Currently (Samba 4, NT-like domain) I use NTLM auth extensively in
FreeRADIUS and more mildly in Squid, respectively with:
Freeradius (mschap module):
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=SANVITO
--username=%{mschap:User-Name:-None} --challenge=%{mschap:Challenge:-00}
--nt-response=%{mschap:NT-Response:-00}"
squid3:
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
--domain=SANVITO --require-membership-of="SANVITO\\domusers"
I'm using Debian jessie, with Louis' backport packages, e.g.:
samba: 2:4.5.12+dfsg-2~bpo8+1
squid3: 3.4.8-6+deb8u4
freeradius: 2.2.5+dfsg-0.2+deb8u1
Two questions.
a) Do I have to expect troubles? E.g., has something changed between NT and AD
mode that can break all the stuff?
b) Is there some better way to integrate an AD domain with
squid/freeradius?
Thanks.
--
dott. Marco Gaiarin GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia''
http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it t +39-0434-842711 f +39-0434-842797
Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
(tax code 00307430132, category ONLUS or RICERCA SANITARIA)
On Wed, 2018-01-10 at 17:10 +0100, Marco Gaiarin via samba wrote:
> Currently (Samba 4, NT-like domain) I use NTLM auth extensively in
> FreeRADIUS and more mildly in Squid, respectively with:
>
> Freeradius (mschap module):
> ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=SANVITO --username=%{mschap:User-Name:-None} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
>
> squid3:
> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=SANVITO --require-membership-of="SANVITO\\domusers"
>
>
> I'm using Debian jessie, with Louis' backport packages, e.g.:
> samba: 2:4.5.12+dfsg-2~bpo8+1
> squid3: 3.4.8-6+deb8u4
> freeradius: 2.2.5+dfsg-0.2+deb8u1
>
>
> Two questions.
>
> a) Do I have to expect troubles? E.g., has something changed between NT and AD
> mode that can break all the stuff?
>
> b) Is there some better way to integrate an AD domain with
> squid/freeradius?

That all looks fine. In newer Samba versions NTLMv1 (as used in MSCHAPv2) is disabled by default, see the ntlm auth parameter for details.

Andrew Bartlett

--
Andrew Bartlett https://samba.org/~abartlet/
Authentication Developer, Samba Team https://samba.org
Samba Development and Support, Catalyst IT https://catalyst.net.nz/services/samba
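The practical consequence of Andrew's remark is that the smb.conf "ntlm auth" mode decides which of the two ntlm_auth consumers in Marco's setup keeps working: the FreeRADIUS mschap module asks ntlm_auth for the NTLMv1-style response (that is what --request-nt-key verifies), while Squid's squid-2.5-ntlmssp helper only passes NTLMSSP through and is fine with NTLMv2 clients. The script below is an added example written for this thread, not code from Samba, FreeRADIUS or Squid. It assumes the mode names documented for the "ntlm auth" parameter in smb.conf(5) of Samba 4.7 and later (ntlmv1-permitted/yes, ntlmv2-only/no, mschapv2-and-ntlmv2-only, disabled); the default it falls back to when the parameter is unset is an assumption passed in as an argument, so confirm the real value with `testparm -v` on the host. The sample configs are constructed.

```python
"""Added example: evaluate an smb.conf 'ntlm auth' setting and report which
ntlm_auth consumers (FreeRADIUS mschap, Squid NTLMSSP helper) it still serves."""
import re

# Spellings accepted by 'ntlm auth' (smb.conf(5), Samba 4.7+), mapped to a
# canonical mode name. 'yes'/'no' are the older boolean forms of the first two.
NTLM_AUTH_MODES = {
    "yes": "ntlmv1-permitted",
    "ntlmv1-permitted": "ntlmv1-permitted",
    "no": "ntlmv2-only",
    "ntlmv2-only": "ntlmv2-only",
    "mschapv2-and-ntlmv2-only": "mschapv2-and-ntlmv2-only",
    "disabled": "disabled",
}


def parse_smb_conf(text):
    """Minimal smb.conf parser: {section: {key: value}}. Keys are lower-cased with
    inner whitespace collapsed so 'NTLM  Auth' and 'ntlm auth' compare equal.
    Comment lines start with ';' or '#'; values run to end of line."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][" ".join(key.split()).lower()] = value.strip()
    return sections


def effective_ntlm_auth(text, default="ntlmv2-only"):
    """Canonical 'ntlm auth' mode for this smb.conf. `default` is what the running
    Samba applies when the parameter is unset (assumption: newer releases default
    to NTLMv2-only; verify with `testparm -v` rather than trusting this)."""
    value = parse_smb_conf(text).get("global", {}).get("ntlm auth", default)
    mode = NTLM_AUTH_MODES.get(value.strip().lower())
    if mode is None:
        raise ValueError(f"unknown 'ntlm auth' value: {value!r}")
    return mode


def consumer_status(mode):
    """Which ntlm_auth-based consumers work under `mode`.
    - FreeRADIUS mschap (ntlm_auth --request-nt-key) needs the NTLMv1-style
      response, so only ntlmv1-permitted or mschapv2-and-ntlmv2-only serve it.
    - Squid's squid-2.5-ntlmssp helper relays NTLMSSP: NTLMv2-capable clients
      work in every mode except 'disabled'; NTLMv1-only clients need
      ntlmv1-permitted."""
    return {
        "freeradius_mschapv2": mode in ("ntlmv1-permitted", "mschapv2-and-ntlmv2-only"),
        "squid_ntlmv2_clients": mode != "disabled",
        "squid_ntlmv1_clients": mode == "ntlmv1-permitted",
    }


def check(text, default="ntlmv2-only"):
    """Return (mode, consumer status) for an smb.conf text."""
    mode = effective_ntlm_auth(text, default)
    return mode, consumer_status(mode)


# Constructed sample configs (not taken from the thread).
LEGACY_CONF = """
[global]
    workgroup = SANVITO
    ; NTLMv1 for every client: the weakest setting
    ntlm auth = yes
"""
SILENT_DEFAULT_CONF = """
[global]
    workgroup = SANVITO
    ; 'ntlm auth' unset: whatever the installed Samba defaults to
"""
TARGETED_CONF = """
[global]
    workgroup = SANVITO
    ; NTLMv1 only when ntlm_auth promises it is for MSCHAPv2; SMB clients stay NTLMv2
    ntlm auth = mschapv2-and-ntlmv2-only
"""

if __name__ == "__main__":
    for name, conf in (("legacy", LEGACY_CONF),
                       ("unset", SILENT_DEFAULT_CONF),
                       ("targeted", TARGETED_CONF)):
        mode, status = check(conf)
        print(f"{name:9s} mode={mode:26s} {status}")
```

Run against the three samples it shows why a working 4.5 setup can stop serving FreeRADIUS after an upgrade while Squid keeps working: with the parameter unset and an NTLMv2-only default, `freeradius_mschapv2` is False and `squid_ntlmv2_clients` is True, whereas `mschapv2-and-ntlmv2-only` restores the mschap path without re-enabling NTLMv1 for ordinary SMB clients.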