Created attachment 12456: patch

As mentioned in the release notes, Samba 4.5.0 disables 'ntlm auth' by default, which breaks MSCHAPv2 auth. I was looking for a way to fix MSCHAPv2 without having to globally re-enable NTLMv1. Commit 0b500d413c5b76188c0c566318be7079b777237c adds `ntlm_auth --allow-mschapv2` for client-side support for MSV1_0_ALLOW_MSVCHAPV2, but doesn't implement the server side. (It seems this was mainly for authenticating against real Windows servers?) Attached is my first (working) attempt to implement handling of this flag.
What we need is a variant on this patch that changes 'ntlm auth' into a tri-state parameter, with a new, still off-by-default option of 'mschapv2-only', that will allow NTLM authentication only for those domain member clients that promise they are really providing MSCHAPv2 authentication services. This should at least allow the other uses of NTLM authentication to be disabled. To make the option, change: type="boolean" to type="enum" in docs-xml/smbdotconf/security/ntlmauth.xml and then pattern on other enum types in the loadparm code. The main task actually will be to write a test to confirm we allow/deny the right things in the right cases with the new option.
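An added illustration of the allow/deny matrix the comment above asks a test to cover (this is not Samba's code or the attached patch): a small model of the proposed tri-state 'ntlm auth' parameter and the decision of whether an NTLMv1 (and hence MSCHAPv2) response may be validated. The value name `mschapv2-only` is the one proposed in this thread; the bit value used for `MSV1_0_ALLOW_MSVCHAPV2` is assumed (it is the value I believe Windows' ntsecapi.h defines), and the function names are hypothetical.

```python
# Model of the proposed tri-state 'ntlm auth' policy (added example, not Samba code).
from enum import Enum


class NtlmAuth(Enum):
    """Possible values of the 'ntlm auth' smb.conf parameter once it becomes an enum."""
    YES = "yes"                      # NTLMv1 permitted for every client (pre-4.5 behaviour)
    NO = "no"                        # NTLMv1 refused outright; NTLMv2 only (4.5.0 default)
    MSCHAPV2_ONLY = "mschapv2-only"  # proposed: NTLMv1 only when the domain member
                                     # sets MSV1_0_ALLOW_MSVCHAPV2 in the logon request


# Assumed bit value of the MSV1_0_ALLOW_MSVCHAPV2 parameter-control flag
# (treat as an assumption; check ntsecapi.h / librpc/idl/netlogon.idl).
MSV1_0_ALLOW_MSVCHAPV2 = 0x00010000


def parse_ntlm_auth(value: str) -> NtlmAuth:
    """Parse the smb.conf value, keeping the old boolean spellings working."""
    v = value.strip().lower()
    if v in ("yes", "true", "1"):
        return NtlmAuth.YES
    if v in ("no", "false", "0"):
        return NtlmAuth.NO
    if v == "mschapv2-only":
        return NtlmAuth.MSCHAPV2_ONLY
    raise ValueError(f"unknown 'ntlm auth' value: {value!r}")


def ntlmv1_allowed(policy: NtlmAuth, parameter_control: int) -> bool:
    """Decide whether an NTLMv1 response may be validated for this logon request.

    NTLMv2 is unaffected by the policy; this only gates the weaker NTLMv1 path,
    which is what MSCHAPv2 (e.g. a RADIUS server using ntlm_auth) needs.
    """
    if policy is NtlmAuth.YES:
        return True
    if policy is NtlmAuth.NO:
        return False
    # mschapv2-only: trust only clients that promise they are doing MSCHAPv2.
    return bool(parameter_control & MSV1_0_ALLOW_MSVCHAPV2)


def policy_matrix() -> dict:
    """Full allow/deny table: (policy value, flag set?) -> NTLMv1 allowed.

    This is the set of cases a test for the new option should exercise.
    """
    return {
        (p.value, flagged): ntlmv1_allowed(p, MSV1_0_ALLOW_MSVCHAPV2 if flagged else 0)
        for p in NtlmAuth
        for flagged in (False, True)
    }


if __name__ == "__main__":
    for (value, flagged), allowed in policy_matrix().items():
        print(f"ntlm auth = {value:14s} flag={'set':5s}" if flagged
              else f"ntlm auth = {value:14s} flag={'clear':5s}",
              "-> NTLMv1", "ALLOWED" if allowed else "DENIED")
```

Only the third row of the matrix differs between the flag-set and flag-clear cases, which is exactly the property the test should pin down: `yes` and `no` ignore the flag, while the new value lets the flag alone decide. (The value Samba 4.7 eventually shipped is spelled `mschapv2-and-ntlmv2-only` rather than the `mschapv2-only` proposed here.)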
Created attachment 12789: patch halfway-to-v2

Something like this, I assume? (The combinations were manually tested, but I can't quite wrap my head around the Samba testsuite...)
Yes, with testing this would be the correct approach!
I think it is too much to ask from non-Samba core developers to dive into our testsuite infrastructure. Andrew: as Mantas provided the patch and already said that he doesn't get through the testsuite, would you want to add a test maybe?
This should be easier now we have tests demonstrating how to operate SamLogonEx from python.
Fixed by 0623a21250b9c0f5152a003078a4bc4428a284c2 in master for 4.7! Thanks for the patch and for your persistence on this.
Sorry, the commit in master is d139d77ae3dbc490525ac94f46276d790bc2d879.