;-)) alan
Alan Buxey wrote:
Hi,
Samba 4 will be a full member of an AD domain. It will have access to the NT hashed passwords. It will (presumably) be able to export them via LDAP, like a real LDAP server.
oooh! yippee!
So help me out here - what exactly does that mean? And, how will it help us?
anyway, regarding initial issue.... samba 3.4.3 might fix the issue but it must also be ntoed that microsoft implemented a new security thing for NTLM Authentication in Win 7 and server 2008 R2 - perhaps the initial poster is becoming unstuck because of a policy on the server ?
eg http://technet.microsoft.com/en-us/library/dd560653%28WS.10%29.aspx
(why do i feel dirty for posting a technet URL? ;-))
Thanks for posting this Alan.. I will run this by our AD admin. Maybe (hopefully), it is a server policy that is screwing us. Walter
participants (4)
-
Alan Buxey -
Alan DeKok -
Johan Meiring -
Walter Gould