Example configuration that proxy PEAP MSCHAPv2 to an IAS server
Phil Mayers
p.mayers at imperial.ac.uk
Wed Aug 31 15:41:26 CEST 2011
On 30/08/11 22:53, Danner, Mearl wrote:
> Might be the LAN Manager authentication level on the 2K8 servers. It needs to be "downgraded". Probably to "Send LM and NTLM".
>
> Samba used to put a note about that in the documentation.
That's related to the LM/NT hashes used to authenticate an SMB
connection. It's unrelated to the use of ntlm_auth in helper mode.
There seems to be some confusion about this; just so people are clear,
in a working Samba/ntlm_auth configuration, the following is true:
1. Samba is joined into the domain, and thus has its own machine
account credentials
2. Winbind is running, and maintains a long-lived SMB connection to a
domain controller
3. That SMB connection is authenticated using the machine account
credentials; provided you have a recent enough version of Samba, it can
have all the security bells & whistles enabled
4. When "ntlm_auth" is called, it passes the mschap challenge/response
to winbind, which calls an RPC (over the SMB connection) on the domain
controller, which is basically:
SamLogonUserEx(username, mschap_challenge, mschap_response)
...and the domain controller says yes or no.
"LAN Manager authentication level" is largely irrelevant to all that.
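A preflight script that walks the four points above in order, added here as an illustration and not code from the list thread or from Samba/FreeRADIUS. The `net`, `wbinfo` and `ntlm_auth` options it runs are real Samba tool options; the domain, user and password values are placeholders supplied through environment variables, and the `step`/`build_ntlm_auth_cmd` helper names are this script's own.

```shell
#!/bin/sh
# Added example (not from the list post): check each link in the
# Samba -> winbind -> domain-controller chain that ntlm_auth relies on.
# TEST_DOMAIN / TEST_USER / TEST_PASS are placeholders; set them before
# running step 4 against a real domain.

# The command line FreeRADIUS's mschap module hands to ntlm_auth for an
# MS-CHAPv2 challenge/response pair; this is the request winbind turns
# into the SamLogon RPC on the domain controller.
build_ntlm_auth_cmd() {
    # $1 NetBIOS domain, $2 user, $3 8-byte challenge (hex), $4 24-byte NT response (hex)
    printf 'ntlm_auth --request-nt-key --domain=%s --username=%s --challenge=%s --nt-response=%s' \
        "$1" "$2" "$3" "$4"
}

# Run one check and print PASS/FAIL/SKIP (SKIP when the tool is absent).
# $1 label, $2 tool that must be installed, remaining args: command to run.
step() {
    label=$1; tool=$2; shift 2
    if ! command -v "$tool" >/dev/null 2>&1; then
        echo "SKIP $label ($tool not installed)"
        return 0
    fi
    if "$@" >/dev/null 2>&1; then
        echo "PASS $label"
    else
        echo "FAIL $label"
    fi
}

run_checks() {
    # 1. machine account: the host is joined and its secret is valid
    step "1 domain join / machine account (net ads testjoin)" net net ads testjoin
    # 2. winbindd is up and answering on its pipe
    step "2 winbindd running (wbinfo -p)" wbinfo wbinfo -p
    # 3. the machine-account authenticated connection to a DC works
    step "3 machine trust secret usable against a DC (wbinfo -t)" wbinfo wbinfo -t
    # 4. the ntlm_auth -> winbind -> DC logon path itself, exercised with
    #    a plaintext test login rather than a captured MS-CHAP exchange
    step "4 ntlm_auth logon via winbind (plaintext test user)" ntlm_auth \
        ntlm_auth --domain="${TEST_DOMAIN:-EXAMPLE}" \
                  --username="${TEST_USER:-testuser}" \
                  --password="${TEST_PASS:-changeme}"
}

case "${1:-}" in run) run_checks ;; esac
```

Run it as `TEST_DOMAIN=... TEST_USER=... TEST_PASS=... sh preflight.sh run`. A FAIL at step 1 or 3 points at the machine account, not at the LM authentication level; a PASS through step 3 with a FAIL at step 4 usually means the account running the check (for FreeRADIUS, the radiusd user) cannot read winbind's privileged pipe directory, whose location varies by distribution.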