Authenticating against Win2k8r2 without ntlm_auth
schilling
schilling2006 at gmail.com
Mon Apr 25 15:44:33 CEST 2011
Could we extend the AD schema with another accessible ntPassword hash,
and thus use LDAP against AD for PEAP/MSCHAP?
Schilling
On Sun, Apr 24, 2011 at 4:33 AM, Phil Mayers <p.mayers at imperial.ac.uk> wrote:
> On 04/24/2011 12:48 AM, Thomas Smith wrote:
>
>> While Samba 3.5 and Likewise 6 fixed the problems authenticating
>> against Win2k8r2, Likewise removed support for Samba/Winbind in their
>> 6.x series product (they included full support for Samba/Winbind in
>> their 5.x series product)--they now use their own libraries to provide
>> "winbind" functionality. The result of this is that the Samba-included
>> ntlm_auth no longer works (and Likewise doesn't provide a comparable
>> replacement)--since my FreeRADIUS install was using ntlm_auth for AD
>> authentication and authorization, it is no longer working.
>
> If you're using Samba/ntlm_auth, you're probably doing PEAP/MSCHAP, in which
> case you have precisely one option - continuing to use Samba/ntlm_auth.
>
> Neither kerberos nor LDAP against AD (nor any other method) can be used to
> process MSCHAP authentications.
>
> If Likewise are going to replace bits of the Samba stack, they should
> provide compatible bits.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
More information about the Freeradius-Users
mailing list