Could we extend the AD schema with another accessible ntPassword hash, and thus use LDAP against AD for PEAP/MSCHAP?
Schilling

On Sun, Apr 24, 2011 at 4:33 AM, Phil Mayers <[email protected]> wrote:
> On 04/24/2011 12:48 AM, Thomas Smith wrote:
>
>> While Samba 3.5 and Likewise 6 fixed the problems authenticating
>> against Win2k8r2, Likewise removed support for Samba/Winbind in their
>> 6.x series product (they included full support for Samba/Winbind in
>> their 5.x series product)--they now use their own libraries to provide
>> "winbind" functionality. The result of this is that the Samba-included
>> ntlm_auth no longer works (and Likewise doesn't provide a comparable
>> replacement)--since my FreeRADIUS install was using ntlm_auth for AD
>> authentication and authorization, it is no longer working.
>
> If you're using Samba/ntlm_auth, you're probably doing PEAP/MSCHAP, in which
> case you have precisely one option - continuing to use Samba/ntlm_auth.
>
> Neither kerberos nor LDAP against AD (nor any other method) can be used to
> process MSCHAP authentications.
>
> If Likewise are going to replace bits of the Samba stack, they should
> provide compatible bits.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html

