Re: samba 4.4.2 freeradius authentication with ntlm_auth

On Fri, 2016-04-15 at 14:06 +0300, barış tombul wrote:
> Hi;
> The Samba team say "It is recommended that administrators set these
> additional options, if compatible with their network environment:"
>
> ntlm auth = no
>
> I use Samba with FreeRADIUS.
>
> I configured "ntlm auth = no", but FreeRADIUS users cannot connect to
> the wifi.
>
> I use ntlm_auth on the FreeRADIUS side.

Yes, this really, really sucks.  MSCHAPv2 is NTLM-based, not NTLMv2-based.
This is despite NTLMv2 being around when they 'designed' this
mechanism.  Sadly no attempt has been made to somehow get an MSCHAPv3
in that uses NTLMv2.

On Windows, setting a special flag allows this horribly insecure
mechanism to work on networks that otherwise only allow NTLMv2.  Samba
does not honour that flag, but I guess I'm going to need to add a
'ntlm_auth = only_for_mschapv2' setting.

In short, MSCHAPv2 protects the network perimeter, yet has worse
security than you would dare to use even on a well-trusted network.

I realise it is often over TLS, but as with another of our CVEs, we
know few clients check certificates, so this isn't any help.

I've been in presentations where they said they could crack it in 24
hours and $100 of cloud-compute time!

I don't know of a good solution here.

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba




-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
