NTLMv1 security issue

Roberto Ricci robertoricci1 at msn.com
Fri Jan 18 10:52:37 CET 2019

Good morning,

I'm trying to set up a FreeRADIUS server for authentication against Active Directory. I followed the guide on deployingradius.com. In order to make everything work I have to set “ntlm auth = yes” in my smb.conf. This should enable NTLMv1 protocol that is well known to be broken. I also know that there is the possibility to set “ntlm auth = mschapv2-and-ntlmv2-only” but that’s not supported on my currently running SAMBA version. So these are my questions:
- What are the risks that I’m taking if I leave “ntlm auth = yes” on my SAMBA server?
- How can I avoid “ntlm auth = yes” without upgrading SAMBA?
- If I decide to upgrade SAMBA and set “ntlm auth = mschapv2-and-ntlmv2-only” can I rest easy or I’m still being vulnerable in some way?

Thank you for your attention, have a great day.
Best regards

More information about the Freeradius-Users mailing list