definitive info on authenticating to AD via NTLMv2
Phil Mayers
p.mayers at imperial.ac.uk
Tue Mar 26 16:27:41 CET 2013
On 26/03/2013 15:09, Phil Mayers wrote:
> On 26/03/2013 15:00, Phil Mayers wrote:
>
>> You should ask on the Samba lists - if a windows domain member can do
>> it, there must be a newer API/RPC which Samba could implement.
>
> In fact, a couple of minutes with google gives me this thread:
>
> https://lists.samba.org/archive/samba/2012-March/166440.html
>
> There is a magic flag that Samba needs to set on the RPC. It's unclear
> from the thread if that was ever patched into Samba, but if it was, it
> was after March 2012, so you'd need at least version after that. I will
> see if I can find if it was implemented and when.
>
It doesn't look like this ever went in - there's no sign of the
MSV1_0_ALLOW_MSVCHAPV2 flag in the latest Samba3 or Samba4 sources
except in header def. files and flag/debug output.
As Andrew Bartlett pointed out, if you allow any MSCHAPv2 (NTLMv1) login
you're effectively not enforcing NTLMv2, but I suppose you could argue
the TLS surrounding PEAP make it "ok".
If you want this working you'll need to download the Samba source and
make the patch described in the thread - in ./source3/utils/ntlm_auth.c
find the "contact_winbind_auth_crap" function, and add:
MSV1_0_ALLOW_MSVCHAPV2
...to the "request.data.auth_crap.logon_parameters" flags.
You might want to re-(re)-raise this on the Samba lists. It seems like
it would be pretty easy to have a "--allow-mschapv2" argument to
ntlm_auth which sets this flag conditionally, and avoids the "we
shouldn't set it all the time" issue.
More information about the Freeradius-Users
mailing list