NTLM, MSCHAPv2, squid & freeradius...

Samba - General mailing list

Currently (samba 4 NT-like domains) I use NTLM auth extensively in
freeradius and more mildly in squid, respectively with:

Freeradius (mschap module):
  ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=SANVITO --username=%{mschap:User-Name:-None} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"

squid3:
  auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=SANVITO --require-membership-of="SANVITO\\domusers"


I'm using Debian jessie, with Louis' backport packages, e.g.:
 samba: 2:4.5.12+dfsg-2~bpo8+1
 squid3: 3.4.8-6+deb8u4
 freeradius: 2.2.5+dfsg-0.2+deb8u1


Two questions.

a) Do I have to expect trouble? E.g., has something changed between NT and AD
 mode that can break all the stuff?

b) Is there some better way to integrate an AD domain with
 squid/freeradius?


Thanks.

--
dott. Marco Gaiarin        GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
  Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: NTLM, MSCHAPv2, squid & freeradius...

On Wed, 2018-01-10 at 17:10 +0100, Marco Gaiarin via samba wrote:

> Currently (samba 4 NT-like domains) I use NTLM auth extensively in
> freeradius and more mildly in squid, respectively with:
>
> Freeradius (mschap module):
>   ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=SANVITO --username=%{mschap:User-Name:-None} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
>
> squid3:
>   auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=SANVITO --require-membership-of="SANVITO\\domusers"
>
>
> I'm using Debian jessie, with Louis' backport packages, e.g.:
>  samba: 2:4.5.12+dfsg-2~bpo8+1
>  squid3: 3.4.8-6+deb8u4
>  freeradius: 2.2.5+dfsg-0.2+deb8u1
>
>
> Two questions.
>
> a) Do I have to expect trouble? E.g., has something changed between NT and AD
>  mode that can break all the stuff?
>
> b) Is there some better way to integrate an AD domain with
>  squid/freeradius?

That all looks fine.  In newer Samba versions NTLMv1 (as used in
MSCHAPv2) is disabled by default, see the ntlm auth parameter for
details.

Andrew Bartlett

--
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT  
https://catalyst.net.nz/services/samba
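
A way to check the point raised in the reply, as an added example that is not part of the thread or of Samba: it reads the "ntlm auth" setting from smb.conf text and reports whether the FreeRADIUS mschap command from the first message can still authenticate. The function names are hypothetical; the value names and the --allow-mschapv2 option are taken from the smb.conf(5) and ntlm_auth(1) manual pages of newer Samba releases, and the default of "ntlmv2-only" is an assumption about the installed version.

```python
import shlex

# "ntlm auth" values documented in smb.conf(5); yes/no are aliases.
ALIASES = {"yes": "ntlmv1-permitted", "no": "ntlmv2-only"}
DEFAULT = "ntlmv2-only"  # assumption: a release where NTLMv1 is off by default

# The mschap-module command quoted in the thread.
RADIUS_CMD = ("/usr/bin/ntlm_auth --request-nt-key --domain=SANVITO "
              "--username=%{mschap:User-Name:-None} "
              "--challenge=%{mschap:Challenge:-00} "
              "--nt-response=%{mschap:NT-Response:-00}")


def effective_ntlm_auth(smb_conf_text):
    """Return the effective [global] 'ntlm auth' value from smb.conf text."""
    section, value = None, DEFAULT
    for raw in smb_conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, val = line.split("=", 1)
            # smb.conf ignores case and spaces in parameter names
            if "".join(key.split()).lower() == "ntlmauth":
                val = val.strip().lower()
                value = ALIASES.get(val, val)
    return value


def mschapv2_verdict(smb_conf_text, ntlm_auth_cmd):
    """Report whether an MSCHAPv2 check through ntlm_auth can succeed."""
    mode = effective_ntlm_auth(smb_conf_text)
    args = shlex.split(ntlm_auth_cmd)
    # MSCHAPv2 hands ntlm_auth an NTLMv1-style response via --nt-response
    if not any(a.startswith("--nt-response") for a in args):
        return "n/a: command submits no NT response"
    if mode == "ntlmv1-permitted":
        return "works, but NTLMv1 is accepted from every client"
    if mode == "mschapv2-and-ntlmv2-only":
        if "--allow-mschapv2" in args:
            return "works, NTLMv1 limited to MSCHAPv2"
        return "fails: add --allow-mschapv2 to the ntlm_auth command"
    return "fails: 'ntlm auth = %s' rejects NTLMv1" % mode


if __name__ == "__main__":
    # Constructed smb.conf fragment, not taken from the thread.
    print(mschapv2_verdict("[global]\n  ntlm auth = no\n", RADIUS_CMD))
```

The squid helper line from the thread uses --helper-protocol rather than --nt-response, so the checker reports it as "n/a"; it only models the MSCHAPv2 path.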




