Disabling ntlmv1 usage in FR 3.0.12
... try again Hi, I've built a couple of 3.0.12 (ish) FR servers that I use as our outward facing ORPS servers. York users authenticate against these 2 when visiting other eduroam sites. in smb.conf I've got .... ntlm auth = no lanman auth = no client ntlmv2 auth = yes winbind max domain connections = 1024 restrict anonymous = 2 and in /etc/freeradius/mods-enabled/mschap I've got # An alternative to using ntlm_auth is to connect to the # winbind daemon directly for authentication. This option # is likely to be faster and may be useful on busy systems, # but is less well tested. # # Using this option requires libwbclient from Samba 4.2.1 # or later to be installed. Make sure that ntlm_auth above is # commented out. # winbind_username = "%{Stripped-User-Name}" winbind_domain = "ITS.YORK.AC.UK" ... and auths work quite happily Our systems people are always grumbling about our FR servers being the only boxes that use NTLMv1. Will the above config keep them happy and stop these servers from using it? Rgds Alex
On Wed, May 04, 2016 at 02:56:56PM +0100, Alex Sharaz wrote:
Our systems people are always grumbling about our FR servers being the only boxes that use NTLMv1. Will the above config keep them happy and stop these servers from using it?
Not possible; MSCHAPv2 depends on it. So they may as well get used to it. In the latest FR (using wbclient) the correct flag is passed to Samba/Windows so that it should force NTLMv1 auth, even if they've disabled NTLMv1 on the AD servers. In the past that would just break your wireless auth. Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
o.k thanks for that ..... guess I'll start pushing EAP-TLS then :-)) A On 4 May 2016 at 15:10, Matthew Newton <mcn4@leicester.ac.uk> wrote:
On Wed, May 04, 2016 at 02:56:56PM +0100, Alex Sharaz wrote:
Our systems people are always grumbling about our FR servers being the only boxes that use NTLMv1. Will the above config keep them happy and stop these servers from using it?
Not possible; MSCHAPv2 depends on it. So they may as well get used to it.
In the latest FR (using wbclient) the correct flag is passed to Samba/Windows so that it should force NTLMv1 auth, even if they've disabled NTLMv1 on the AD servers. In the past that would just break your wireless auth.
Matthew
-- Matthew Newton, Ph.D. <mcn4@le.ac.uk>
Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Wed, May 04, 2016 at 02:56:56PM +0100, Alex Sharaz wrote:
# An alternative to using ntlm_auth is to connect to the # winbind daemon directly for authentication. This option # is likely to be faster and may be useful on busy systems, # but is less well tested. # # Using this option requires libwbclient from Samba 4.2.1 # or later to be installed. Make sure that ntlm_auth above is # commented out. # winbind_username = "%{Stripped-User-Name}" winbind_domain = "ITS.YORK.AC.UK"
... and auths work quite happily
...but this is good to hear :) Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
participants (2)
-
Alex Sharaz -
Matthew Newton