definitive info on authenticating to AD via NTLMv2
Phil Mayers
p.mayers at imperial.ac.uk
Tue Mar 26 16:00:05 CET 2013
On 26/03/2013 14:21, Alex Sharaz wrote:
> Hi, I've been running ntlm_auth to authenticate our 802.1x users
> against AD for a number of months without problems... until this
> morning when our Systems group tightened up auth requirements to only
> use NTLMv2, and my ntlm_auth module started failing
As Alan says - you're hosed. They will need to rollback the change if
you want Samba/ntlm_auth to continue working.
> All the web stuff I've found doesn't seem to mention v2 at all. Back
> in the dim and distant past I got round the ntlm v2 issue when using
> OSC Radiator by proxying off auths to Radiator running on a windows
> machine bound to AD and using their AuthBy LSA authentication
> mechanism.
When you say "windows machine", do you mean "ordinary domain member" as
opposed to "domain controller"?
If so, this is interesting. It suggests that MSCHAP can still be checked
with NTLMv2 enforced, just not via whatever API Samba/ntlm_auth uses.
You should ask on the Samba lists - if a windows domain member can do
it, there must be a newer API/RPC which Samba could implement.
It is possible, though unlikely IMO, that one of the other ntlm_auth
modes, such as
--helper-protocol=ntlm-server-1
uses different RPCs, and may work. If you can, try and get a valid
challenge/response pair, and then drive ntlm_auth using the
ntlm-server-1 protocol (see "man ntlm_auth"). If that works, it would be
possible in theory to use a wrapper script. But IIRC, it's the same code
path, so Samba fixes will be needed.
The other "option" (yuck) is to run NPS (or Radiator) on a Windows
server, and proxy your MSCHAP to that. But if other RADIUS servers have
the ability to work with NTLMv2 enforced, it would be nice to get it
with FR too.
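As an added illustration (not code from this thread, Samba or FreeRADIUS), here is the kind of wrapper script the paragraph above has in mind: it feeds one challenge/response pair to ntlm_auth in ntlm-server-1 mode and parses the reply. The ntlm_auth path and the hex sample values are assumptions; the field names follow the ntlm-server-1 protocol described in ntlm_auth(1).

```python
"""Drive ntlm_auth --helper-protocol=ntlm-server-1 for one MS-CHAPv2 check.

Added example, not from the mailing-list thread. Field names follow the
ntlm-server-1 protocol in ntlm_auth(1); NTLM_AUTH path is an assumption and
any hex values passed in by a caller are constructed samples.
"""
import subprocess

NTLM_AUTH = "/usr/bin/ntlm_auth"  # assumed install path


def build_request(username: str, domain: str, challenge_hex: str,
                  nt_response_hex: str, want_session_key: bool = True) -> str:
    """Serialise one ntlm-server-1 request: 'Key: value' lines ended by '.'."""
    lines = [
        f"Username: {username}",
        f"NT-Domain: {domain}",
        f"LANMAN-Challenge: {challenge_hex}",  # 8-byte MS-CHAP challenge, hex
        f"NT-Response: {nt_response_hex}",     # 24-byte NT-Response, hex
    ]
    if want_session_key:
        # Ask for the user session key; a RADIUS server needs it for MPPE keys.
        lines.append("Request-User-Session-Key: Yes")
    lines.append(".")
    return "\n".join(lines) + "\n"


def parse_reply(text: str) -> dict:
    """Parse the helper's reply (up to the terminating '.') into a dict.

    'Authenticated' is normalised to a bool; other fields such as
    'User-Session-Key' or 'Authentication-Error' are kept as strings.
    """
    reply = {}
    for line in text.splitlines():
        if line == ".":
            break
        if ": " in line:
            key, value = line.split(": ", 1)
            reply[key] = value
    reply["Authenticated"] = reply.get("Authenticated") == "Yes"
    return reply


def check_mschap(username, domain, challenge_hex, nt_response_hex) -> dict:
    """Run ntlm_auth once and return the parsed reply (needs a joined Samba)."""
    proc = subprocess.run(
        [NTLM_AUTH, "--helper-protocol=ntlm-server-1"],
        input=build_request(username, domain, challenge_hex, nt_response_hex),
        capture_output=True, text=True, check=False)
    return parse_reply(proc.stdout)
```

If the DC enforces NTLMv2 only, the reply for a correct password still comes back with "Authenticated: No", which is the failure mode being discussed.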
More information about the Freeradius-Users mailing list