Re: Can ntlm_auth version 3.5.10 be used to perform ntlmv2 authentication against a w2008 DC?




On Sat, 2012-03-03 at 12:16 +0100, NdK wrote:
> On 03/03/2012 08:04, Andrew Bartlett wrote:
> 
> >> I've recently setup a Squeeze box with FR and samba. Have had to use
> >> "backports" repo since 3.5.6 didn't work and (IIRC) even 3.5.10 gave
> >> troubles. Upgrading to 3.5.11 solved.
> > The big issue here is that MSCHAPv2 is not NTLMv2.  It is only a little
> > more secure than NTLM.  There is a flag in logon_parameters that the
> FR runs ntlm_auth to obtain NT key. So, IIUC, it should do an NTLMv2
> auth in the last step. Am I wrong?

MSCHAPv2 is a derivation of NTLM, not NTLMv2.  FreeRADIUS sends the
(effective) challenge (based on client and server chosen values, and
salt), and the NT response.  ntlm_auth returns the user session key to
allow FreeRADIUS's client (the VPN endpoint etc) to encrypt the
session.

There is no way to 'upgrade' that to NTLMv2, as NTLMv2 is a different
cryptosystem on input and output.

What you can however do is set a flag telling the DC 'pretend this was
NTLMv2 for the purposes of the NTLMv2 only rule'.  We need to work out
if this is the right thing to do.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
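A worked version of the two computations Andrew contrasts above, added here as an example; it is not part of the original thread and not Samba's or FreeRADIUS's code. It reproduces the RFC 2759 section 9.2 MSCHAPv2 test vectors (user "User", password "clientPass"), derives the 8-byte challenge hash and the 24-byte NT-Response that FreeRADIUS hands to ntlm_auth, and computes an NTLMv2 response from the same NT hash for contrast. The NTLMv2 server challenge, client blob and the domain name EXAMPLE are constructed values; the printed ntlm_auth command line uses ntlm_auth's real --request-nt-key, --username, --challenge and --nt-response options, but its exact layout is assumed rather than copied from FreeRADIUS's mschap module.

```go
package main

import (
	"crypto/des"
	"crypto/hmac"
	"crypto/md5"
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"strings"
	"unicode/utf16"
)

// RFC 2759 section 9.2 test vectors (published values, reproduced, not invented).
var (
	userName               = "User"
	authenticatorChallenge = mustHex("5b5d7c7d7b3f2f3e3c2c602132262628")
	peerChallenge          = mustHex("21402324255e262a28295f2b3a337c7e")
	ntHash                 = mustHex("44ebba8d5312b8d611474411f56989ae") // MD4(UTF-16LE("clientPass"))
)

func mustHex(s string) []byte {
	b, err := hex.DecodeString(s)
	if err != nil {
		panic(err)
	}
	return b
}

// utf16le encodes s as UTF-16LE, the encoding NTLMv2 uses for user and domain names.
func utf16le(s string) []byte {
	var out []byte
	for _, c := range utf16.Encode([]rune(s)) {
		out = append(out, byte(c), byte(c>>8))
	}
	return out
}

// desKeyFrom7 spreads 56 key bits over 8 bytes, 7 bits each, parity bit (LSB) left clear.
func desKeyFrom7(k []byte) []byte {
	out := make([]byte, 8)
	for i := 0; i < 8; i++ {
		var w uint16
		if i > 0 {
			w = uint16(k[i-1]) << 8
		}
		if i < 7 {
			w |= uint16(k[i])
		}
		out[i] = byte((w>>uint(1+i))&0x7f) << 1
	}
	return out
}

// MSCHAPv2ChallengeHash is RFC 2759 ChallengeHash(): the 8-byte "effective" challenge
// that FreeRADIUS hands to ntlm_auth as --challenge=.
func MSCHAPv2ChallengeHash(peer, authenticator []byte, user string) []byte {
	h := sha1.New()
	h.Write(peer)
	h.Write(authenticator)
	h.Write([]byte(user))
	return h.Sum(nil)[:8]
}

// NTResponse is the NTLM (hence MSCHAPv2) response: the NT hash is split into three DES
// keys (the third zero-padded), each encrypting the challenge. Hash + 8-byte challenge in, 24 bytes out.
func NTResponse(ntHash, challenge []byte) []byte {
	k3 := append(append([]byte{}, ntHash[14:16]...), 0, 0, 0, 0, 0)
	var resp []byte
	for _, k := range [][]byte{ntHash[0:7], ntHash[7:14], k3} {
		c, err := des.NewCipher(desKeyFrom7(k))
		if err != nil {
			panic(err)
		}
		block := make([]byte, 8)
		c.Encrypt(block, challenge)
		resp = append(resp, block...)
	}
	return resp
}

// NTLMv2Response (MS-NLMP) for contrast: key = HMAC-MD5(NT hash, UTF-16LE(UPPER(user)||domain)),
// response = HMAC-MD5(key, serverChallenge||blob) || blob. User and domain are inputs; no DES at all.
func NTLMv2Response(ntHash []byte, user, domain string, serverChallenge, blob []byte) []byte {
	m := hmac.New(md5.New, ntHash)
	m.Write(utf16le(strings.ToUpper(user) + domain))
	m = hmac.New(md5.New, m.Sum(nil))
	m.Write(serverChallenge)
	m.Write(blob)
	return append(m.Sum(nil), blob...)
}

func main() {
	chal := MSCHAPv2ChallengeHash(peerChallenge, authenticatorChallenge, userName)
	resp := NTResponse(ntHash, chal)
	// What FreeRADIUS's mschap module hands to ntlm_auth (option names are ntlm_auth's own; layout assumed).
	fmt.Printf("ntlm_auth --request-nt-key --username=%s --challenge=%x --nt-response=%x\n", userName, chal, resp)
	// Constructed NTLMv2 inputs; a real blob carries a timestamp, client nonce and target info.
	sc, blob := mustHex("0123456789abcdef"), mustHex("0101000000000000")
	fmt.Printf("NTLMv2 response: %x\n", NTLMv2Response(ntHash, userName, "EXAMPLE", sc, blob))
}
```

The NT hash is a fixed vector because MD4 is not in Go's standard library. The MSCHAPv2 path feeds only the NT hash and an 8-byte challenge into DES and produces 24 bytes, which is exactly what ntlm_auth can verify against the DC (returning the session key for MPPE); the NTLMv2 path takes the user and domain names as key material and produces an HMAC-MD5 proof plus the client blob. That is the input/output mismatch Andrew describes, and why nothing on the RADIUS side can turn one into the other.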

