barış tombul
2016-Apr-15 11:06 UTC
[Samba] samba 4.4.2 freeradius authentication with ntlm_auth
Hi;

Samba team say "It is recommended that administrators set these additional options, if compatible with their network environment:"

ntlm auth = no

I use samba with FreeRadius. I configured "ntlm_ auth = no" but FreeRadius users cannot connect to wifi. I use ntlm_auth on the FreeRadius side..

best regards
Luca Olivetti
2016-Apr-15 11:45 UTC
[Samba] samba 4.4.2 freeradius authentication with ntlm_auth
On 15/04/16 at 13:06, barış tombul wrote:
> Hi;
> Samba team say "It is recommended that administrators set these additional
> options, if compatible with their network environment:"
>
> ntlm auth = no
>
> I use samba with FreeRadius.
>
> I configured "ntlm_ auth = no" but FreeRadius users cannot connect to wifi.
>
> I use ntlm_auth on the FreeRadius side..

I found this
http://freeradius.1045715.n5.nabble.com/NTLMv2-with-FreeRADIUS-td5726394.html

and this
http://freeradius.1045715.n5.nabble.com/definitive-info-on-authenticating-to-AD-via-NTLMv2-td5719249.html

"The problem here is that Samba doesn't have any way to set
MSV1_0_ALLOW_MSVCHAPV2 when calling the relevant RPC. This is a trivial,
one-bit flag."

I don't know if this "trivial one-bit flag" made it into samba or not :-(

Bye
--
Luca Olivetti
Wetron Automation Technology http://www.wetron.es/
Tel. +34 93 5883004 (Ext.3010)
Fax +34 93 5883007
Luca Olivetti
2016-Apr-15 13:16 UTC
[Samba] samba 4.4.2 freeradius authentication with ntlm_auth
On 15/04/16 at 13:45, Luca Olivetti wrote:
> On 15/04/16 at 13:06, barış tombul wrote:
>> Hi;
>> Samba team say "It is recommended that administrators set these
>> additional options, if compatible with their network environment:"
>>
>> ntlm auth = no
>>
>> I use samba with FreeRadius.
>>
>> I configured "ntlm_ auth = no" but FreeRadius users cannot connect to
>> wifi.
>>
>> I use ntlm_auth on the FreeRadius side..
>
> I found this
> http://freeradius.1045715.n5.nabble.com/NTLMv2-with-FreeRADIUS-td5726394.html
>
> and this
> http://freeradius.1045715.n5.nabble.com/definitive-info-on-authenticating-to-AD-via-NTLMv2-td5719249.html
>
> "The problem here is that Samba doesn't have any way to set
> MSV1_0_ALLOW_MSVCHAPV2 when calling the relevant RPC. This is a trivial,
> one-bit flag."
>
> I don't know if this "trivial one-bit flag" made it into samba or not :-(

I checked the 4.4.1 sources and, no, it's not there.

Bye
--
Luca Olivetti
Wetron Automation Technology http://www.wetron.es/
Tel. +34 93 5883004 (Ext.3010)
Fax +34 93 5883007
Louis Munro
2016-Apr-15 13:17 UTC
[Samba] samba 4.4.2 freeradius authentication with ntlm_auth
> On Apr 15, 2016, at 7:45 , Luca Olivetti <luca at wetron.es> wrote:
>
> On 15/04/16 at 13:06, barış tombul wrote:
>> Hi;
>> Samba team say "It is recommended that administrators set these additional
>> options, if compatible with their network environment:"
>>
>> ntlm auth = no
>
> "The problem here is that Samba doesn't have any way to set
> MSV1_0_ALLOW_MSVCHAPV2 when calling the relevant RPC. This is a trivial,
> one-bit flag."
>
> I don't know if this "trivial one-bit flag" made it into samba or not :-(

I've also been reading the same posts since Tuesday, trying to figure out what the actual exposure is when running a (patched) AD and (patched) winbind.

It seems to come down to one question. Assuming ntlm_auth is sending NTLMv1 and that someone was able to intercept traffic between winbindd and Active-Directory, how secure is the encryption? Are we only relying on the hashing of the password? Or is there a more secure type of encryption between winbind and Active-Directory which prevents collecting traffic and then getting the passwords out using something like a rainbow table, as the badlock website seems to imply?

Does anyone know the answer to that one?

Regards,
--
Louis Munro
Andrew Bartlett
2016-Apr-15 19:06 UTC
[Samba] samba 4.4.2 freeradius authentication with ntlm_auth
On Fri, 2016-04-15 at 14:06 +0300, barış tombul wrote:
> Hi;
> Samba team say "It is recommended that administrators set these
> additional options, if compatible with their network environment:"
>
> ntlm auth = no
>
> I use samba with FreeRadius.
>
> I configured "ntlm_ auth = no" but FreeRadius users cannot connect to
> wifi.
>
> I use ntlm_auth on the FreeRadius side..

Yes, this really, really sucks. MSCHAPv2 is NTLM, not NTLMv2 based. This is despite NTLMv2 being around when they 'designed' this mechanism. Sadly no attempt has been made to somehow get an MSCHAPv3 in that uses NTLMv2.

On Windows, setting a special flag allows this horrible insecure mechanism to work on networks that otherwise only allow NTLMv2. Samba does not honour that flag, but I guess I'm going to need to add a 'ntlm_auth = only_for_mschapv2' setting.

In short, MSCHAPv2 protects the network perimeter, yet has worse security than you would dare to use even on a well-trusted network.

I realise it is often over TLS, but as with another of our CVEs, we know few clients check certificates, so this isn't any help.

I've been in presentations where they said they could crack it in 24 hours and $100 of cloud-compute time!

I don't know of a good solution here.

Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
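An added illustration of Andrew's point, not part of the thread and not Samba, winbind or FreeRADIUS code: the key-derivation steps of GenerateNTResponse from RFC 2759 written out in Python, fed with the RFC's own section 9.2 test vector (user "User", password "clientPass", the two 16-byte challenges given there as ASCII strings). MD4 is implemented inline because OpenSSL 3 ships it only in its legacy provider, so hashlib.new('md4') is frequently unavailable. The NT-Response is nothing but the 8-byte challenge hash DES-encrypted three times under keys cut from the zero-padded NT hash, so anyone holding a challenge/response pair is attacking a 16-byte MD4 hash and not the password exchange, and the third DES key carries only 16 secret bits. The DES encryption itself is left out; the shape of its keys is what the example is meant to show.

```python
"""Key-derivation steps of the MSCHAPv2 NT-Response (RFC 2759), written out to
show why the exchange is only ever as strong as the NT hash behind it.
Added illustration for this thread; it is not Samba, winbind or FreeRADIUS code."""
import hashlib
import struct

MASK = 0xFFFFFFFF
NT_HASH_LEN, DES_KEY_LEN, PAD_LEN = 16, 7, 5


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320). Used instead of hashlib.new('md4') because
    OpenSSL 3 only ships MD4 in its legacy provider, which is often disabled."""
    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z
    def rotl(x, n): return ((x << n) | (x >> (32 - n))) & MASK

    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (f, list(range(16)), (3, 7, 11, 19), 0),
        (g, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13), 0x5A827999),
        (h, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        r = list(state)
        for func, order, shifts, const in rounds:
            for i, k in enumerate(order):
                # Registers rotate (a,b,c,d) -> (d,a,b,c) -> (c,d,a,b) -> (b,c,d,a) each step.
                a, b, c, d = [(j - i) % 4 for j in range(4)]
                r[a] = rotl((r[a] + func(r[b], r[c], r[d]) + x[k] + const) & MASK, shifts[i % 4])
        state = [(s + t) & MASK for s, t in zip(state, r)]
    return struct.pack("<4I", *state)


def nt_password_hash(password: str) -> bytes:
    """NtPasswordHash: MD4 of the UTF-16LE password, i.e. the NT hash."""
    return md4(password.encode("utf-16-le"))


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: str) -> bytes:
    """ChallengeHash: first 8 bytes of SHA1(PeerChallenge || AuthenticatorChallenge || UserName)."""
    return hashlib.sha1(peer_challenge + auth_challenge + username.encode("ascii")).digest()[:8]


def split_nt_hash(nt_hash: bytes) -> list:
    """Zero-pad the 16-byte NT hash to 21 bytes and cut it into three 7-byte DES keys,
    exactly as GenerateNTResponse does before encrypting the challenge hash three times."""
    padded = nt_hash + b"\x00" * PAD_LEN
    return [padded[i:i + DES_KEY_LEN] for i in range(0, NT_HASH_LEN + PAD_LEN, DES_KEY_LEN)]


def expand_des_key(key7: bytes) -> bytes:
    """Insert odd-parity bits so 7 key bytes become the 8-byte key DES consumes."""
    bits = int.from_bytes(key7, "big")
    out = bytearray()
    for i in range(8):
        seven = (bits >> (49 - 7 * i)) & 0x7F
        out.append((seven << 1) | (0 if bin(seven).count("1") % 2 else 1))
    return bytes(out)


def secret_bits_per_key() -> list:
    """Bits of each DES key that come from the NT hash; the remainder is the fixed zero pad."""
    bits = []
    for start in range(0, NT_HASH_LEN + PAD_LEN, DES_KEY_LEN):
        from_hash = max(0, min(NT_HASH_LEN, start + DES_KEY_LEN) - start)
        bits.append(8 * from_hash)
    return bits


def describe(username: str, password: str, peer_challenge: bytes, auth_challenge: bytes) -> dict:
    """Everything the NT-Response depends on, and how much of each DES key is actually secret."""
    nt_hash = nt_password_hash(password)
    return {
        "challenge": challenge_hash(peer_challenge, auth_challenge, username),
        "nt_hash": nt_hash,
        "des_keys": [expand_des_key(k) for k in split_nt_hash(nt_hash)],
        "secret_bits": secret_bits_per_key(),
    }


if __name__ == "__main__":
    # Test vector from RFC 2759 section 9.2; the challenges are the ASCII strings given there.
    info = describe("User", "clientPass", b"!@#$%^&*()_+:3|~", b"[]|}{?/><,`!2&&(")
    print("8-byte challenge hash :", info["challenge"].hex())
    print("NT hash               :", info["nt_hash"].hex())
    for n, (key, bits) in enumerate(zip(info["des_keys"], info["secret_bits"]), 1):
        print(f"DES key {n}: {key.hex()}  ({bits} secret bits from the NT hash)")
```

Running it prints the RFC's challenge hash and password hash and then the three expanded DES keys, the last of which ends in five parity-only 0x01 bytes. That last key is the reason the mechanism is treated as NTLMv1-grade: the same 8-byte plaintext is encrypted under three keys, and the design gives nothing beyond the NT hash for an observer to have to recover, which is why Andrew's remark about TLS only helping when clients actually validate the server certificate matters for any MSCHAPv2 deployment.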
Louis Munro
2016-Apr-15 21:48 UTC
[Samba] samba 4.4.2 freeradius authentication with ntlm_auth
> On Apr 15, 2016, at 15:06 , Andrew Bartlett <abartlet at samba.org> wrote:
>
> Yes, this really, really sucks. MSCHAPv2 is NTLM, not NTLMv2 based.
> This is despite NTLMv2 being around when they 'designed' this
> mechanism. Sadly no attempt has been made to somehow get an MSCHAPv3
> in that uses NTLMv2.
>
> On Windows, setting a special flag allows this horrible insecure
> mechanism to work on networks that otherwise only allow NTLMv2. Samba
> does not honour that flag, but I guess I'm going to need to add a
> 'ntlm_auth = only_for_mschapv2' setting.
>
> In short, MSCHAPv2 protects the network perimeter, yet has worse
> security than you would dare to use even on a well-trusted network.
>
> I realise it is often over TLS, but as with another of our CVEs, we
> know few clients check certificates, so this isn't any help.
>
> I've been in presentations where they said they could crack it in 24
> hours and $100 of cloud-compute time!
>
> I don't know of a good solution here.

Hi Andrew,

Just to make sure I understand this thoroughly and that there is no ambiguity: I knew that MSCHAPv2 is easily broken these days. I also realize that in the case of FreeRADIUS the MSCHAPv2 authentication terminates at the radius server, inside a TLS tunnel.

The question for me then is how secure is the ntlmv1 going from FreeRADIUS (via winbind) to the Active Directory server? I am a bit afraid of the answer, to be honest. Should we start investing in IPsec for that part of the authentication?

Thank you for your help,
--
Louis Munro