Windows WPA

Michael Griego mgriego at utdallas.edu
Thu Dec 22 19:03:03 CET 2005


In this case, if you happen to be using Samba as your PDC with an LDAP 
backend, you should actually be able to use rlm_ldap to look up the NTLM 
hashes from the same LDAP tree that your Samba PDC uses.  Once you have 
those hashes, you can do MSCHAPv2 without having to use ntlm_auth.

--Mike

Phil Mayers wrote:
> Stefan Adams wrote:
>> Phil, thanks for the information!
>>
>> "Finally you need an AD domain (not NT4) to do that."
>>
>> Are you saying I actually need a Microsoft Server?  A Samba domain
>> controller won't suffice?  Being that I have no (ZERO) Microsoft servers,
>> are my chances of doing machine authentication nil?
>
>
> Ah, that's a different kettle of fish entirely. In this specific case 
> I *believe* the RPC call allowing you to MSCHAP a machine account is a 
> newer RPC, so since Samba emulates NT4 you may still find that method 
> doesn't work.
>
> But, if you have a samba domain controller, you can in a supported 
> fashion extract the LM and NT hashes from your SAM, and give those to 
> FreeRadius directly, which can then do the MSCHAP without a callout to 
> the domain at *all*, which has obvious scalability and resilience value.
>
> How to do this depends on what SAM backend you're using, whether the 
> FreeRadius server runs on the same machine as the Samba DC or a 
> different one, and of course whether your site policy permits the 
> "risk" of moving the LM/NT hashes around, though I personally don't 
> buy the arguments about the risk involved there.
>
> If you're using an LDAP backend, see frequent posts about using LDAP 
> and ways of mapping the ntPassword LDAP attribute to the NT-Password 
> radius attribute.
>
> If you're using smbpasswd, then a "passwd" file module can be used in 
> FreeRadius, with the config as described in the default radiusd.conf 
> (I believe), subject to you obviously getting the file somewhere 
> FreeRadius can see it, and HUPing the server if/when it changes.
>
> Other SAMs (TDB, etc.) can probably be done similarly but that's 
> samba-specific.
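As an added illustration (not taken from Mike's or Phil's posts), here is roughly what the two approaches Phil describes look like in FreeRADIUS 1.x configuration: the rlm_passwd stanza for a copied smbpasswd file, and the ldap.attrmap lines that map the Samba hash attributes onto the RADIUS check items. The file path is an assumption, and the attribute names assume a Samba 3 schema (Samba 2.2 trees use ntPassword/lmPassword, as the thread notes).

```conf
# --- radiusd.conf: rlm_passwd reading a copy of smbpasswd ---
# Field layout of one smbpasswd line:
#   user:uid:LM-hash:NT-hash:[flags]:LCT-xxxxxxxx:
# "*User-Name" marks the lookup key; an empty field name skips a column.
passwd etc_smbpasswd {
	# assumed path: a copy owned by and readable only by the radiusd user
	filename = /etc/freeradius/smbpasswd
	format = "*User-Name::LM-Password:NT-Password:SMB-Account-CTRL-TEXT::"
	authtype = MS-CHAP
	hashsize = 100
	ignorenislike = no
	allowmultiplekeys = no
}

# --- ldap.attrmap: Samba 3 hash attributes -> RADIUS check items ---
# The bind identity used by rlm_ldap must be allowed by the directory's
# ACLs to read these attributes; Samba's default ACLs restrict them.
checkItem	NT-Password	sambaNTPassword
checkItem	LM-Password	sambaLMPassword

# --- radiusd.conf: module order ---
# mschap in authorize sets Auth-Type MS-CHAP; the hashes come from
# etc_smbpasswd (or ldap) and mschap verifies the response locally,
# with no ntlm_auth callout to the domain controller.
authorize {
	preprocess
	mschap
	etc_smbpasswd
}
authenticate {
	Auth-Type MS-CHAP {
		mschap
	}
}
```

The SMB-Account-CTRL-TEXT column lets mschap reject disabled accounts ("D" in the flags field). rlm_passwd loads the file into memory at startup, so, as Phil says, the server needs a HUP whenever the copy is refreshed.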
