Well I cannot provide proof that the Microsoft radius server is setting
the bit. However setting the MSV1_0_ALLOW_MSVCHAPV2 bit in the
request.data.auth_crap.logon_parameters of the
contact_winbind_auth_crap() function fixes the issue with ntlm_auth not
being able to authenticate mschapv2 to a W2008 DC where the
LMCompatibility level is set to 5 => "Clients use only NTLMv2
authentication, and they use NTLMv2 session security if the server
supports it. Domain controller refuses LM and NTLM authentication
responses, but it accepts NTLMv2".
ntlm_auth.c:

    request.data.auth_crap.logon_parameters =
        MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT |
        MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT |
        MSV1_0_ALLOW_MSVCHAPV2;
Glenn
On 3/5/12 1:19 PM, Andrew Bartlett wrote:
> On Mon, 2012-03-05 at 10:54 -0700, Glenn Machin wrote:
>> So what is the flag that should be set? From librpc/gen_ndr/netlogon.h
>> I see MSV1_0_ALLOW_MSVCHAPV2. Is that the flag that needs to be set?
>> I can't seem to find any documentation on that particular flag.
>> http://msdn.microsoft.com/en-us/library/cc237070%28v=prot.13%29.aspx is
>> the only clue I have.
>
> It would be great if we could see some proof that this is set by
> Microsoft's RADIUS server in the same situation, just to be sure we
> understand it. Or we can ask Microsoft.
>
> Andrew Bartlett
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba