problem with radtest and freeradius 3.0.26
Matthew Newton
mcn at freeradius.org
Thu Feb 1 20:29:55 UTC 2024
On 01/02/2024 20:16, Dean Guenther wrote:
> I turned on debugging on the Samba server and was able to see that the
> problem was that Samba was being sent an NTLMv1 request from freeradius,
> which by default is not accepted in Samba now.
...
> Then I saw somewhere that somebody mentioned to put the
> following global option in the Samba
> smb.conf file on the client, the freeradius server:
>
> ntlm auth = mschapv2-and-ntlmv2-only
This is specifically mentioned in the mods-enabled/mschap configuration,
right above the ntlm_auth command line, so that people see they need to
do it.
> And sure enough, its working. I assume the freeradius server is now sending
> NTLMv2 requests and everything is happy.
No, it's sending NTLMv1, which is a direct conversion from MSCHAPv2.
AD (and Samba) finally disabled it by default because it's insecure. You
have to re-enable it because this is the only way that MSCHAPv2 auth can
work.
Good to hear you got it working anyway.
--
Matthew
More information about the Freeradius-Users
mailing list