Re: [Samba] Can ntlm_auth version 3.5.10 be used to perform ntlmv2 authentication against a w2008 DC?
On 03/03/2012 08:04, Andrew Bartlett wrote:

>> I've recently set up a Squeeze box with FR and samba. Have had to use backports repo since 3.5.6 didn't work and (IIRC) even 3.5.10 gave troubles. Upgrading to 3.5.11 solved.
>
> The big issue here is that MSCHAPv2 is not NTLMv2. It is only a little more secure than NTLM. There is a flag in logon_parameters that

the FR runs ntlm_auth to obtain NT key. So, IIUC, it should do an NTLMv2 auth in the last step. Am I wrong?

BYtE,
Diego.

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Can ntlm_auth version 3.5.10 be used to perform ntlmv2 authentication against a w2008 DC?
On Sat, 2012-03-03 at 12:16 +0100, NdK wrote:

> On 03/03/2012 08:04, Andrew Bartlett wrote:
>
>>> I've recently set up a Squeeze box with FR and samba. Have had to use backports repo since 3.5.6 didn't work and (IIRC) even 3.5.10 gave troubles. Upgrading to 3.5.11 solved.
>>
>> The big issue here is that MSCHAPv2 is not NTLMv2. It is only a little more secure than NTLM. There is a flag in logon_parameters that
>
> the FR runs ntlm_auth to obtain NT key. So, IIUC, it should do an NTLMv2 auth in the last step. Am I wrong?

MSCHAPv2 is a derivation of NTLM, not NTLMv2. FreeRADIUS sends the (effective) challenge (based on client and server chosen values, and salt), and the NT response. ntlm_auth returns the user session key to allow FreeRADIUS's client (the VPN endpoint etc) to encrypt the session. There is no way to 'upgrade' that to NTLMv2, as NTLMv2 is a different cryptosystem on input and output.

What you can however do is set a flag telling the DC 'pretend this was NTLMv2 for the purposes of the NTLMv2 only rule'. We need to work out if this is the right thing to do.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
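An added illustration, not part of the thread or of Samba/FreeRADIUS code, of the reply above: the MSCHAPv2 "effective challenge" and fixed-size NT response that go to ntlm_auth, next to the differently shaped NTLMv2 response. Function names are hypothetical, the MSCHAPv2 values are the RFC 2759 section 9.2 test vectors, and the NTLMv2 domain, server challenge and blob are constructed.

```python
import hashlib
import hmac

def mschapv2_challenge_hash(peer_chal: bytes, auth_chal: bytes, username: str) -> bytes:
    """RFC 2759 ChallengeHash(): the 8-byte 'effective challenge' for the NT response."""
    if len(peer_chal) != 16 or len(auth_chal) != 16:
        raise ValueError("both MSCHAPv2 challenges are 16 bytes")
    return hashlib.sha1(peer_chal + auth_chal + username.encode("ascii")).digest()[:8]

def ntlm_auth_argv(username: str, challenge: bytes, nt_response: bytes) -> list:
    """Arguments a RADIUS server passes to ntlm_auth for an MSCHAPv2 check."""
    if len(challenge) != 8 or len(nt_response) != 24:
        # NTLM-shaped input only: 8-byte challenge, fixed 24-byte response.
        raise ValueError("expected 8-byte challenge and 24-byte NT response")
    return ["ntlm_auth", "--request-nt-key",
            "--username=" + username,
            "--challenge=" + challenge.hex(),
            "--nt-response=" + nt_response.hex()]

def ntlmv2_response(nt_hash: bytes, username: str, domain: str,
                    server_chal: bytes, client_blob: bytes) -> bytes:
    """NTLMv2, for contrast: HMAC-MD5 proof followed by a variable-length blob."""
    identity = (username.upper() + domain).encode("utf-16-le")
    key = hmac.new(nt_hash, identity, hashlib.md5).digest()
    proof = hmac.new(key, server_chal + client_blob, hashlib.md5).digest()
    return proof + client_blob

# Test vectors from RFC 2759 section 9.2 (public test data, not from this thread).
PEER = bytes.fromhex("21402324255E262A28295F2B3A337C7E")
AUTH = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")
NT_HASH = bytes.fromhex("44EBBA8D5312B8D611474411F56989AE")
NT_RESPONSE = bytes.fromhex("82309ECD8D708B5E A08FAA3981CD8354 4233114A3D85D6DF")

if __name__ == "__main__":
    chal = mschapv2_challenge_hash(PEER, AUTH, "User")
    print(" ".join(ntlm_auth_argv("User", chal, NT_RESPONSE)))
    # Constructed NTLMv2 inputs: domain, server challenge and blob are made up.
    v2 = ntlmv2_response(NT_HASH, "User", "EXAMPLE", AUTH[:8], bytes(28))
    print("MSCHAPv2 response:", len(NT_RESPONSE), "bytes; NTLMv2:", len(v2), "bytes")
    try:
        ntlm_auth_argv("User", chal, v2)
    except ValueError as err:
        print("NTLMv2-shaped response rejected:", err)
```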
Re: [Samba] Can ntlm_auth version 3.5.10 be used to perform ntlmv2 authentication against a w2008 DC?
On 01/03/2012 22:09, Glenn Machin wrote:

> I am using freeradius2 which then calls ntlm_auth passing the nt-response and challenge generated as part of the peap mschapv2 exchange. However it does not seem to want to work. The version of samba I am using is samba3x-3.5.10.

I've recently set up a Squeeze box with FR and samba. Have had to use backports repo since 3.5.6 didn't work and (IIRC) even 3.5.10 gave troubles. Upgrading to 3.5.11 solved.

BYtE,
Diego.
Re: [Samba] Can ntlm_auth version 3.5.10 be used to perform ntlmv2 authentication against a w2008 DC?
On Fri, 2012-03-02 at 15:08 +0100, NdK wrote:

> On 01/03/2012 22:09, Glenn Machin wrote:
>
>> I am using freeradius2 which then calls ntlm_auth passing the nt-response and challenge generated as part of the peap mschapv2 exchange. However it does not seem to want to work. The version of samba I am using is samba3x-3.5.10.
>
> I've recently set up a Squeeze box with FR and samba. Have had to use backports repo since 3.5.6 didn't work and (IIRC) even 3.5.10 gave troubles. Upgrading to 3.5.11 solved.

The big issue here is that MSCHAPv2 is not NTLMv2. It is only a little more secure than NTLM. There is a flag in logon_parameters that the domain member can set (and which Samba should set) that indicates that this particular authentication should be regarded as NTLMv2 however. We need to confirm it should be set in this situation. (This is the same logon_parameters that carries the 'allow machine account authentication' flag).

I dislike the 'lie', but I'm very happy to review such a patch, I just keep forgetting to add the handling for this myself.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
[Samba] Can ntlm_auth version 3.5.10 be used to perform ntlmv2 authentication against a w2008 DC?
Can ntlm_auth version 3.5.10 be used to perform ntlmv2 authentication against a w2008 domain controller, where the policy is set to only allow ntlmv2?

I am using freeradius2 which then calls ntlm_auth passing the nt-response and challenge generated as part of the peap mschapv2 exchange. However it does not seem to want to work. The version of samba I am using is samba3x-3.5.10.

Glenn