On Tue, 2012-03-06 at 19:52 -0700, Glenn Machin wrote:
> Well I cannot provide proof that the Microsoft radius server is
> setting the bit. However setting the MSV1_0_ALLOW_MSVCHAPV2 bit in
> the request.data.auth_crap.logon_parameters of the
> contact_winbind_auth_crap() function fixes the issue with ntlm_auth
> not being able to authenticate mschapv2 to a W2008 DC where the
> LMCompatibility level is set to 5 => "Clients use only NTLMv2
> authentication, and they use NTLMv2 session security if the server
> supports it. Domain controller refuses LM and NTLM authentication
> responses, but it accepts NTLMv2".
>
> ntlm_auth.c:
>     request.data.auth_crap.logon_parameters =
>         MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT |
>         MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT | MSV1_0_ALLOW_MSVCHAPV2;

Thanks. I'll try and sort this out, and check if NTLM2 session security
(NTLMSSP) also sets this. Shouldn't be too hard with a Windows member
of Samba4.

I'm sorry this has taken so many years.

Andrew Bartlett

--
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
