On Fri, 2016-04-15 at 14:06 +0300, barış tombul wrote:
> Hi;
> The Samba team says "It is recommended that administrators set these additional options, if compatible with their network environment:"
>
> ntlm auth = no
>
> I use samba with FreeRadius.
>
> I configure "ntlm_auth = no" but freeradius users are not connected to wifi.
>
> I use ntlm_auth on the FreeRadius side..

Yes, this really, really sucks. MSCHAPv2 is NTLM, not NTLMv2, based. This is despite NTLMv2 being around when they 'designed' this mechanism. Sadly no attempt has been made to somehow get an MSCHAPv3 in that uses NTLMv2.

On Windows, setting a special flag allows this horribly insecure mechanism to work on networks that otherwise only allow NTLMv2. Samba does not honour that flag, but I guess I'm going to need to add an 'ntlm_auth = only_for_mschapv2' setting.

In short, MSCHAPv2 protects the network perimeter, yet has worse security than you would dare to use even on a well-trusted network. I realise it is often over TLS, but as with another of our CVEs, we know few clients check certificates, so this isn't any help. I've been in presentations where they said they could crack it in 24 hours and $100 of cloud-compute time!

I don't know of a good solution here.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba