samba 4.7 AD and freeradius ntlm_auth/winbind
Kacper Wirski
kacper.wirski at gmail.com
Tue Mar 27 01:36:35 CEST 2018
Hello,
I have freeradius 3.0.14 integrated with samba AD DC using ntlm_auth.
As of samba 4.7, there is now an option to explicitly allow only
mschapv2 and disable all other ntlmv1 via the smb.conf option
ntlm auth = mschapv2-and-ntlmv2-only
I've done today some tests, and I have mixed results, and I'm not sure
who the "culprit" is.
So let's start with what works:
on the AD I set
ntlm auth = mschapv2-and-ntlmv2-only
on the freeradius (with samba 4.6.2 as domain member) in
mods-enabled/mschap using the winbind method I have put, according to the
guide in wiki.freeradius.org/active-directory-direct-via-winbind,
winbind_username = "%{mschap:User-Name}"
winbind_domain = "*WINDOWSDOMAIN*"
With this setup it works as expected, that is freeradius is able to
authenticate AD users via eap-peap, and in the samba audit_log I clearly see
that it's explicitly mschapv2 being used instead of the more general "ntlmv1".
What boggles my mind is that when I change in mods-enabled/mschap from
the "winbind" method to the traditional "ntlm auth = /path/to/ntlm_auth
etc....." I'm getting access-rejects. In the samba audit log I see that the
request is coming in using ntlmv1, and with the above smb.conf ntlmv1 (in
general) is blocked.
As soon as in smb.conf I change to "ntlm auth = yes" I have everything
working, but at the obvious loss of security.
I read in this mailing list (I think) that this winbind authentication
method also in the end uses ntlm_auth, but there is clearly a difference.
So my question is: is this something on the samba side that makes the actual
difference between those two methods, or does freeradius for whatever reason
not send the "proper" mschapv2 flag that will be recognized by the samba
AD server?
Also a follow-up question: is it possible to set the "winbind" method for
password change in the same way it's used for authentication?
Regards,
Kacper