Alan DeKok wrote:
Phil Mayers <[EMAIL PROTECTED]> wrote:
I'm confused - I and many people are doing MS-CHAP to an AD domain with samba3, winbind and the ntlm_auth helper - what are you referring to that doesn't work that samba4 would change?

  Yes, they're using the old-style NT4 logins.  So MS-CHAP works.

Ah I see. I had read the message differently - though the poster's original question (and the subject line, unhelpfully) was about CHAP, his subsequent query referenced another thread and mentioned MS-CHAP.

You're right that no current software can perform CHAP against AD except IAS running on a domain controller against accounts with reversible encryption enabled (see below).


  Samba4 *may* allow pulling clear-text passwords from AD, in which
case CHAP will work, too.

Why would samba4 be any different than samba3 in that regard? I assume we are talking about the same thing (samba as a member server with a "real" Microsoft PDC), in which case the code that would need adding would be an API on the Windows side - AD realms (in fact NT domains all the way back to NT4 IIRC) can already store the password in "reversibly encrypted" plaintext to support CHAP (only via IAS and only running on the physical PDC) or Digest MD5 on HTTP.
