Hello Andrew,

Do you plan to release the patch for the "ntlm auth = mschapv2-only" option soon? We need this in order to use freeradius in a "more safe" scenario than with "ntlm auth = yes".

Best regards,

Lulzim KELMENI
Direction des Systèmes d'Information
Mairie de Saint-Ouen

On 08/06/2017 21:36, Andrew Bartlett via samba wrote:
> On Thu, 2017-06-08 at 15:30 +0200, L.P.H. van Belle via samba wrote:
>> hai,
>> Please keep it mailing to the list, this way it shows up for others also.
>> A workaround for disabling SMBv1, you can make your server less secure but that's not what I would do.
>> Setting these to enable NTLM v1 again.
>> lanman auth = yes
>
> NEVER set this.
>
>> ntlm auth = yes
>
> This enables NTLMv1. To be clear, this isn't related to SMBv1. This
> is the only change required to re-enable MSCHAPv2. I plan to create a
> ntlm auth = mschapv2-only option (indeed I have been given such a
> patch) but I need to finish the test.
> raw NTLMv2 aut
>> n networks.
> I'm menti
> cause Samba folklore grows so quickly, and folks rapidly
> paste in whatever setting they find, even if they reduce security
> dramatically.
>
> Thanks,
>
> Andrew Bartlett
>
> --
> Andrew Bartlett http://samba.org/~abartlet/
> Authentication Developer, Samba Team http://samba.org
> Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
I think something needs to happen on this. The guys at freeradius are pushing this back as a samba issue.

I know of some commercial radius vendors who have done mschapv2 over DCERPC over tcp135 and higher ports rather than using ntlm. Not entirely sure of the mechanisms.

Thanks
Arnab

On 17 Oct 2017 2:10 pm, "Lulzim KELMENI via samba" <samba at lists.samba.org> wrote:
> Hello Andrew,
>
> Do you plan to release the patch for the "ntlm auth = mschapv2-only" option soon? We need this in order to use freeradius in a "more safe" scenario than with "ntlm auth = yes".
>
> Best regards,
>
> Lulzim KELMENI
> Direction des Systèmes d'Information
> Mairie de Saint-Ouen
>
> On 08/06/2017 21:36, Andrew Bartlett via samba wrote:
>> On Thu, 2017-06-08 at 15:30 +0200, L.P.H. van Belle via samba wrote:
>>> hai,
>>> Please keep it mailing to the list, this way it shows up for others also.
>>> A workaround for disabling SMBv1, you can make your server less secure but that's not what I would do.
>>> Setting these to enable NTLM v1 again.
>>> lanman auth = yes
>>
>> NEVER set this.
>>
>>> ntlm auth = yes
>>
>> This enables NTLMv1. To be clear, this isn't related to SMBv1. This
>> is the only change required to re-enable MSCHAPv2. I plan to create a
>> ntlm auth = mschapv2-only option (indeed I have been given such a
>> patch) but I need to finish the test.
>> raw NTLMv2 aut
>>> n networks.
>> I'm menti
>> cause Samba folklore grows so quickly, and folks rapidly
>> paste in whatever setting they find, even if they reduce security
>> dramatically.
>>
>> Thanks,
>>
>> Andrew Bartlett
>>
>> --
>> Andrew Bartlett http://samba.org/~abartlet/
>> Authentication Developer, Samba Team http://samba.org
>> Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
On Tue, 17 Oct 2017 14:52:51 +0200
Lulzim KELMENI via samba <samba at lists.samba.org> wrote:
> Hello Andrew,
>
> Do you plan to release the patch for the "ntlm auth = mschapv2-only" option soon? We need this in order to use freeradius in a "more safe" scenario than with "ntlm auth = yes".

He cannot release it, mainly because it has been released ;-)

If you go here:

https://wiki.samba.org/index.php/Samba_4.7_Features_added/changed#Parameter_changes

You will find this:

The 'ntlm auth' option default is renamed to 'ntlmv2-only', reflecting the previous behaviour. Two new values have been provided, 'mschapv2-and-ntlmv2-only' (allowing MSCHAPv2 while denying NTLMv1) and 'disabled', totally disabling NTLM authentication and password changes.

So, it looks like you need to upgrade to Samba 4.7.0

Rowland
Thank you Rowland for pointing me to this part of the release notes, which I had not read when 4.7 was released!

I will upgrade our test platform to 4.7 and test this.

Best regards,

Lulzim KELMENI
Direction des Systèmes d'Information
Mairie de Saint-Ouen

On 17/10/2017 16:52, Rowland Penny wrote:
> On Tue, 17 Oct 2017 14:52:51 +0200
> Lulzim KELMENI via samba <samba at lists.samba.org> wrote:
>> Hello Andrew,
>>
>> Do you plan to release the patch for the "ntlm auth = mschapv2-only" option soon? We need this in order to use freeradius in a "more safe" scenario than with "ntlm auth = yes".
>
> He cannot release it, mainly because it has been released ;-)
>
> If you go here:
>
> https://wiki.samba.org/index.php/Samba_4.7_Features_added/changed#Parameter_changes
>
> You will find this:
>
> The 'ntlm auth' option default is renamed to 'ntlmv2-only', reflecting
> the previous behaviour. Two new values have been provided,
> 'mschapv2-and-ntlmv2-only' (allowing MSCHAPv2 while denying NTLMv1) and
> 'disabled', totally disabling NTLM authentication and password changes.
>
> So, it looks like you need to upgrade to Samba 4.7.0
>
> Rowland
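As an added example (not code from this thread, and not part of Samba or FreeRADIUS), here is the weak smb.conf setting the thread warns against beside the Samba 4.7 value Rowland quotes, plus a small POSIX shell check that reads an smb.conf and reports which mode it is in. The two sample configs are constructed for the example. The value synonyms the check knows (yes/true meaning NTLMv1 is allowed, no/false meaning the same as ntlmv2-only) are the ones Samba's parameter parser accepts; the helper only reads the [global] section and does not follow include lines, so on a real host confirm the effective value with testparm as noted below.

```bash
#!/bin/sh
# Added example: weak vs. hardened "ntlm auth" settings, with a checker.
# The sample configs below are constructed for this example.

# WEAK: "ntlm auth = yes" turns NTLMv1 back on for every client that
# talks to this server, not only for the RADIUS MSCHAPv2 path.
WEAK_SMB_CONF='[global]
   workgroup = EXAMPLE
   realm = EXAMPLE.INTERNAL
   security = ads
   ntlm auth = yes
'

# HARDENED (Samba 4.7 and later): NTLMv1 stays refused; only the MSCHAPv2
# exchange that FreeRADIUS drives through the ntlm_auth helper is allowed
# in addition to NTLMv2.
HARDENED_SMB_CONF='[global]
   workgroup = EXAMPLE
   realm = EXAMPLE.INTERNAL
   security = ads
   ntlm auth = mschapv2-and-ntlmv2-only
'

# Print the "ntlm auth" value found in the [global] section of the
# smb.conf given on stdin. Samba ignores spaces inside parameter names
# and matches them case-insensitively, so the regex does too. When the
# key is absent the 4.7 default, ntlmv2-only, is printed.
ntlm_auth_value() {
    awk '
        /^[ \t]*\[/ {
            in_global = (tolower($0) ~ /^[ \t]*\[global\]/)
            next
        }
        in_global && tolower($0) ~ /^[ \t]*ntlm[ \t]*auth[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, "")
            sub(/[ \t\r]*$/, "")
            val = tolower($0)
        }
        END {
            if (val == "") val = "ntlmv2-only"
            print val
        }
    '
}

# Map a value to a verdict. yes/true and no/false are the synonyms Samba
# accepts for this enum parameter.
classify_ntlm_auth() {
    case "$1" in
        yes|true)
            echo "WEAK: NTLMv1 allowed for all clients" ;;
        no|false|ntlmv2-only)
            echo "OK: NTLMv1 refused (ntlm_auth MSCHAPv2 requests will also be refused)" ;;
        mschapv2-and-ntlmv2-only)
            echo "OK: NTLMv1 refused, MSCHAPv2 via ntlm_auth allowed" ;;
        disabled)
            echo "OK: NTLM authentication disabled entirely" ;;
        *)
            echo "UNKNOWN value: $1" ;;
    esac
}

# Read an smb.conf on stdin and print one line: the value and its verdict.
audit_smb_conf() {
    value=$(ntlm_auth_value)
    printf 'ntlm auth = %s -> %s\n' "$value" "$(classify_ntlm_auth "$value")"
}

# Usage: sh ntlm-auth-check.sh /etc/samba/smb.conf
if [ "$#" -gt 0 ]; then
    audit_smb_conf < "$1"
fi
```

On a live server, `testparm -s --parameter-name='ntlm auth'` prints the value Samba actually uses, including the default and anything pulled in through include lines, which this helper does not follow. On the FreeRADIUS side the mschap module invokes the ntlm_auth helper with --request-nt-key; recent ntlm_auth builds also carry an --allow-mschapv2 flag that the mschapv2-and-ntlmv2-only mode expects on that command line, so check `ntlm_auth --help` on your build before relying on the setting.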