Re: Can ntlm_auth version 3.5.10 be used to perform ntlmv2 authentication against a w2008 DC?


On Sat, 2012-03-03 at 12:16 +0100, NdK wrote:
> Il 03/03/2012 08:04, Andrew Bartlett ha scritto:
> >> I've recently setup a Squeeze box with FR and samba. Have had to use
> >> "backports" repo since 3.5.6 didn't work and (IIRC) even 3.5.10 gave
> >> troubles. Upgrading to 3.5.11 solved.
> > The big issue here is that MSCHAPv2 is not NTLMv2.  It is only a little
> > more secure than NTLM.  There is a flag in logon_parameters that the
> FR runs ntlm_auth to obtain NT key. So, IIUC, it should do an NTLMv2
> auth in the last step. Am I wrong?

MSCHAPv2 is a derivation of NTLM, not NTLMv2.  FreeRadius sends the
(effective) challenge (based on client and server chosen values, and
salt), and the NT response.  ntlm_auth returns the user session key to
allow FreeRADIUS's client (the VPN endpoint etc) to encrypt the

There is no way to 'upgrade' that to NTLMv2, as NTLMv2 is a different
cryptosystem on input and output. 

What you can however do is set a flag telling the DC 'pretend this was
NTLMv2 for the purposes of the NTLMv2 only rule'.  We need to work out
if this is the right thing to do.

Andrew Bartlett

Andrew Bartlett                      
Authentication Developer, Samba Team 
