author: Herwin Weststrate <herwin@quarantainenet.nl> 2015-12-09 18:47:47 +0100
committer: Andrew Bartlett <abartlet@samba.org> 2016-03-11 22:58:18 +0100
commit: 0b500d413c5b76188c0c566318be7079b777237c (patch)
tree: a6482ad1bbc5efb00d012ca166a44c160b86b36b /docs-xml
parent: ad5b9c3df2f2e3c93642fb1c069a6f4c56eb94f4 (diff)
Added MSV1_0_ALLOW_MSVCHAPV2 flag to ntlm_auth
An implementation of https://lists.samba.org/archive/samba/2012-March/166497.html (which has been discussed in 2012, but was never implemented).

It has been tested on a Debian Jessie system with this patch added to the Debian package (which is currently 4.1.17). Even though this is Samba 4, the ntlm_auth installed is the one from Samba 3 (yes, it surprised me too). The backend was a machine with Windows 2012R2.

It was first tested with the local security policy 'Network Security: LAN Manager authentication level' setting changed to 'Send NTLMv2 Response Only' (allow ntlm v1). This way we are able to authenticate with and without the MSV1_0_ALLOW_MSVCHAPV2 flag (as expected).

After the basic step has been verified, the local security policy 'Network Security: LAN Manager authentication level' setting was changed to 'Send NTLMv2 Response Only. Refuse LM & NTLM' (only allow ntlm v2). The behaviour now changed according to the MSV1_0_ALLOW_MSVCHAPV2 flag (again: as expected).

    $ ntlm_auth --request-nt-key --username=XXXXXXXXXXXXX --challenge=XXXXXXXXXXXXXXXXX --nt-response=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX --domain=
    Logon failure (0xc000006d)
    $ ntlm_auth --request-nt-key --username=XXXXXXXXXXXXX --challenge=XXXXXXXXXXXXXXXXX --nt-response=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX --domain= --allow-mschapv2
    NT_KEY: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

The changes in `wbclient.h` are intended for programs that use libwinbind directly instead of authenticating via `ntlm_auth`. I intend to use that within FreeRADIUS (see https://bugzilla.samba.org/show_bug.cgi?id=11149).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11694

Signed-off-by: Herwin Weststrate <herwin@quarantainenet.nl>
Reviewed-by: Kai Blin <kai@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'docs-xml')
-rw-r--r-- docs-xml/manpages/ntlm_auth.1.xml 5
1 files changed, 5 insertions, 0 deletions
diff --git a/docs-xml/manpages/ntlm_auth.1.xml b/docs-xml/manpages/ntlm_auth.1.xml
index 042893acbac..616d537890d 100644
--- a/docs-xml/manpages/ntlm_auth.1.xml
+++ b/docs-xml/manpages/ntlm_auth.1.xml
@@ -381,6 +381,11 @@
</varlistentry>
<varlistentry>
+ <term>--allow-mschapv2</term>
+ <listitem><para>Explicitly allow MSCHAPv2.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
<term>--offline-logon</term>
<listitem><para>Allow offline logons for plain text auth.
</para></listitem>
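Review bot: The new `--allow-mschapv2` entry describes the option only as "Explicitly allow MSCHAPv2.", which does not tell an administrator what the option changes or when it is needed. The commit message has the missing detail: the option corresponds to the MSV1_0_ALLOW_MSVCHAPV2 flag, and in the reported test it made the difference between "Logon failure (0xc000006d)" and a returned NT_KEY once the backend's 'LAN Manager authentication level' was set to 'Send NTLMv2 Response Only. Refuse LM & NTLM'. Suggest expanding the `<para>` to name the flag and that policy setting, and to say that the option lets an MSCHAPv2 response through where the backend otherwise refuses LM and NTLM, so it should be passed only by callers that really carry MSCHAPv2, such as the FreeRADIUS use case mentioned in the message.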