Remove with_ntdomain_hack in rlm_mschap?
Phil Mayers
p.mayers at imperial.ac.uk
Thu Oct 27 14:21:33 CEST 2011
On 27/10/11 08:15, Alan DeKok wrote:
> Arran Cudbard-Bell wrote:
>> Could we set it to default to 'yes' so it can be explicitly disabled, but is on by default?
>
> Change the source code so that the default is "yes".
>
> Delete the configuration from raddb/modules/mschap
>
> People can still change it, but the default should work better.
That will work.
I'm a little cautious about the naming - "hack" implies it is somehow a
bad thing to do, and I would prefer to see it named "strip_ntdomain" -
but small changes are better than big I guess.
Interestingly (to me) I just pulled the .gz files for the -users mailing
list archives for 2010 and 2011. In the whole archive, only twice does
the error "should we have enabled with_ntdomain_hack?" appear; likewise
only 4 times does an MSCHAP auth occur with "DOMAIN\user" as opposed to
288 for just "user".
This implies to me very few people are ticking the "Use my windows
credentials..." option under the PEAP/MSCHAP settings.
More information about the Freeradius-Devel
mailing list