Also I just facepalmed, as I double checked smb.conf right after sending mail, and in samba 4.7 there are new options available for "ntlm auth", as stated in docs:

'mschapv2-and-ntlmv2-only' - Only allow NTLMv1 when the client promises that it is providing MSCHAPv2 authentication (such as the 'ntlm_auth' tool).

So this is, I suppose, that special "flag" that is used by Microsoft NPS/AD. I think I tested it before, but couldn't get it to work and had to go back to "ntlmv1-permitted". I'll test it out later today and give some feedback if needed.

Regards,
Kacper Wirski

On 26.03.2018 at 14:37, Rowland Penny via samba wrote:
> On Mon, 26 Mar 2018 14:06:24 +0200
> "Dr. Peer-Joachim Koch via samba" <samba at lists.samba.org> wrote:
>
>> Hi,
>>
>> we have updated our samba AD domain from 4.4.x to 4.5.x.
>>
>> The release notes for 4.5.0 included "NTLMv1 authentication disabled by default".
>>
>> So we had to enable it to get our radius (freeradius) server working (for 802.1x).
>>
> You would probably be better off asking freeradius.
>
>> What would be the best way to change the freeradius configuration in such a way, that we can disable NTLMv1 again.
>>
>> The radius server is used for WLAN (802.1x) and for VPN.
>>
>> How insecure is NTLMv1?
>>
> Have you ever heard of 'wannacry'? Or to put it another way: 'VERY insecure'.
>
> Rowland
On 26 March 2018 at 14:31, Kacper Wirski via samba <samba at lists.samba.org> wrote:
> Also I just facepalmed, as I double checked smb.conf right after sending mail, and in samba 4.7 there are new options available for "ntlm auth", as stated in docs:
>
> 'mschapv2-and-ntlmv2-only' - Only allow NTLMv1 when the client promises that it is providing MSCHAPv2 authentication (such as the 'ntlm_auth' tool).
> [...]
> I'll test it out later today and give some feedback if needed.
>

I tried exactly this a few days ago, and couldn't get it working. Admittedly, I didn't spend too long on it, but I changed 'ntlm auth = yes' to 'ntlm auth = mschapv2-and-ntlmv2-only' but freeradius then didn't authenticate me.

Do let me know how it goes for you, I also thought that this setting would be much better for me.

Alternatively, if there is a way of setting 'ntlm auth' on a per-IP basis, then I could only enable it for the freeradius server. I wonder if I can add 'include = /usr/local/samba/etc/smb.conf.%I' and then include 'ntlm auth = yes' in a smb.conf just for the freeradius server. I will report back!

-- 
"If we knew what it was we were doing, it would not be called research, would it?" - Albert Einstein
On 26 March 2018 at 21:16, Jonathan Hunter <jmhunter1 at gmail.com> wrote:
>
> Alternatively, if there is a way of setting 'ntlm auth' on a per-IP basis, then I could only enable it for the freeradius server. I wonder if I can add 'include = /usr/local/samba/etc/smb.conf.%I' and then include 'ntlm auth = yes' in a smb.conf just for the freeradius server. I will report back!
>

I now realise I have no idea how ntlm-auth actually connects to samba, and whether this approach would work - i.e., what IP address does it come from, or does it use socket connections?

In my example, the Samba server is also the freeradius server, and uses one of the following two commands (I found ntlm_auth in two freeradius config files, not sure which one is used any more), but either way, I don't know how it would interact with any included smb.conf files.

/usr/local/samba/bin/ntlm_auth --request-nt-key --username=%{%{mschap:User-Name}:-%{%{User-Name}:-None}} --domain=%{%{mschap:NT-Domain}:-MYDOMAIN} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}

or

/usr/local/samba/bin/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}

Maybe I could somehow use ntlm-auth with "--option=ntlm-auth=yes"? The man page indicates I can set smb.conf options from the commandline. I'm just not sure how ntlm-auth works, i.e. does it talk to a running smbd (and hence use its smb.conf) or does it read the LDB files or similar and hence parse smb.conf itself?

-- 
"If we knew what it was we were doing, it would not be called research, would it?" - Albert Einstein
Ok, I finally could try it out, and it seems to actually work, but you need samba 4.7 on all machines, not only AD, but also the server with freeradius. I didn't get a chance to test it locally, that is samba AD + freeradius on the same server.

Setup: 4.7.6 AD server and 4.6.2 samba member + freeradius didn't work (got simple "nt_status_wrong_password") but: 4.7.6 AD and 4.7.1 samba + freeradius works just fine.

It's clearly visible in logs. While using "ntlm auth = yes" I was getting in audit log Authentication_passwordType = NTLMv1, but with ntlm auth = ntlmv2-and-mschap2-only audit log shows Authentication_passwordType as "MSCHAP2".

Not sure what's the case, maybe only starting with samba 4.7 ntlm_auth can send the correct flag?

Hope that helps.

On 26.03.2018 at 22:16, Jonathan Hunter via samba wrote:
> On 26 March 2018 at 14:31, Kacper Wirski via samba <samba at lists.samba.org> wrote:
>
>> Also I just facepalmed, as I double checked smb.conf right after sending mail, and in samba 4.7 there are new options available for "ntlm auth", as stated in docs:
>>
>> 'mschapv2-and-ntlmv2-only' - Only allow NTLMv1 when the client promises that it is providing MSCHAPv2 authentication (such as the 'ntlm_auth' tool).
>> [...]
>> I'll test it out later today and give some feedback if needed.
>>
> I tried exactly this a few days ago, and couldn't get it working. Admittedly, I didn't spend too long on it, but I changed 'ntlm auth = yes' to 'ntlm auth = mschapv2-and-ntlmv2-only' but freeradius then didn't authenticate me.
>
> Do let me know how it goes for you, I also thought that this setting would be much better for me.
>
> Alternatively, if there is a way of setting 'ntlm auth' on a per-IP basis, then I could only enable it for the freeradius server. I wonder if I can add 'include = /usr/local/samba/etc/smb.conf.%I' and then include 'ntlm auth = yes' in a smb.conf just for the freeradius server. I will report back!
>
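The thread's verification step is reading the passwordType in Samba's audit log. As an added example (not code from the thread or from the Samba project), here is a small Python checker that scans JSON auth audit lines after the switch to the stricter 'ntlm auth' setting, counts logons by passwordType and reports every client still recorded as NTLMv1, so leftover NTLMv1 sources (an older member server, a non-RADIUS client) can be found before NTLMv1 is turned off for good. The log lines are constructed, and the JSON field names are an assumption modelled on Samba's audit format.

```python
import json
from collections import Counter

# Constructed sample lines modelled on Samba's JSON authentication audit
# output; the field names used below are an assumption, not verified here.
SAMPLE_LOG = """\
JSON Authentication: {"timestamp": "2018-03-27T09:01:02+0200", "type": "Authentication", "Authentication": {"status": "NT_STATUS_OK", "remoteAddress": "ipv4:10.0.0.5:49152", "serviceDescription": "SamLogon", "clientAccount": "alice", "passwordType": "NTLMv1"}}
JSON Authentication: {"timestamp": "2018-03-27T09:01:05+0200", "type": "Authentication", "Authentication": {"status": "NT_STATUS_OK", "remoteAddress": "ipv4:10.0.0.5:49153", "serviceDescription": "SamLogon", "clientAccount": "bob", "passwordType": "MSCHAPv2"}}
JSON Authentication: {"timestamp": "2018-03-27T09:02:11+0200", "type": "Authentication", "Authentication": {"status": "NT_STATUS_WRONG_PASSWORD", "remoteAddress": "ipv4:10.0.0.7:50001", "serviceDescription": "SamLogon", "clientAccount": "carol", "passwordType": "NTLMv1"}}
JSON Authentication: {"timestamp": "2018-03-27T09:03:00+0200", "type": "Authentication", "Authentication": {"status": "NT_STATUS_OK", "remoteAddress": "ipv4:10.0.0.9:50002", "serviceDescription": "SMB2", "clientAccount": "dave", "passwordType": "NTLMv2"}}
"""


def parse_audit_line(line):
    """Return the inner Authentication record of one audit line, or None
    if the line carries no JSON or is not an Authentication event."""
    start = line.find("{")
    if start < 0:
        return None
    try:
        event = json.loads(line[start:])
    except json.JSONDecodeError:
        return None
    if event.get("type") != "Authentication":
        return None
    return event.get("Authentication")


def summarize(log_text):
    """Count events per passwordType and list (remoteAddress, account,
    status) for every event that was still NTLMv1."""
    counts = Counter()
    ntlmv1_sources = []
    for line in log_text.splitlines():
        auth = parse_audit_line(line)
        if auth is None:
            continue
        ptype = auth.get("passwordType", "unknown")
        counts[ptype] += 1
        if ptype == "NTLMv1":
            ntlmv1_sources.append(
                (auth.get("remoteAddress"), auth.get("clientAccount"), auth.get("status"))
            )
    return counts, ntlmv1_sources


if __name__ == "__main__":
    totals, leftovers = summarize(SAMPLE_LOG)
    print("logons by passwordType:", dict(totals))
    for addr, account, status in leftovers:
        print("still NTLMv1:", addr, account, status)
```

On a real system feed the script the lines captured from the auth_json_audit debug class (with the audit log level raised enough to emit them) instead of SAMPLE_LOG.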