So what is the flag that should be set? From librpc/gen_ndr/netlogon.h I see MSV1_0_ALLOW_MSVCHAPV2. Is that the flag that needs to be set? I can't seem to find any documentation on that particular flag.


Glen



On 3/3/12 12:04 AM, Andrew Bartlett wrote:
On Fri, 2012-03-02 at 15:08 +0100, NdK wrote:
On 01/03/2012 22:09, Glenn Machin wrote:

I am using freeradius2 which then calls ntlm_auth passing the
nt-response and challenge generated as part of the peap mschapv2
exchange.   However it does not seem to want to work.  The version of
samba I am using is samba3x-3.5.10.

I've recently set up a Squeeze box with FR and samba. Have had to use
"backports" repo since 3.5.6 didn't work and (IIRC) even 3.5.10 gave
troubles. Upgrading to 3.5.11 solved.

The big issue here is that MSCHAPv2 is not NTLMv2.  It is only a little
more secure than NTLM.  There is a flag in logon_parameters that the
domain member can set (and which Samba should set) that indicates that
this particular authentication should be regarded as NTLMv2 however.  We
need to confirm it should be set in this situation.  (This is the same
logon_parameters that carries the 'allow machine account authentication'
flag).

I dislike the 'lie', but I'm very happy to review such a patch, I just
keep forgetting to add the handling for this myself.

Andrew Bartlett
