On 14/07/11 08:45, Johan Meiring wrote:
On 2011/07/13 06:51 PM, Phil Mayers wrote:

If you are using Samba as your domain controllers, then you have access to the SAM and can extract the LM/NT hash from whatever backend you use.

So you can just feed that info straight to FreeRADIUS. No need to use ntlm_auth / samba membership - just dump the NT hashes somewhere FreeRADIUS can get at them, or if you're using LDAP, point FreeRADIUS at that LDAP server and make sure it can read the ntPassword attribute.

This is preferable to using ntlm_auth in fact.

OK...

So the ntlm_auth "hack" is just because a Microsoft Domain

Point of clarity: It's not a hack. It's the same thing Windows does - this is how IAS/NPS authenticates MS-CHAP. That's what the RPC call is for, and they are core, documented Microsoft authenticator APIs.

Controller/LDAP refuses to share the ntPassword attribute with anyone
that does not look like Microsoft?

Yes


Hopefully Samba4 changes that as it should have a copy of the AD database!

Perhaps.

Personally I'm doubtful it will be useful for that many people. Think about it: the argument goes as follows:

1. Samba 3 & ntlm_auth are too hard to set up / maintain
2. Therefore we'll install Samba 4, make it a domain controller so it can replicate the SAM, and that will be much easier

Not a convincing argument, I feel. Even if you can convince your AD admins to *permit* you to promote a Samba 4 to a DC role, I don't see how it'll be any less hassle to run than a Samba 3 in a server role.

There are a small number of sites who may be able to use this route, but for complete "ease of use", there's no ideal solution.
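As an added illustration of the "dump the NT hashes somewhere FreeRADIUS can get at them" route described above (example code written for this page, not from the thread or from the FreeRADIUS/Samba projects): it parses constructed Samba smbpasswd-format entries, drops disabled and no-password accounts, and emits FreeRADIUS users-file lines carrying NT-Password as 32 hex characters, which is the form I understand FreeRADIUS accepts. A pure-Python MD4 is included to show that the NT hash is just MD4 over the UTF-16LE password, i.e. it is password-equivalent for MS-CHAP and the exported file needs the same protection as the SAM itself.

```python
import struct

# Constructed smbpasswd-format lines (not real accounts): user:uid:LM:NT:[flags]:LCT-...:
SMBPASSWD_SAMPLE = """\
alice:1001:AAD3B435B51404EEAAD3B435B51404EE:8846F7EAEE8FB117AD06BDD830B7586C:[U          ]:LCT-4E1E6A2B:
bob:1002:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[NU         ]:LCT-4E1E6A2B:
carol:1003:AAD3B435B51404EEAAD3B435B51404EE:0123456789ABCDEF0123456789ABCDEF:[UD         ]:LCT-4E1E6A2B:
"""

def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); the NT hash is MD4 over the UTF-16LE password."""
    mask = 0xFFFFFFFF
    rot = lambda v, s: ((v << s) | (v >> (32 - s))) & mask
    rounds = (  # (boolean function, round constant, word order, shift table)
        (lambda x, y, z: (x & y) | (~x & z), 0, range(16), (3, 7, 11, 19)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for f, k, order, shifts in rounds:
            for i, j in enumerate(order):
                a = rot((a + f(b, c, d) + x[j] + k) & mask, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate the working registers as RFC 1320 does
        a, b, c, d = (a + aa) & mask, (b + bb) & mask, (c + cc) & mask, (d + dd) & mask
    return struct.pack("<4I", a, b, c, d)

def nt_hash(password: str) -> str:
    # What Samba stores in the NT field and what FreeRADIUS needs for MS-CHAP.
    return md4(password.encode("utf-16-le")).hex().upper()

def smbpasswd_to_users(text: str) -> list[str]:
    """Turn smbpasswd entries into FreeRADIUS 'users' lines carrying NT-Password.
    Skips disabled (D) and no-password (N / all-X) accounts; the LM hash is not needed."""
    entries = []
    for line in text.splitlines():
        fields = line.split(":")
        if not line or line.startswith("#") or len(fields) < 5:
            continue
        user, _uid, _lm, nt, flags = fields[:5]
        if "D" in flags or "N" in flags or len(nt) != 32 or set(nt) - set("0123456789abcdefABCDEF"):
            continue  # only enabled accounts with a real 32-hex NT hash are exported
        entries.append(f'{user}\tNT-Password := "{nt.upper()}"')
    return entries
```

Write the returned lines into a users file readable only by the FreeRADIUS user; nt_hash("password") lets you confirm a known test account hashes to the value in its smbpasswd entry before trusting the export.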
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
