Phew! OK, many thanks for this, Phil. I'll probably have a bash at this but, as I've done it before, just setting up Radiator as something that just says yes/no sounds a lot easier :-))

Rgds
Alex
On 26 Mar 2013, at 15:27, Phil Mayers <p.may...@imperial.ac.uk> wrote:

> On 26/03/2013 15:09, Phil Mayers wrote:
>> On 26/03/2013 15:00, Phil Mayers wrote:
>>
>>> You should ask on the Samba lists - if a Windows domain member can do
>>> it, there must be a newer API/RPC which Samba could implement.
>>
>> In fact, a couple of minutes with Google gives me this thread:
>>
>> https://lists.samba.org/archive/samba/2012-March/166440.html
>>
>> There is a magic flag that Samba needs to set on the RPC. It's unclear
>> from the thread if that was ever patched into Samba, but if it was, it
>> was after March 2012, so you'd need at least a version after that. I will
>> see if I can find out if it was implemented and when.
>>
>
> It doesn't look like this ever went in - there's no sign of the
> MSV1_0_ALLOW_MSVCHAPV2 flag in the latest Samba3 or Samba4 sources except in
> header def. files and flag/debug output.
>
> As Andrew Bartlett pointed out, if you allow any MSCHAPv2 (NTLMv1) login
> you're effectively not enforcing NTLMv2, but I suppose you could argue the
> TLS surrounding PEAP makes it "ok".
>
> If you want this working you'll need to download the Samba source and make
> the patch described in the thread - in ./source3/utils/ntlm_auth.c find the
> "contact_winbind_auth_crap" function, and add:
>
> MSV1_0_ALLOW_MSVCHAPV2
>
> ...to the "request.data.auth_crap.logon_parameters" flags.
>
> You might want to re-(re)-raise this on the Samba lists. It seems like it
> would be pretty easy to have a "--allow-mschapv2" argument to ntlm_auth which
> sets this flag conditionally, and avoids the "we shouldn't set it all the
> time" issue.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html