On 26/03/2013 15:09, Phil Mayers wrote:
> On 26/03/2013 15:00, Phil Mayers wrote:
>>
>> You should ask on the Samba lists - if a Windows domain member can do
>> it, there must be a newer API/RPC which Samba could implement.
>
> In fact, a couple of minutes with Google gives me this thread:
>
> https://lists.samba.org/archive/samba/2012-March/166440.html
>
> There is a magic flag that Samba needs to set on the RPC. It's unclear
> from the thread if that was ever patched into Samba, but if it was, it
> was after March 2012, so you'd need at least a version after that. I will
> see if I can find if it was implemented and when.


It doesn't look like this ever went in - there's no sign of the MSV1_0_ALLOW_MSVCHAPV2 flag in the latest Samba3 or Samba4 sources except in header def. files and flag/debug output.

As Andrew Bartlett pointed out, if you allow any MSCHAPv2 (NTLMv1) login you're effectively not enforcing NTLMv2, but I suppose you could argue the TLS surrounding PEAP makes it "ok".

If you want this working you'll need to download the Samba source and make the patch described in the thread - in ./source3/utils/ntlm_auth.c find the "contact_winbind_auth_crap" function, and add:

 MSV1_0_ALLOW_MSVCHAPV2

...to the "request.data.auth_crap.logon_parameters" flags.

You might want to re-(re)-raise this on the Samba lists. It seems like it would be pretty easy to have a "--allow-mschapv2" argument to ntlm_auth which sets this flag conditionally, and avoids the "we shouldn't set it all the time" issue.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
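Added example (my own code, not from the thread, FreeRADIUS or Samba) showing the RADIUS-side step that turns a PEAP/MS-CHAPv2 exchange into what ntlm_auth is handed, and why the domain controller then sees an NTLMv1-class logon. It assumes the attribute layout of RFC 2548 (MS-CHAP-Challenge, 50-byte MS-CHAP2-Response), the ChallengeHash derivation of RFC 2759 section 8.2, the ntlm_auth option names rlm_mschap uses (--request-nt-key, --username, --domain, --challenge, --nt-response), and that the DOMAIN\ prefix is stripped before hashing as rlm_mschap's with_ntdomain_hack does. The user name and both 16-byte challenges are the RFC 2759 section 9.2 test vector; the 24-byte NT-Response is a constructed placeholder, not a real response.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class MsChap2Response:
    """Decoded MS-CHAP2-Response attribute value (RFC 2548 section 2.3.2)."""
    ident: int
    flags: int
    peer_challenge: bytes  # 16 bytes chosen by the supplicant
    nt_response: bytes     # 24 bytes: DESL(NT-hash, 8-byte challenge), the NTLMv1 primitive


def parse_mschap2_response(attr: bytes) -> MsChap2Response:
    """Split the 50-byte attribute value into its fields and sanity-check it."""
    if len(attr) != 50:
        raise ValueError("MS-CHAP2-Response must be 50 bytes, got %d" % len(attr))
    ident, flags = attr[0], attr[1]
    peer_challenge, reserved, nt_response = attr[2:18], attr[18:26], attr[26:50]
    if flags != 0:
        raise ValueError("Flags field must be zero for MS-CHAPv2")
    if reserved != bytes(8):
        raise ValueError("Reserved field must be zero")
    return MsChap2Response(ident, flags, peer_challenge, nt_response)


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: str) -> bytes:
    """ChallengeHash() from RFC 2759 section 8.2: SHA1(Peer || Auth || UserName)[0:8].

    This 8-byte value is the only challenge the NT-Response is computed over,
    so the (challenge, NT-Response) pair winbind forwards to the DC looks
    exactly like an NTLMv1 logon.
    """
    h = hashlib.sha1()
    h.update(peer_challenge)
    h.update(auth_challenge)
    h.update(username.encode("utf-8"))
    return h.digest()[:8]


def split_user(user_name: str) -> Tuple[Optional[str], str]:
    """Split 'DOMAIN\\user' into (domain, user); ChallengeHash uses the bare user part."""
    if "\\" in user_name:
        domain, _, user = user_name.partition("\\")
        return domain, user
    return None, user_name


def ntlm_auth_argv(user_name: str, auth_challenge: bytes, resp: MsChap2Response) -> List[str]:
    """Build the ntlm_auth command line rlm_mschap would run for this exchange (assumed options)."""
    domain, user = split_user(user_name)
    challenge8 = challenge_hash(resp.peer_challenge, auth_challenge, user)
    argv = ["ntlm_auth", "--request-nt-key", "--username=%s" % user]
    if domain is not None:
        argv.append("--domain=%s" % domain)
    argv.append("--challenge=%s" % challenge8.hex())
    argv.append("--nt-response=%s" % resp.nt_response.hex())
    return argv


# Sample input: user name and both challenges are the RFC 2759 section 9.2
# test vector; the NT-Response is a constructed placeholder, not a real one.
RFC2759_AUTH_CHALLENGE = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")
RFC2759_PEER_CHALLENGE = bytes.fromhex("21402324255E262A28295F2B3A337C7E")
FAKE_NT_RESPONSE = bytes(range(0x10, 0x28))  # 24 bytes of filler


def sample_exchange() -> List[str]:
    """Assemble an MS-CHAP2-Response as a supplicant would and derive the ntlm_auth call."""
    attr = bytes([1, 0]) + RFC2759_PEER_CHALLENGE + bytes(8) + FAKE_NT_RESPONSE
    resp = parse_mschap2_response(attr)
    return ntlm_auth_argv("EXAMPLE\\User", RFC2759_AUTH_CHALLENGE, resp)


if __name__ == "__main__":
    print(" ".join(sample_exchange()))
```

The point to take from this is the last two arguments: an 8-byte challenge and a 24-byte response with no NTLMv2 client blob. The supplicant computed that response as DESL(NT-hash, challenge), which is the NTLMv1 NTLM response, so a DC configured to refuse NTLM (LAN Manager authentication level "Send NTLMv2 response only. Refuse LM & NTLM") rejects it unless the logon request carries MSV1_0_ALLOW_MSVCHAPV2. That is also why setting the flag amounts to accepting NTLMv1-class authentication for every logon ntlm_auth performs, not just the PEAP ones.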