On Fri, 2012-03-02 at 15:08 +0100, NdK wrote:
> On 01/03/2012 22:09, Glenn Machin wrote:
>
> > I am using freeradius2 which then calls ntlm_auth passing the
> > nt-response and challenge generated as part of the peap mschapv2
> > exchange. However it does not seem to want to work. The version of
> > samba I am using is samba3x-3.5.10.
> I've recently set up a Squeeze box with FR and samba. Have had to use
> "backports" repo since 3.5.6 didn't work and (IIRC) even 3.5.10 gave
> troubles. Upgrading to 3.5.11 solved.

The big issue here is that MSCHAPv2 is not NTLMv2. It is only a little more secure than NTLM.

There is a flag in logon_parameters that the domain member can set (and which Samba should set) that indicates that this particular authentication should be regarded as NTLMv2 however. We need to confirm it should be set in this situation. (This is the same logon_parameters that carries the 'allow machine account authentication' flag).

I dislike the 'lie', but I'm very happy to review such a patch, I just keep forgetting to add the handling for this myself.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org