search for: mschpav2

...about, but not actually tested is in this old thread: https://lists.samba.org/archive/samba/2012-March/166496.html I'm not sure if it works, or is there some other workaround. As far as I understand there is a special "flag" that can be send with freeradius, that will force ntlmv1-mschpav2 response from AD DC even if ntlmv1 is overall disabled, that is how supposedly Microsoft solved it with their ad/nps implementation.. Maybe someone here wil have better advice? Regards, Kacper Wirski W dniu 26.03.2018 o 14:37, Rowland Penny via samba pisze: > On Mon, 26 Mar 2018 14:06:24 +02...

...ide/Active-Directory-direct-via-winbind What I can't test right now, if it will work with mchapv2 password change (if required), since freeradius relies directly on ntlm_auth there. My question on the other hand is this: - Why this "winbind" method works fine with "ntlm auth = mschpav2-and-ntlmv2-only" on the AD DC, but "ntlm_auth" doesn't? Winbind method supposedly also uses ntlm_auth in the end? Regards, Kacper W dniu 26.03.2018 o 23:09, Jonathan Hunter via samba pisze: > On 26 March 2018 at 21:38, Kacper Wirski via samba <samba at lists.samba.org&gt...

...sed by mschap. > What I can't test right now, if it will work with mchapv2 password change (if required), since freeradius relies directly on ntlm_auth there. > > > My question on the other hand is this: > - Why this "winbind" method works fine with "ntlm auth = mschpav2-and-ntlmv2-only" on the AD DC, but "ntlm_auth" doesn't? Winbind method supposedly also uses ntlm_auth in the end? Because you missed the --allow-mschapv2 option to ntlm_auth that sets the flag the new winbind method also uses. The winbind method avoids the fork()/exec() of ntl...

Hello, I can definately confirm that it's working. My basic setup is: 1) Samba 4.7.6 AD DC (2 of them), compiled from source, on centos 7 2) Freeradius 3.0.13 + samba 4.6.2 as domain member, packages straight from centos repo. // I  tested also on freeradius 3.0.14 and samba 4.7.x smb.conf on the DC is pretty basic, most important is obviously in [globall]:         ntlm auth =

Hi, we have updated our samba AD domain from 4.4.x to 4.5.x. The release notes for 4.5.0 included  "NTLMv1 authentication disabled by default". So we had to enable it to get our radius (freeradius) server working (for 802.1x). What would be the best way to change the freeradius configuration in such a way, that we can disable NTLMv1 again. The radius server is used for WLAN

Ok, I finally could try it out, and it seems to actually work, but You need samba 4.7 on all machines, not only AD, but also server with freeradius. I didn't get a chance to test it locally, that is samba AD + freeradius on the same server. Setup: 4.7.6 AD server and 4.6.2 samba member + freeradius didn't work (got simple "nt_status_wrong_password") but: 4.7.6 AD and 4.7.1