> You said earlier that you have set ntlm auth = mschapv2-and-ntlmv2-only

Yes, I found that here: https://wiki.samba.org/index.php/Authenticating_Freeradius_against_Active_Directory

> This means to reject NTLMv1, which MSCHAPv2 is cryptographically, unless the
> client makes special pleading that it used MSCHAPv2 with its client.
>
> This is related to the missing ntlm_auth option --allow-mschapv2

I've got that option in my ntlm_auth command:

(21) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --username=%{%{mschap:User-Name}:-00} --allow-mschapv2 --domain=lambrook --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}:

So, why when I use --allow-mschapv2 is the DC telling me it's rejecting the request because it's NTLMv1? Have I missed a setting somewhere?

Thank you,
Tim
On 04-04-2023 at 10:09, Tim ODriscoll wrote:
> > You said earlier that you have set ntlm auth = mschapv2-and-ntlmv2-only
>
> Yes, I found that here:
> https://wiki.samba.org/index.php/Authenticating_Freeradius_against_Active_Directory
>
> > This means to reject NTLMv1, which MSCHAPv2 is cryptographically, unless the
> > client makes special pleading that it used MSCHAPv2 with its client.
> >
> > This is related to the missing ntlm_auth option --allow-mschapv2
>
> I've got that option in my ntlm_auth command:
> (21) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key
> --username=%{%{mschap:User-Name}:-00} --allow-mschapv2
> --domain=lambrook --challenge=%{%{mschap:Challenge}:-00}
> --nt-response=%{%{mschap:NT-Response}:-00}:
>
> So, why when I use --allow-mschapv2 is the DC telling me it's
> rejecting the request because it's NTLMv1? Have I missed a setting
> somewhere?
>
> Thank you,
> Tim

There are more places where mschap is configured. Did you look at mods-enabled/eap or the inner-tunnel configuration?
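Why the DC sees an MSCHAPv2 exchange as "NTLMv1" is worth seeing in code. The following is an added example written for this page, not code from FreeRADIUS, Samba or any participant in the thread. It implements the two RFC 2759 primitives (ChallengeHash, NT-Response) in Go with only the standard library and checks them against the RFC 2759 section 9.2 test vector. Because MD4 is not in Go's standard library, the NT password hash is taken directly from that test vector rather than computed. The ntlm_auth parameter names in the comments are those from the command line quoted above; how rlm_mschap fills them is stated as an assumption.

```go
package main

import (
	"bytes"
	"crypto/des"
	"crypto/sha1"
	"encoding/hex"
	"fmt"
)

// RFC 2759 section 9.2 test vector (constructed from the RFC, not from the thread).
var (
	tvUser     = []byte("User")
	tvAuthChal = mustHex("5B5D7C7D7B3F2F3E3C2C602132262628") // 16-byte authenticator challenge
	tvPeerChal = mustHex("21402324255E262A28295F2B3A337C7E") // 16-byte peer challenge
	// MD4(UTF-16LE("clientPass")). Assumption: taken from the RFC because MD4 is not in Go's stdlib.
	tvNTHash = mustHex("44EBBA8D5312B8D611474411F56989AE")
	tvNTResp = mustHex("82309ECD8D708B5EA08FAA3981CD83544233114A3D85D6DF")
)

func mustHex(s string) []byte {
	b, err := hex.DecodeString(s)
	if err != nil {
		panic(err)
	}
	return b
}

// desKey spreads 7 key bytes over 8 bytes so each byte carries 7 key bits
// plus a parity bit (the parity bit is left as 0; DES ignores it).
func desKey(k []byte) []byte {
	return []byte{
		k[0],
		k[0]<<7 | k[1]>>1,
		k[1]<<6 | k[2]>>2,
		k[2]<<5 | k[3]>>3,
		k[3]<<4 | k[4]>>4,
		k[4]<<3 | k[5]>>5,
		k[5]<<2 | k[6]>>6,
		k[6] << 1,
	}
}

// NTLMv1Response is the classic NTLMv1 NT response: the 16-byte NT hash is
// zero-padded to 21 bytes, cut into three 7-byte DES keys, and each key
// encrypts the same 8-byte challenge, giving 24 bytes.
func NTLMv1Response(ntHash, challenge []byte) ([]byte, error) {
	if len(ntHash) != 16 || len(challenge) != 8 {
		return nil, fmt.Errorf("need 16-byte NT hash and 8-byte challenge")
	}
	padded := make([]byte, 21)
	copy(padded, ntHash)
	out := make([]byte, 0, 24)
	for i := 0; i < 3; i++ {
		c, err := des.NewCipher(desKey(padded[7*i : 7*i+7]))
		if err != nil {
			return nil, err
		}
		block := make([]byte, 8)
		c.Encrypt(block, challenge)
		out = append(out, block...)
	}
	return out, nil
}

// ChallengeHash is RFC 2759 section 8.2: the 8 bytes MSCHAPv2 actually signs
// are SHA1(PeerChallenge || AuthenticatorChallenge || UserName)[0:8].
func ChallengeHash(peer, auth, user []byte) []byte {
	h := sha1.New()
	h.Write(peer)
	h.Write(auth)
	h.Write(user)
	return h.Sum(nil)[:8]
}

// MSCHAPv2NTResponse is RFC 2759 section 8.1. It is nothing more than the
// NTLMv1 response computed over ChallengeHash instead of a raw server challenge.
func MSCHAPv2NTResponse(ntHash, peer, auth, user []byte) ([]byte, error) {
	return NTLMv1Response(ntHash, ChallengeHash(peer, auth, user))
}

func main() {
	ch := ChallengeHash(tvPeerChal, tvAuthChal, tvUser)
	resp, err := MSCHAPv2NTResponse(tvNTHash, tvPeerChal, tvAuthChal, tvUser)
	if err != nil {
		panic(err)
	}
	// Assumption: rlm_mschap passes exactly these two values to ntlm_auth as
	// --challenge (8 bytes) and --nt-response (24 bytes). The DC therefore
	// receives an NTLMv1-shaped response and needs --allow-mschapv2 to accept it
	// under ntlm auth = mschapv2-and-ntlmv2-only.
	fmt.Printf("--challenge=%X\n", ch)
	fmt.Printf("--nt-response=%X\n", resp)
	fmt.Println("matches RFC 2759 vector:", bytes.Equal(resp, tvNTResp))
}
```

The point for the thread: with `ntlm auth = mschapv2-and-ntlmv2-only`, the DC rejects any 24-byte DES-over-8-byte-challenge response unless ntlm_auth asserts via `--allow-mschapv2` that the 8 bytes are an MSCHAPv2 ChallengeHash; if the DC still reports "NTLMv1", either the option is not reaching the DC or the DC is not running the configuration you think it is.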
Dear All,

Well, this is very embarrassing....

It seems that running 'smbcontrol all reload-config' isn't sufficient for reloading the ntlm config parameters. I tried restarting the whole samba service on the DC my FR box was authenticating against (systemctl restart sernet-samba-ad) and my test laptop is now connected to the network on the correct VLAN.

I apologise for wasting everyone's time - now I'll get back to cleaning up all the config files and making sure BYOD still works etc.

Thank you,
Tim