similar to: NTLM auth, better on a DC or on a DM?

Displaying 20 results from an estimated 9000 matches similar to: "NTLM auth, better on a DC or on a DM?"

2018 Sep 07
3
NTLM auth, better on a DC or on a DM?
On Fri, 2018-09-07 at 20:14 +0200, Luca Olivetti via samba wrote: > On 7/9/18 at 17:59, Marco Gaiarin via samba wrote: > > > It is better to install squid/freeradius in the same host of a DC, or > > don't bother at all so they can be installed also on a DM? > > I don't know if it's better but I'm running freeradius with ntlm_auth on > a
2018 Sep 10
1
NTLM auth, better on a DC or on a DM?
Would squid and freeradius support LDAP authentication with AD ?   I don't know if you are using NTLM or NTLMv2. On 09/08/18 06:54, Harry Jede via samba wrote: > Hi Marco, > >> Probably is a stupid question, but... >> >> I need to implement some 'NTLM auth' (in squid and MSCHAPv2/PEAP on >> freeradius). >> >> It is better to install
2016 Apr 15
5
samba 4.4.2 freeradius authentication with ntlm_auth
Hi; Samba team say "It is recommended that administrators set these additional options, if compatible with their network environment:" ntlm auth = no I use samba with FreeRadius. I configure "ntlm_ auth = no" but freeradius users not connected to wifi. I use ntlm_auth in FreeRadius side.. best regards
2013 Feb 22
6
Samba 4 and freeradius
Hi, My goal is to make use of samba 4 and freeradius to authenticate user to use wifi network (WPA2 enterprise). The setup is to setup Samba 4.0.3 in machine A and setup freeradius in machine B. By reading: Document A: http://wiki.samba.org/index.php/Samba4/beyond Document B: https://wiki.samba.org/index.php/Samba4/HOWTO/Virtual_Private_Network Document C:
2018 Mar 26
1
freeradius + NTLM + samba AD 4.5.x
It is an issue that I myself would also like to solve. I found multiple threads in samba and freeradius mailing lists. It seems that every couple of months there is question like this either here on FR mailing list and all point down to the same issue, that is: freeradius uses ntlm_auth (even when using winbind with newer freeradius versions, it also in the end uses ntlm_auth). And since
2018 Mar 27
5
ODP: Re: freeradius + NTLM + samba AD 4.5.x
Hello, I can definitely confirm that it's working. My basic setup is: 1) Samba 4.7.6 AD DC (2 of them), compiled from source, on centos 7 2) Freeradius 3.0.13 + samba 4.6.2 as domain member, packages straight from centos repo. // I tested also on freeradius 3.0.14 and samba 4.7.x smb.conf on the DC is pretty basic, most important is obviously in [global]:         ntlm auth =
2018 Mar 26
4
freeradius + NTLM + samba AD 4.5.x
Hi, we have updated our samba AD domain from 4.4.x to 4.5.x. The release notes for 4.5.0 included  "NTLMv1 authentication disabled by default". So we had to enable it to get our radius (freeradius) server working (for 802.1x). What would be the best way to change the freeradius configuration in such a way, that we can disable NTLMv1 again. The radius server is used for WLAN
2018 Jan 10
1
NTLM, MSCHAPv2, squid & freeradius...
Currently (samba 4 NT-like domains) I use extensively NTLM auth in freeradius and more mildly in squid, respectively with: Freeradius (mschap module): ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=SANVITO --username=%{mschap:User-Name:-None} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" squid3: auth_param ntlm program /usr/bin/ntlm_auth
2018 Mar 27
2
ODP: Re: freeradius + NTLM + samba AD 4.5.x
ok, tested it, and it works. so to summarize: on samba ad 4.7.x  in smb.conf "ntlm auth" is set to "mschapv2-and-ntlmv2-only" fr + samba domain member (4.6 and 4.7) in mods-available/mschap you have to add to ntlm_auth --allow-mschapv2 to the whole string OR just use winbind method, which sets correct flag without explicitly adding it. with those settings ntlmv1 is blocked
2023 Apr 12
2
Fwd: ntlm_auth and freeradius
Hi Alexander, I'm terribly sorry. We didn't have the "ntlm auth" parameter configured on the DCs at all. I added it and it just works. Thanks for your help. Now I just need to figure out how I can make WLAN-specific LDAP-Group authentication. e. g. production WLAN needs LDAP group "wlan_production" and management WLAN needs the "wlan_management" group. I
2023 Apr 06
1
Fwd: ntlm_auth and freeradius
I can share my notes, we authenticate UniFi clients via Freeradius against Samba AD. We also check group membership which you might or might not need: ## 4 FreeRADIUS ### 4.1 Basics ```bash apt install freeradius freeradius-ldap freeradius-utils # create new DH-params openssl dhparam -out /etc/freeradius/3.0/certs/dh 2048 ``` ### 4.2 Configure Authentication - modify mschap to use winbind,
2019 Sep 28
5
problems after migrating NT domain to AD (samba 4.7.x)
Dear List, My domain +/- works, so I try to fix rest services based on domain NT/AD.... I use WiFi authorization with PEAP/MSCHAPv2 + freeradius (before migration it works). And after migration authorization does not work. Freeradius server is on samba domain member. So I check domain connectivity: [root at see-you-later samba]# net ads testjoin Join is OK [root at see-you-later samba]#
2018 Mar 26
3
freeradius + NTLM + samba AD 4.5.x
Ok, I finally could try it out, and it seems to actually work, but You need samba 4.7 on all machines, not only AD, but also server with freeradius. I didn't get a chance to test it locally, that is samba AD + freeradius on the same server. Setup: 4.7.6 AD server and 4.6.2 samba member + freeradius didn't work (got simple "nt_status_wrong_password") but: 4.7.6 AD and 4.7.1
2023 Apr 12
1
Fwd: ntlm_auth and freeradius
Hello Alexander, thanks Alexander for these configuration snippets. Which version of Samba are you using? Is this on debian bullseye? Is the FreeRADIUS server installed on a DC or on a Domain Member? (I just tested the latter). is "ntlm auth = yes" OK for the DCs and the domain member or does it have to be "mschapv2-and-ntlmv2-only" for all servers (DCs + Member)? It
2018 Mar 26
3
freeradius + NTLM + samba AD 4.5.x
Also I just facepalmed, as I double checked smb.conf right after sending mail, and in samba 4.7 there are new options available for "ntlm auth", as stated in docs: |mschapv2-and-ntlmv2-only| - Only allow NTLMv1 when the client promises that it is providing MSCHAPv2 authentication (such as the |ntlm_auth| tool). So that is, I suppose, that special "flag" that is used by
2018 Mar 26
2
freeradius + NTLM + samba AD 4.5.x
Hello, I've done some further testing, and I have to correct myself. I was (kind of obviously as I think about it) wrong about samba on the freeradius server requiring v. 4.7. What makes all the difference is the method used by mschap. Traditionally in freeradius in mods-available/mschap you'll use something like: ntlm_auth = "/path/to/ntlm_auth --request-nt-key
2023 Apr 12
1
Fwd: ntlm_auth and freeradius
Hi Matthias, we're using Debian Bullseye with the backports repo. So version is a mixture of - Samba version 4.17.3-Debian - Samba version 4.17.7-Debian We've installed it directly on the DC's as well. In my opinion using "ntlm auth = yes" should be fine. Did you try using a simple RADIUS secret? In my experience long secrets or ones containing special characters don't work very well. I
2018 Sep 08
0
NTLM auth, better on a DC or on a DM?
Hi Marco, > Probably is a stupid question, but... > > I need to implement some 'NTLM auth' (in squid and MSCHAPv2/PEAP on > freeradius). > > It is better to install squid/freeradius in the same host of a DC, or > don't bother at all so they can be installed also on a DM? This is not a stupid question! We have several squid proxy with ntlm_auth running. Ntlm_auth
2019 Aug 30
6
Samba 4.10.7 + freeradius 3.0.17 +ntlm_auth - Debian buster
Hai, It does not happen often but yes, I also need some help as I can't know everything also and I'm new with freeradius. I'm working on a configuration for samba member + freeradius with ntlm_auth. Why ntlm_auth, because the next one is kerberos and ldap auth to configure.. I want to have some fallback options here and you have to start somewhere. This is running on my new proxy/gateway
2023 Apr 03
2
[EXTERNAL] Fwd: ntlm_auth and freeradius
> I guess we have to look at the conf files then, first these two: Thank you for the config file snippets. I can confirm mine were almost identical, so I've tweaked them so that they are now exactly the same as yours except for the "--require-membership-of=example\authorization_groupname" line in ntlm_auth. Unfortunately it's still erroring out: (7) mschap: Creating