Re: FW: [Samba] MSCHAPv2 microsoft client/linux/Active Directory
On Wed, Nov 05, 2003 at 07:21:50AM -0700, Ron Wahler wrote:
> Agreed this would be nice and the only option at this point
> is to proxy the radius request to IAS.

Or to 'fix' FreeRADIUS. :-)

> Is there a link to read up on ntlm_auth ?

There is a manpage, which is better in Samba 3.0.0pre1. Other than that, read the source in source/utils/ntlm_auth.c and my paper that I quoted at the start of this thread.

http://hawkerc.net/staff/abartlet/comp3700

Andrew Bartlett

--
To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
RE: FW: [Samba] MSCHAPv2 microsoft client/linux/Active Directory
Agreed this would be nice and the only option at this point is to proxy the radius request to IAS.

Is there a link to read up on ntlm_auth ?

Ron.

> -Original Message-
> From: Andrew Bartlett [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, November 04, 2003 3:33 PM
> To: Ron Wahler
> Cc: [EMAIL PROTECTED]
> Subject: Re: FW: [Samba] MSCHAPv2 microsoft client/linux/Active Directory
>
> On Tue, Nov 04, 2003 at 08:04:07AM -0700, Ron Wahler wrote:
> >
> > The authentication request comes in over RADIUS to the linux box.
> > I then need a way to authenticate to Active Directory with MS-CHAPv2
> > passwords.
> > I currently use LDAP binds to authenticate the user, but that does not
> > work with MS-CHAPv2.
>
> Your options are to either use the MS RADIUS server (IAS I think it is
> called) or to help create a plugin from FreeRADIUS that calls
> ntlm_auth. I don't think it could be really that hard...
>
> I want to see this work, so if there is any help I can provide (in
> particular on how to use ntlm_auth) then just yell. The same applies
> to any FreeRADIUS developers you manage to rope into this :-)
>
> Andrew Bartlett
Re: FW: [Samba] MSCHAPv2 microsoft client/linux/Active Directory
On Tue, Nov 04, 2003 at 08:04:07AM -0700, Ron Wahler wrote:
>
> The authentication request comes in over RADIUS to the linux box.
> I then need a way to authenticate to Active Directory with MS-CHAPv2
> passwords.
> I currently use LDAP binds to authenticate the user, but that does not
> work with MS-CHAPv2.

Your options are to either use the MS RADIUS server (IAS I think it is called) or to help create a plugin from FreeRADIUS that calls ntlm_auth. I don't think it could be really that hard...

I want to see this work, so if there is any help I can provide (in particular on how to use ntlm_auth) then just yell. The same applies to any FreeRADIUS developers you manage to rope into this :-)

Andrew Bartlett
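The hand-off suggested in the message above, as an added example that is not part of the thread and is not Samba or FreeRADIUS code: a RADIUS-side helper reduces the MS-CHAPv2 exchange to the 8-octet challenge and 24-octet NT response that ntlm_auth takes on its command line, then reads the key it returns. The function names and the EXAMPLE domain are hypothetical; the sample values are the RFC 2759 section 9.2 test vectors, and the options are assumed to match the installed ntlm_auth manpage.

```python
import hashlib

# RFC 2759 section 9.2 test vectors (user "User"), used here as sample input.
AUTH_CHALLENGE = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")
PEER_CHALLENGE = bytes.fromhex("21402324255E262A28295F2B3A337C7E")
NT_RESPONSE = bytes.fromhex("82309ECD8D708B5EA08FAA3981CD83544233114A3D85D6DF")


def bare_username(username):
    """Strip a DOMAIN\\ prefix; RFC 2759 hashes only the user part."""
    return username.rsplit("\\", 1)[-1]


def challenge_hash(peer_challenge, auth_challenge, username):
    """RFC 2759 ChallengeHash: first 8 octets of SHA1(peer || auth || user)."""
    if len(peer_challenge) != 16 or len(auth_challenge) != 16:
        raise ValueError("MS-CHAPv2 challenges must be 16 octets")
    data = peer_challenge + auth_challenge + bare_username(username).encode("utf-8")
    return hashlib.sha1(data).digest()[:8]


def ntlm_auth_argv(username, peer_challenge, auth_challenge, nt_response,
                   domain=None, binary="ntlm_auth"):
    """Build the ntlm_auth command as an argv list (never a shell string,
    so a hostile user name cannot inject shell syntax)."""
    if len(nt_response) != 24:
        raise ValueError("NT-Response must be 24 octets")
    chal = challenge_hash(peer_challenge, auth_challenge, username)
    argv = [binary, "--request-nt-key",
            "--username=" + bare_username(username),
            "--challenge=" + chal.hex(),
            "--nt-response=" + nt_response.hex()]
    if domain:
        argv.append("--domain=" + domain)  # hypothetical domain name
    return argv


def parse_nt_key(stdout):
    """Return the 16-octet key from an 'NT_KEY: <hex>' line, or None on failure."""
    for line in stdout.splitlines():
        if line.startswith("NT_KEY: "):
            try:
                key = bytes.fromhex(line[len("NT_KEY: "):].strip())
            except ValueError:
                return None
            return key if len(key) == 16 else None
    return None


if __name__ == "__main__":
    print(ntlm_auth_argv("EXAMPLE\\User", PEER_CHALLENGE, AUTH_CHALLENGE,
                         NT_RESPONSE, domain="EXAMPLE"))
```

The helper never sees the user's password: the domain controller validates the response through winbind, which is why the machine must be joined to the domain.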
RE: [Samba] MSCHAPv2 microsoft client/linux/Active Directory
So the authentication path looks like this.

Windows XP -> Access Point -> RADIUS -> LINUX/FreeRadius/samba -> (ldap) Active Directory Server.

But I want to do this with MS-CHAPv2 password encryption not PAP. I have this working with TTLS/PAP. And want to do it with PEAP/mschap.

Ron.

> -Original Message-
> From: Ron Wahler
> Sent: Tuesday, November 04, 2003 8:04 AM
> To: [EMAIL PROTECTED]
> Subject: FW: [Samba] MSCHAPv2 microsoft client/linux/Active Directory
>
> The authentication request comes in over RADIUS to the linux box.
> I then need a way to authenticate to Active Directory with MS-CHAPv2
> passwords.
> I currently use LDAP binds to authenticate the user, but that does not
> work with MS-CHAPv2.
>
> > -Original Message-
> > From: Andrew Bartlett [mailto:[EMAIL PROTECTED]
> > Sent: Friday, October 31, 2003 3:39 PM
> > To: Ron Wahler
> > Cc: [EMAIL PROTECTED]
> > Subject: Re: FW: [Samba] MSCHAPv2 microsoft client/linux/Active Directory
> >
> > On Sat, 2003-11-01 at 07:58, Ron Wahler wrote:
> > >
> > > I don't want to use a VPN to solve this one.
> >
> > So this is for dial-in only?
> >
> > > I am really wondering with (samba 3.x) when the linux box become part of
> > > the AD domain does it get a special privileges?
> >
> > Its machine trust account gains privileges to validate NTLM (and
> > MSCHAP/MSCHAPv2) authentication attempts against the DC, as well as any
> > other rights you grant it.
> >
> > I have been implementing a system that allows pppd to authenticate
> > against an NT (and AD) domain controller, using MSCHAP/MSCHAPv2.
> >
> > It will find a better home sometime, but my working copy is at:
> >
> > http://hawkerc.net/staff/abartlet/comp3700
> >
> > It is a patch for pppd, to use Samba 3.0's winbind, and ntlm_auth to
> > perform this authentication.
> >
> > Andrew Bartlett
> >
> > > > Hi, I am not sure if I understand your needs, but maybe this helps
> > > > these links guide you to set up a pptp server and client for linux
> > > > http://www.poptop.org/
> > > > http://pptpclient.sourceforge.net/
> > > > there are patches to use smbpasswd to auth
> > > > users which are connected via pptpd
> > > > and MSCHAPv2 with domain
> > > > the pptp client should work for login in ras servers
> > > > radius should work too ( radius auth to ldap should work )
> > > > good Luck
> >
> > --
> > Andrew Bartlett [EMAIL PROTECTED]
> > Manager, Authentication Subsystems, Samba Team [EMAIL PROTECTED]
> > Student Network Administrator, Hawker College [EMAIL PROTECTED]
> > http://samba.org http://build.samba.org http://hawkerc.net
FW: [Samba] MSCHAPv2 microsoft client/linux/Active Directory
The authentication request comes in over RADIUS to the linux box. I then need a way to authenticate to Active Directory with MS-CHAPv2 passwords. I currently use LDAP binds to authenticate the user, but that does not work with MS-CHAPv2.

> -Original Message-
> From: Andrew Bartlett [mailto:[EMAIL PROTECTED]
> Sent: Friday, October 31, 2003 3:39 PM
> To: Ron Wahler
> Cc: [EMAIL PROTECTED]
> Subject: Re: FW: [Samba] MSCHAPv2 microsoft client/linux/Active Directory
>
> On Sat, 2003-11-01 at 07:58, Ron Wahler wrote:
> >
> > I don't want to use a VPN to solve this one.
>
> So this is for dial-in only?
>
> > I am really wondering with (samba 3.x) when the linux box become part of
> > the AD domain does it get a special privileges?
>
> Its machine trust account gains privileges to validate NTLM (and
> MSCHAP/MSCHAPv2) authentication attempts against the DC, as well as any
> other rights you grant it.
>
> I have been implementing a system that allows pppd to authenticate
> against an NT (and AD) domain controller, using MSCHAP/MSCHAPv2.
>
> It will find a better home sometime, but my working copy is at:
>
> http://hawkerc.net/staff/abartlet/comp3700
>
> It is a patch for pppd, to use Samba 3.0's winbind, and ntlm_auth to
> perform this authentication.
>
> Andrew Bartlett
>
> > > Hi, I am not sure if I understand your needs, but maybe this helps
> > > these links guide you to set up a pptp server and client for linux
> > > http://www.poptop.org/
> > > http://pptpclient.sourceforge.net/
> > > there are patches to use smbpasswd to auth
> > > users which are connected via pptpd
> > > and MSCHAPv2 with domain
> > > the pptp client should work for login in ras servers
> > > radius should work too ( radius auth to ldap should work )
> > > good Luck
>
> --
> Andrew Bartlett [EMAIL PROTECTED]
> Manager, Authentication Subsystems, Samba Team [EMAIL PROTECTED]
> Student Network Administrator, Hawker College [EMAIL PROTECTED]
> http://samba.org http://build.samba.org http://hawkerc.net
Re: FW: [Samba] MSCHAPv2 microsoft client/linux/Active Directory
On Sat, 2003-11-01 at 07:58, Ron Wahler wrote:
>
> I don't want to use a VPN to solve this one.

So this is for dial-in only?

> I am really wondering with (samba 3.x) when the linux box become part of
> the AD domain does it get a special privileges?

Its machine trust account gains privileges to validate NTLM (and MSCHAP/MSCHAPv2) authentication attempts against the DC, as well as any other rights you grant it.

I have been implementing a system that allows pppd to authenticate against an NT (and AD) domain controller, using MSCHAP/MSCHAPv2.

It will find a better home sometime, but my working copy is at:

http://hawkerc.net/staff/abartlet/comp3700

It is a patch for pppd, to use Samba 3.0's winbind, and ntlm_auth to perform this authentication.

Andrew Bartlett

> > Hi, I am not sure if I understand your needs, but maybe this helps
> > these links guide you to set up a pptp server and client for linux
> > http://www.poptop.org/
> > http://pptpclient.sourceforge.net/
> > there are patches to use smbpasswd to auth
> > users which are connected via pptpd
> > and MSCHAPv2 with domain
> > the pptp client should work for login in ras servers
> > radius should work too ( radius auth to ldap should work )
> > good Luck

--
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team [EMAIL PROTECTED]
Student Network Administrator, Hawker College [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net
FW: [Samba] MSCHAPv2 microsoft client/linux/Active Directory
I don't want to use a VPN to solve this one.

I am really wondering with (samba 3.x) when the linux box become part of the AD domain does it get a special privileges?

> Hi, I am not sure if I understand your needs, but maybe this helps
> these links guide you to set up a pptp server and client for linux
> http://www.poptop.org/
> http://pptpclient.sourceforge.net/
> there are patches to use smbpasswd to auth
> users which are connected via pptpd
> and MSCHAPv2 with domain
> the pptp client should work for login in ras servers
> radius should work too ( radius auth to ldap should work )
> good Luck
Re: [Samba] MSCHAPv2 microsoft client/linux/Active Directory
Hi, I am not sure if I understand your needs, but maybe this helps
these links guide you to set up a pptp server and client for linux
http://www.poptop.org/
http://pptpclient.sourceforge.net/
there are patches to use smbpasswd to auth
users which are connected via pptpd
and MSCHAPv2 with domain
the pptp client should work for login in ras servers
radius should work too ( radius auth to ldap should work )
good Luck

- Original Message -
From: "Ron Wahler" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, October 31, 2003 3:39 PM
Subject: [Samba] MSCHAPv2 microsoft client/linux/Active Directory

Hello all,

I was not able to find much on this in the archives so I hope someone can help me with this.

Can samba 3.x help the authentication of a Microsoft client authenticating with MSCHAPv2 passwords to my linux box which we use to authenticate a user stored on a Microsoft Active Directory server? The authentication request comes in through RADIUS which I can convert to LDAP, but that only works with clear passwords to Active Directory. I still need to complete the MSCHAP challenge/response through RADIUS, which freeRadius can help me with... maybe.

If I use the smbpasswd command and become a member of the domain will it give me any special privileges, say with LDAP, to allow mschap password authentication? The linux box only acts as an authentication gateway, the users do not need linux accounts, I only wish to authenticate the users.

How else could I authenticate the user besides LDAP? Has anyone else tried to do something like this ? Any discussion would be helpful.

Thanks,
Ron.
[Samba] MSCHAPv2 microsoft client/linux/Active Directory
Hello all,

I was not able to find much on this in the archives so I hope someone can help me with this.

Can samba 3.x help the authentication of a Microsoft client authenticating with MSCHAPv2 passwords to my linux box which we use to authenticate a user stored on a Microsoft Active Directory server? The authentication request comes in through RADIUS which I can convert to LDAP, but that only works with clear passwords to Active Directory. I still need to complete the MSCHAP challenge/response through RADIUS, which freeRadius can help me with... maybe.

If I use the smbpasswd command and become a member of the domain will it give me any special privileges, say with LDAP, to allow mschap password authentication? The linux box only acts as an authentication gateway, the users do not need linux accounts, I only wish to authenticate the users.

How else could I authenticate the user besides LDAP? Has anyone else tried to do something like this ? Any discussion would be helpful.

Thanks,
Ron.