definitive info on authenticating to AD via NTLMv2

Phil Mayers p.mayers at imperial.ac.uk
Tue Mar 26 19:30:53 CET 2013


On 26/03/2013 18:03, A.L.M.Buxey at lboro.ac.uk wrote:
> Hi,
>
>> o.k. many thanks for this phil. I'll probably have a bash at this but, as I've done it before, just setting up radiator as something that just says yes/no sounds a lot easier :-))
>
> RADIATOR on Windows can use <AuthBY LSA> which is a direct access to AD method and doesn't use SAMBA
> stuff at all - you'd have the same problem with RADIATOR on Linux.

In the interests of clarity: The LSA isn't magic; it uses pretty much 
the same RPCs as Samba does. There's nothing hidden or special, and no 
"direct access".

The problem here is that Samba doesn't have any way to set 
MSV1_0_ALLOW_MSVCHAPV2 when calling the relevant RPC. This is a trivial, 
one-bit flag.

NPS and Radiator are obviously setting that flag when talking to the 
RPC. We (because we're reliant on Samba) are not. Fix Samba, and we will 
magically work - no effort required.
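Not part of the thread, but added here to show what "setting that flag" looks like at the API the LSA exposes: a Python sketch of the MSV1_0_LM20_LOGON buffer an MS-CHAPv2 authenticator submits through LsaLogonUser, with MSV1_0_ALLOW_MSVCHAPV2 in ParameterControl and the RFC 2759 challenge hash in ChallengeToClient. The structure layout and constant values are as I recall them from ntsecapi.h (assumptions, not quoted from the thread), and the LsaLogonUser call itself is left out so the block runs on any platform; the challenge values in the test come from the RFC 2759 §9.2 test vector.

```python
import ctypes
import hashlib
# Constants as in ntsecapi.h (assumed from memory, not from the thread).
MSV1_0_ALLOW_MSVCHAPV2 = 0x00010000   # the ParameterControl bit this thread is about
MsV1_0Lm20Logon = 3                   # MSV1_0_LOGON_SUBMIT_TYPE for LM20-style logons
MSV1_0_CHALLENGE_LENGTH, NT_RESPONSE_LENGTH = 8, 24

class UNICODE_STRING(ctypes.Structure):
    _fields_ = [("Length", ctypes.c_ushort), ("MaximumLength", ctypes.c_ushort),
                ("Buffer", ctypes.c_wchar_p)]

class STRING(ctypes.Structure):
    _fields_ = [("Length", ctypes.c_ushort), ("MaximumLength", ctypes.c_ushort), ("Buffer", ctypes.POINTER(ctypes.c_ubyte))]

class MSV1_0_LM20_LOGON(ctypes.Structure):
    _fields_ = [("MessageType", ctypes.c_int),
                ("LogonDomainName", UNICODE_STRING), ("UserName", UNICODE_STRING),
                ("Workstation", UNICODE_STRING),
                ("ChallengeToClient", ctypes.c_ubyte * MSV1_0_CHALLENGE_LENGTH),
                ("CaseSensitiveChallengeResponse", STRING),
                ("CaseInsensitiveChallengeResponse", STRING),
                ("ParameterControl", ctypes.c_uint32)]   # ULONG is 32-bit on Windows

def mschapv2_challenge_hash(peer_challenge, auth_challenge, username):
    """RFC 2759 ChallengeHash(): SHA1(Peer || Authenticator || UserName)[:8]; user part only, no domain."""
    if len(peer_challenge) != 16 or len(auth_challenge) != 16:
        raise ValueError("MS-CHAPv2 challenges are 16 bytes each")
    data = peer_challenge + auth_challenge + username.encode("ascii")
    return hashlib.sha1(data).digest()[:8]

def build_lm20_logon(username, peer_challenge, auth_challenge, nt_response):
    """Fill MSV1_0_LM20_LOGON for an MS-CHAPv2 logon; returns the struct plus the buffers it points at."""
    if len(nt_response) != NT_RESPONSE_LENGTH:
        raise ValueError("MS-CHAPv2 NT-Response is 24 bytes")
    user_buf = ctypes.create_unicode_buffer(username)
    resp_buf = ctypes.create_string_buffer(nt_response, NT_RESPONSE_LENGTH)
    logon = MSV1_0_LM20_LOGON()
    logon.MessageType = MsV1_0Lm20Logon
    logon.UserName.Length = logon.UserName.MaximumLength = 2 * len(username)
    logon.UserName.Buffer = ctypes.addressof(user_buf)
    chal = mschapv2_challenge_hash(peer_challenge, auth_challenge, username)
    ctypes.memmove(logon.ChallengeToClient, chal, MSV1_0_CHALLENGE_LENGTH)
    resp = logon.CaseSensitiveChallengeResponse
    resp.Length = resp.MaximumLength = NT_RESPONSE_LENGTH
    resp.Buffer = ctypes.cast(resp_buf, ctypes.POINTER(ctypes.c_ubyte))
    # The one-bit flag: without it MSV1_0 treats the 24 bytes as a plain NTLM
    # response over ChallengeToClient and the MS-CHAPv2 logon fails.
    logon.ParameterControl = MSV1_0_ALLOW_MSVCHAPV2
    # Caller keeps the returned buffers alive until the LSA call has returned; a
    # real submit buffer must also hold them contiguously after the struct.
    return logon, (user_buf, resp_buf)
```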

