search for: ntlm_auth_username

...h freeradius ("your password has expired" - type - scenarios) You should probably also configure in /mods-available/mschap additionaly: passchange {                 ntlm_auth = "/path/to/ntlm_auth --helper-protocol=ntlm-change-password-1 *--allow-mschapv2*"                 ntlm_auth_username = "username: %{mschap:User-Name}"                 ntlm_auth_domain = "nt-domain: WINDOWSDOMAIN" I'm saying "should probably configure" because  with the settings as above it works just fine, so even it's unnecessary, it doesn't break anything, and unfor...

...efine the correspoding realms in proxy.conf. eg (LNFFFVG is my domain): winbind_username = "%{mschap:%{User-Name}:-None}" winbind_domain = "%{mschap:%{NT-Domain}:-LNFFVG}" ntlm_auth = "/usr/bin/ntlm_auth --allow-mschapv2 --helper-protocol=ntlm-change-password-1" ntlm_auth_username = "username: %{mschap:User-Name}" ntlm_auth_domain = "nt-domain: %{mschap:%{NT-Domain}:-LNFFVG}" and in proxy.conf: realm LNFFVG { type = radius authhost = LOCAL accthost = LOCAL } -- dott. Marco Gaiarin GNUPG Key ID: 240A3D66...

Hello, Wiki entry was based on my mail to this list, sorry if I was not clear enough. I'm glad You figured it out yourself, Regards, Kacper W dniu 09.10.2018 o 17:21, Marco Gaiarin via samba pisze: >> Someone have some hints? Thanks. > ...i reply to myself. > > Indeed the option 'ntlm auth = mschapv2-and-ntlmv2-only' (4.7+) or 'ntlm auth = > yes'

...assword has expired" - type - scenarios) You should probably also > configure in /mods-available/mschap additionaly: > > passchange { >                 ntlm_auth = "/path/to/ntlm_auth > --helper-protocol=ntlm-change-password-1 *--allow-mschapv2*" >                 ntlm_auth_username = "username: %{mschap:User-Name}" >                 ntlm_auth_domain = "nt-domain: WINDOWSDOMAIN" > > I'm saying "should probably configure" because  with the settings as > above it works just fine, so even it's unnecessary, it doesn't break &...

ok, tested it, and it works. so to summarize: on samba ad 4.7.x  in smb.conf "ntlm auth" is set to "mschapv2-and-ntlmv2-only" fr + samba domain member (4.6 and 4.7) in mods-available/mschap you have to add to ntlm_auth --allow-mschapv2 to the whole string OR just use winbind method, which sets correct flag without explicitly adding it. with those settings ntlmv1 is blocked