Hi,

we have updated our samba AD domain from 4.4.x to 4.5.x. The release notes for 4.5.0 included "NTLMv1 authentication disabled by default". So we had to enable it to get our radius (freeradius) server working (for 802.1x).

What would be the best way to change the freeradius configuration in such a way that we can disable NTLMv1 again? The radius server is used for WLAN (802.1x) and for VPN.

How insecure is NTLMv1?

-- 
Bye, Peer
________________________________________________________
Max-Planck-Institut für Biogeochemie
Dr. Peer-Joachim Koch
Hans-Knöll Str.10        Telefon: ++49 3641 57-6705
D-07745 Jena             Telefax: ++49 3641 57-7705
On Mon, 26 Mar 2018 14:06:24 +0200 "Dr. Peer-Joachim Koch via samba" <samba at lists.samba.org> wrote:
> Hi,
>
> we have updated our samba AD domain from 4.4.x to 4.5.x.
>
> The release notes for 4.5.0 included "NTLMv1 authentication disabled
> by default".
>
> So we had to enable it to get our radius (freeradius) server working
> (for 802.1x).

You would probably be better off asking freeradius.

> What would be the best way to change the freeradius configuration in
> such a way,
>
> that we can disable NTLMv1 again.
>
> The radius server is used for WLAN (802.1x) and for VPN.
>
> How insecure is NTLMv1 ?

Have you ever heard of 'wannacry'? Or, to put it another way, 'VERY insecure'.

Rowland
It is an issue that I myself would also like to solve. I found multiple threads in the samba and freeradius mailing lists. It seems that every couple of months there is a question like this, either here or on the FR mailing list, and all point down to the same issue, that is: freeradius uses ntlm_auth (even when using winbind with newer freeradius versions, in the end it also uses ntlm_auth). And since mschapv2 is needed for eap-peap, it has to use ntlmv1.

The only solution that I read about, but have not actually tested, is in this old thread:
https://lists.samba.org/archive/samba/2012-March/166496.html

I'm not sure if it works, or whether there is some other workaround. As far as I understand there is a special "flag" that can be sent by freeradius that will force an ntlmv1-mschapv2 response from the AD DC even if ntlmv1 is disabled overall; that is how Microsoft supposedly solved it with their AD/NPS implementation.

Maybe someone here will have better advice?

Regards,
Kacper Wirski
Also I just facepalmed, as I double checked smb.conf right after sending the mail, and in samba 4.7 there are new options available for "ntlm auth", as stated in the docs:

mschapv2-and-ntlmv2-only - Only allow NTLMv1 when the client promises that it is providing MSCHAPv2 authentication (such as the ntlm_auth tool).

So that is, I suppose, that special "flag" that is used by Microsoft NPS/AD. I think I tested it before, but couldn't get it to work and had to go back to "ntlmv1-permitted". I'll test it out later today and give some feedback if needed.

Regards,
Kacper Wirski
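A worked configuration for the Samba 4.7 option named above, added here as an illustration and not taken from the thread or from either project's documentation. The file paths are assumptions; the ntlm_auth command line follows the shape of the stock freeradius mschap module, and --allow-mschapv2 is the ntlm_auth switch that makes the MSCHAPv2 promise the DC-side setting requires.

```conf
# --- /etc/samba/smb.conf on the Samba AD DC (Samba 4.7 or later) ---
[global]
    # Weak: any client may authenticate with NTLMv1, for any purpose.
    #ntlm auth = ntlmv1-permitted

    # Preferred: NTLMv1 is answered only when the caller (ntlm_auth)
    # promises the exchange is MSCHAPv2; plain NTLMv1 logons are refused.
    ntlm auth = mschapv2-and-ntlmv2-only

# --- freeradius mods-available/mschap (path assumed) ---
mschap {
    # --allow-mschapv2 makes the promise that the smb.conf setting above
    # checks for; without it the DC refuses the NTLMv1 response and
    # EAP-PEAP/MSCHAPv2 logons fail exactly as before.
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --allow-mschapv2 --domain=%{mschap:NT-Domain} --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
}
```

This narrows who may obtain an NTLMv1-style answer from the DC rather than strengthening MSCHAPv2 itself, whose DES-based NT-Response remains weak; the PEAP TLS tunnel is what keeps that exchange off the air.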
On Mon, 2018-03-26 at 13:37 +0100, Rowland Penny via samba wrote:
> Have you ever heard of 'wannacry' ? or to put it another way 'VERY
> insecure'

To be clear, NTLMv1 and wannacry are unrelated. (Wannacry/wannacrypt used an SMBv1 exploit, but NTLMv1 is negotiable without SMBv1.)

NTLMv1 is quite insecure, in that it was 24 hours and 100 USD of cloud credit to crack a couple of years back.

Avoiding both is of course still a really good idea. SMBv1 isn't so much an insecure protocol as that SMBv2 has the fortune of being implemented more recently, after coding techniques improved both in the Samba Team and at Microsoft (and SMBv2 has some good security features in the more recent versions). So, retiring SMBv1 allows us to retire a lot of code that was written in the 1990s, which is a good thing.

I hope this clarifies things,

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba