problem with radtest and freeradius 3.0.26

Matthew Newton mcn at
Thu Feb 1 20:29:55 UTC 2024

On 01/02/2024 20:16, Dean Guenther wrote:
> I turned on debugging on the Samba server and was able to see that the
> problem was that Samba was being sent an NTLMv1 request from freeradius,
> which by default is not accepted in Samba now.
 > Then I saw somewhere that somebody mentioned to put the
 > following global option in the Samba
 > smb.conf file on the client, the freeradius server:
 >           ntlm auth = mschapv2-and-ntlmv2-only

This is specifically mentioned in the mods-enabled/mschap configuration, 
right above the ntlm_auth command line, so that people see they need to 
do it.

> And sure enough, its working. I assume the freeradius server is now sending
> NTLMv2 requests and everything is happy.

No, it's sending NTLMv1, which is a direct conversion from MSCHAPv2.

AD (and Samba) finally disabled it by default because it's insecure. You 
have to re-enable it because this is the only way that MSCHAPv2 auth can 

Good to hear you got it working anyway.


More information about the Freeradius-Users mailing list