similar to: Samba authentication

It is an issue that I myself would also like to solve. I found multiple threads in samba and freeradius mailing lists. It seems that every couple of months there is question like this either here on FR mailing list and all point down to the same issue, that is: freeradius uses ntlm_auth (even when using winbind with newer freeradius versions, it also in the end uses ntlm_auth). And since

Hi, we have updated our samba AD domain from 4.4.x to 4.5.x. The release notes for 4.5.0 included  "NTLMv1 authentication disabled by default". So we had to enable it to get our radius (freeradius) server working (for 802.1x). What would be the best way to change the freeradius configuration in such a way, that we can disable NTLMv1 again. The radius server is used for WLAN

Folks, Our campus AD team has decided that they ... >Need to disable LM/NTLMv1 authentication support to provide greater >security and be consistent with the CITES authentication roadmap. Noble thoughts, but there hasn't been much thought of the ramifications for other, interoperable systems like Samba. I can see that modern Samba versions support NTLMv1 and NTLMv2 methods.

Ok, I finally could try it out, and it seems to actually work, but You need samba 4.7 on all machines, not only AD, but also server with freeradius. I didn't get a chance to test it locally, that is samba AD + freeradius on the same server. Setup: 4.7.6 AD server and 4.6.2 samba member + freeradius didn't work (got simple "nt_status_wrong_password") but: 4.7.6 AD and 4.7.1

I discovered the situation. When attempting to logon from Windows 2008R2 to Samba4 is made we can see in Samba smbd log the following important for understanding the situation lines: [2017/11/20 13:25:52.040094, 2, pid=7100, effective(0, 0), real(0, 0)] ../libcli/auth/ntlm_check.c:430(ntlm_password_check) ntlm_password_check: NTLMv1 passwords NOT PERMITTED for user <username> [2017/11/20

On Fri, 3 Nov 2023 12:27:57 +0100 cYuSeDfZfb cYuSeDfZfb via samba <samba at lists.samba.org> wrote: > Hi, > > I have configured my (RHEL9) standalone samba server with "ntlm auth = > disabled" because we understand that ntlm should be disabled nowadays. > > However, we can no longer use smbclient (4.17) to connect to that > server, as: > > session

Also I just facepalmed, as I double checked smb.conf right after sending mail, and in samba 4.7 there are new options available for "ntlm auth", as stated in docs: |mschapv2-and-ntlmv2-only| - Only allow NTLMv1 when the client promises that it is providing MSCHAPv2 authentication (such as the |ntlm_auth| tool). So that is is I suppose that special "flag" that is used by

On Tue, 16 Jun 2020, Rowland penny via samba wrote: > On 16/06/2020 12:41, Harald Hannelius via samba wrote: >> I have Samba AD-domain with two fileservers and two Samba DS-servers. Most >> people can authenticate OK, but one user always gets "wrong password". > What versions of Samba ? All servers are 4.9.5-Debian. >> Auth: [SMB2,(null)] user [SAD]\[username]

Hi there, I'm trying to get FreeRADIUS to authenticate against my Samba DC. It's Samba 4.7.6-ubuntu running on Ubuntu 18 (kernel version 4.15.0-66-generic). It came nicely packaged with Zentyal, which provides a nice GUI for managing a domain, as well as a CA and lots of cool small features. That same Zentyal also includes support for FreeRADIUS (3.0.16). This is my smb.conf:

Hello, i set up a squid proxy that should authenticate users against a samba PDC using winbind. It works fine as long i allow ntlmv1: on the PDC: ntlm auth = yes lanman auth = no client ntlmv2 auth = yes If i restrict the domains authentication method to ntlmv2 - that's what i want - with these settings: ntlm auth = no lanman auth = no client

Hello, I can definately confirm that it's working. My basic setup is: 1) Samba 4.7.6 AD DC (2 of them), compiled from source, on centos 7 2) Freeradius 3.0.13 + samba 4.6.2 as domain member, packages straight from centos repo. // I  tested also on freeradius 3.0.14 and samba 4.7.x smb.conf on the DC is pretty basic, most important is obviously in [globall]:         ntlm auth =

ok, tested it, and it works. so to summarize: on samba ad 4.7.x  in smb.conf "ntlm auth" is set to "mschapv2-and-ntlmv2-only" fr + samba domain member (4.6 and 4.7) in mods-available/mschap you have to add to ntlm_auth --allow-mschapv2 to the whole string OR just use winbind method, which sets correct flag without explicitly adding it. with those settings ntlmv1 is blocked

On Tue, 2023-04-04 at 07:55 +0000, Tim ODriscoll wrote: > On Mon, 2023-04-03 at 15:08 +0000, Tim ODriscoll via samba wrote: > > > > > > Unfortunately it's still erroring out: > > (7) mschap: Creating challenge hash with username: host/SL- > > 6S4BBS3.MYDOMAIN.co.uk > > (7) mschap: Client is using MS-CHAPv2 > > > > > Is this set as a

> You said earlier that you have set ntlm auth = mschapv2-and-ntlmv2-only Yes, I found that here: https://wiki.samba.org/index.php/Authenticating_Freeradius_against_Active_Directory > This means to reject NTLMv1, which MSCHAPv2 is cryptographically, unless the client makes special pleading that it used MSCHAPv2 with it's client. > This is related to the missing ntlm_auth option

On Sat, 11 Nov 2017 13:32:31 -0600 Andrew Walker <walker.aj325 at gmail.com> wrote: > I thought "net use" will use ntlm for auth (no clear-text passwords > passing over the wire). At least that's what I see in wireshark on > modern windows. > If you use NTLMv1, you might as well use plain passwords. Given the NTLMv1 password, it would take your average badhat

Hello, I've done some further testing, and I have to correct myself. I was (kind of obviously as I think about it) wrong about samba on the freeradius server requiring v. 4.7. What makes all the difference is the method used by mschap. Traditionally in freeradius in mods-available/mschap you'll use something like: ntlm_auth = "/path/to/ntlm_auth --request-nt-key

Hi folks, I've been sifting through various threads on GSSAPI and NTLM support, and I'm wondering if anyone out there can confirm or deny GSSAPI IMAP auth support in Microsoft Outlook 2016 (Windows)? Perhaps there's some magic registry key to change IMAP auth from PLAIN to GSSAPI? We're trying to do single sign-on + e-mail for Windows domain users; Thunderbird GSSAPI works

Thank you Rowland - adding "ntlm auth = yes" in the global section and rebooting the machine has provided access once again to the NAS. In answer to your questions - the smb.conf was from the PCLOS machine.  Question - I had tried sec=ntlm in the mount statement without it being in the smb.conf - did that not work because ntlmv1 had not been enabled? As to the question marks, that

On 8/20/2018 11:32 AM, Rowland Penny via samba wrote: > On Mon, 20 Aug 2018 14:37:32 +0530 > Amit via samba <samba at lists.samba.org> wrote: > >>>> >>>> >>>> Query: >>>> 1. Is there a limit on max number of connections to share? There >>>> must be what's the max? 2. Is using force user, force group good

Hey Rowland! Thanks for response. I admire your work. Please find my responses inline. On 08/20/2018 02:19 PM, Rowland Penny via samba wrote: > On Mon, 20 Aug 2018 11:06:48 +0530 > Amit via samba <samba at lists.samba.org> wrote: > >> Dear Devels, >> >> samba-4.2.3-10.el7.x86_64 >> >> # vim smb.conf >> [global] >> workgroup =