NTLMv1 security issue

Alan DeKok aland at deployingradius.com
Fri Jan 18 15:17:22 CET 2019

On Jan 18, 2019, at 4:52 AM, Roberto Ricci <robertoricci1 at msn.com> wrote:
> I'm trying to set up a FreeRADIUS server for authentication against Active Directory. I followed the guide on deployingradius.com. In order to make everything work I have to set “ntlm auth = yes” in my smb.conf. This should enable NTLMv1 protocol that is well known to be broken. I also know that there is the possibility to set “ntlm auth = mschapv2-and-ntlmv2-only” but that’s not supported on my currently running SAMBA version. So these are my questions:
> - What are the risks that I’m taking if I leave “ntlm auth = yes” on my SAMBA server?

  People can use ntlm_auth to talk to Samba.  ntlm_auth is insecure, so it's best to avoid it if you can.

> - How can I avoid “ntlm auth = yes” without upgrading SAMBA?

  Use one Samba server for "public" access.  i.e. people in your local network.  Use a different Samba server for FreeRADIUS.  And lock the second one down so that it only talks to the first Samba server && FreeRADIUS.

> - If I decide to upgrade SAMBA and set “ntlm auth = mschapv2-and-ntlmv2-only” can I rest easy or I’m still being vulnerable in some way?

  It's a little better, but plain MS-CHAPv2 is still somewhat insecure.

   Alan DeKok.

More information about the Freeradius-Users mailing list