Displaying 6 results from an estimated 6 matches for "mschpav2".
2018 Mar 26
1
freeradius + NTLM + samba AD 4.5.x
...about, but not actually tested is in this
old thread:
https://lists.samba.org/archive/samba/2012-March/166496.html
I'm not sure if it works, or if there is some other workaround. As far as I
understand there is a special "flag" that can be sent with freeradius,
that will force ntlmv1-mschpav2 response from AD DC even if ntlmv1 is
overall disabled, that is how supposedly Microsoft solved it with their
ad/nps implementation.
Maybe someone here will have better advice?
Regards,
Kacper Wirski
On 26.03.2018 at 14:37, Rowland Penny via samba wrote:
> On Mon, 26 Mar 2018 14:06:24 +02...
2018 Mar 26
2
freeradius + NTLM + samba AD 4.5.x
...ide/Active-Directory-direct-via-winbind
What I can't test right now is whether it will work with mchapv2 password change (if required), since freeradius relies directly on ntlm_auth there.
My question on the other hand is this:
- Why does this "winbind" method work fine with "ntlm auth = mschpav2-and-ntlmv2-only" on the AD DC, but "ntlm_auth" doesn't? Winbind method supposedly also uses ntlm_auth in the end?
Regards,
Kacper
On 26.03.2018 at 23:09, Jonathan Hunter via samba wrote:
> On 26 March 2018 at 21:38, Kacper Wirski via samba <samba at lists.samba.org>...
2018 Mar 27
0
freeradius + NTLM + samba AD 4.5.x
...sed by mschap.
> What I can't test right now is whether it will work with mchapv2 password change (if required), since freeradius relies directly on ntlm_auth there.
>
>
> My question on the other hand is this:
> - Why does this "winbind" method work fine with "ntlm auth = mschpav2-and-ntlmv2-only" on the AD DC, but "ntlm_auth" doesn't? Winbind method supposedly also uses ntlm_auth in the end?
Because you missed the --allow-mschapv2 option to ntlm_auth that sets
the flag the new winbind method also uses. The winbind method avoids
the fork()/exec() of ntl...
2018 Mar 27
5
ODP: Re: freeradius + NTLM + samba AD 4.5.x
Hello,
I can definitely confirm that it's working.
My basic setup is:
1) Samba 4.7.6 AD DC (2 of them), compiled from source, on centos 7
2) Freeradius 3.0.13 + samba 4.6.2 as domain member, packages straight
from centos repo. // I tested also on freeradius 3.0.14 and samba 4.7.x
smb.conf on the DC is pretty basic, most important is obviously in
[global]:
ntlm auth =
2018 Mar 26
4
freeradius + NTLM + samba AD 4.5.x
Hi,
we have updated our samba AD domain from 4.4.x to 4.5.x.
The release notes for 4.5.0 included "NTLMv1 authentication disabled by
default".
So we had to enable it to get our radius (freeradius) server working
(for 802.1x).
What would be the best way to change the freeradius configuration in
such a way
that we can disable NTLMv1 again?
The radius server is used for WLAN
2018 Mar 26
3
freeradius + NTLM + samba AD 4.5.x
Ok, I finally could try it out, and it seems to actually work, but you
need samba 4.7 on all machines, not only AD, but also server with
freeradius. I didn't get a chance to test it locally, that is samba AD +
freeradius on the same server.
Setup: 4.7.6 AD server and 4.6.2 samba member + freeradius didn't work
(got simple "nt_status_wrong_password")
but: 4.7.6 AD and 4.7.1