On Sat, 2012-03-03 at 12:16 +0100, NdK wrote:
> On 03/03/2012 08:04, Andrew Bartlett wrote:
> >
> >> I've recently set up a Squeeze box with FR and samba. Have had to use
> >> "backports" repo since 3.5.6 didn't work and (IIRC) even 3.5.10 gave
> >> troubles. Upgrading to 3.5.11 solved.
> > The big issue here is that MSCHAPv2 is not NTLMv2. It is only a little
> > more secure than NTLM. There is a flag in logon_parameters that the
> FR runs ntlm_auth to obtain NT key. So, IIUC, it should do an NTLMv2
> auth in the last step. Am I wrong?
MSCHAPv2 is a derivation of NTLM, not NTLMv2. FreeRADIUS sends the
(effective) challenge (based on client and server chosen values, and
salt), and the NT response. ntlm_auth returns the user session key to
allow FreeRADIUS's client (the VPN endpoint etc) to encrypt the session.

There is no way to 'upgrade' that to NTLMv2, as NTLMv2 is a different
cryptosystem on input and output. What you can however do is set a flag
telling the DC 'pretend this was NTLMv2 for the purposes of the NTLMv2
only rule'. We need to work out if this is the right thing to do.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba