
[Samba] samba 4.4.2 freeradius authentication with ntlm_auth


barış tombul

Apr 15, 2016, 7:10:03 AM
Hi;
Samba team say "It is recommended that administrators set these additional
options, if compatible with their network environment:"


ntlm auth = no


I use samba with FreeRadius.


I configure "ntlm_ auth = no" but freeradius users not connected to wifi.


I use ntlm_auth in FreeRadius side..


best regards
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
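The two settings the thread turns on, shown side by side in an smb.conf fragment for the AD DC. This is an added illustration, not configuration from the original post. The `mschapv2-and-ntlmv2-only` value of `ntlm auth`, and the matching `--allow-mschapv2` option of `ntlm_auth`, did not exist in Samba 4.4.2; they were added in later Samba releases, so check the smb.conf and ntlm_auth man pages of the version actually deployed.

```ini
[global]
    # Recommended hardening, but it refuses every NTLMv1 authentication at
    # the DC, and MSCHAPv2 (what FreeRADIUS asks ntlm_auth to validate) is
    # built on the NTLMv1 response, so this breaks the wifi logins.
    ; ntlm auth = no

    # Later Samba releases: NTLMv1 stays refused except when the caller
    # marks the request as MSCHAPv2 (the one-bit MSV1_0_ALLOW_MSVCHAPV2
    # flag discussed in this thread). The member server running
    # FreeRADIUS must then invoke ntlm_auth with --allow-mschapv2.
    ntlm auth = mschapv2-and-ntlmv2-only
```

Note the parameter is spelled `ntlm auth` with a space in smb.conf; a value Samba does not recognise is not silently ignored in the way a mistyped key is, so run `testparm` after editing.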

Luca Olivetti

Apr 15, 2016, 7:50:03 AM
On 15/04/16 at 13:06, barış tombul wrote:
> Hi;
> Samba team say "It is recommended that administrators set these additional
> options, if compatible with their network environment:"
>
>
> ntlm auth = no
>
>
> I use samba with FreeRadius.
>
>
> I configure "ntlm_ auth = no" but freeradius users not connected to wifi.
>
>
> I use ntlm_auth in FreeRadius side..
>


I found this
http://freeradius.1045715.n5.nabble.com/NTLMv2-with-FreeRADIUS-td5726394.html

and this

http://freeradius.1045715.n5.nabble.com/definitive-info-on-authenticating-to-AD-via-NTLMv2-td5719249.html

"The problem here is that Samba doesn't have any way to set
MSV1_0_ALLOW_MSVCHAPV2 when calling the relevant RPC. This is a trivial,
one-bit flag."

I don't know if this "trivial one-bit flag" made into samba or not :-(


Bye
--
Luca Olivetti
Wetron Automation Technology http://www.wetron.es/
Tel. +34 93 5883004 (Ext.3010) Fax +34 93 5883007

Luca Olivetti

Apr 15, 2016, 9:20:03 AM
On 15/04/16 at 13:45, Luca Olivetti wrote:
> On 15/04/16 at 13:06, barış tombul wrote:
>> Hi;
>> Samba team say "It is recommended that administrators set these
>> additional
>> options, if compatible with their network environment:"
>>
>>
>> ntlm auth = no
>>
>>
>> I use samba with FreeRadius.
>>
>>
>> I configure "ntlm_ auth = no" but freeradius users not connected to
>> wifi.
>>
>>
>> I use ntlm_auth in FreeRadius side..
>>
>
>
> I found this
> http://freeradius.1045715.n5.nabble.com/NTLMv2-with-FreeRADIUS-td5726394.html
>
>
> and this
>
> http://freeradius.1045715.n5.nabble.com/definitive-info-on-authenticating-to-AD-via-NTLMv2-td5719249.html
>
>
> "The problem here is that Samba doesn't have any way to set
> MSV1_0_ALLOW_MSVCHAPV2 when calling the relevant RPC. This is a trivial,
> one-bit flag."
>
> I don't know if this "trivial one-bit flag" made into samba or not :-(

I checked the 4.4.1 sources and, no, it's not there.

Louis Munro

Apr 15, 2016, 9:40:04 AM

> On Apr 15, 2016, at 7:45 , Luca Olivetti <lu...@wetron.es> wrote:
>
> On 15/04/16 at 13:06, barış tombul wrote:
>> Hi;
>> Samba team say "It is recommended that administrators set these additional
>> options, if compatible with their network environment:"
>>
>>
>> ntlm auth = no
>>
>
> "The problem here is that Samba doesn't have any way to set
> MSV1_0_ALLOW_MSVCHAPV2 when calling the relevant RPC. This is a trivial,
> one-bit flag."
>
> I don't know if this "trivial one-bit flag" made into samba or not :-(



I’ve also been reading the same posts since Tuesday, trying to figure out what is the actual exposure when running a (patched) AD and (patched) winbind.

It seems to come down to one question.

Assuming ntlm_auth sending NTLMv1 and that someone was able to intercept traffic between winbindd and Active-Directory, how secure is the encryption?
Are we only relying on the hashing of the password?
Or is there a more secure type of encryption between winbind and Active-Directory which prevents collecting traffic and then getting the passwords out using something like a rainbow table, as the badlock website seems to imply?

Does anyone know the answer to that one?

Regards,
--
Louis Munro

Andrew Bartlett

Apr 15, 2016, 3:20:04 PM
On Fri, 2016-04-15 at 14:06 +0300, barış tombul wrote:
> Hi;
> Samba team say "It is recommended that administrators set these
> additional
> options, if compatible with their network environment:"
>
>
> ntlm auth = no
>
>
> I use samba with FreeRadius.
>
>
> I configure "ntlm_ auth = no" but freeradius users not connected to
> wifi.
>
>
> I use ntlm_auth in FreeRadius side..

Yes, this really, really sucks. MSCHAPv2 is NTLM, not NTLMv2 based.
This is despite NTLMv2 being around when they 'designed' this
mechanism. Sadly no attempt has been made to somehow get an MSCHAPv3
in that uses NTLMv2.

On Windows, setting a special flag allows this horrible insecure
mechanism to work on networks that otherwise only allow NTLMv2. Samba
does not honour that flag, but I guess I'm going to need to add a
'ntlm_auth = only_for_mschapv2' setting.

In short, MSCHAPv2 protects the network perimeter, yet has worse
security than you would dare to use even on a well-trusted network.

I realise it is often over TLS, but as with another of our CVEs, we
know few clients check certificates, so this isn't any help.

I've been in presentations where they said they could crack it in 24
hours and $100 of cloud-compute time!

I don't know of a good solution here.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba

Louis Munro

Apr 15, 2016, 6:00:06 PM

> On Apr 15, 2016, at 15:06 , Andrew Bartlett <abar...@samba.org> wrote:
>
>
> Yes, this really, really sucks. MSCHAPv2 is NTLM, not NTLMv2 based.
> This is despite NTLMv2 being around when they 'designed' this
> mechanism. Sadly no attempt has been made to somehow get an MSCHAPv3
> in that uses NTLMv2.
>
> On Windows, setting a special flag allows this horrible insecure
> mechanism to work on networks that otherwise only allow NTLMv2. Samba
> does not honour that flag, but I guess I'm going to need to add a
> 'ntlm_auth = only_for_mschapv2' setting.
>
> In short, MSCHAPv2 protects the network perimeter, yet has worse
> security than you would dare to use even on a well-trusted network.
>
> I realise it is often over TLS, but as with another of our CVEs, we
> know few clients check certificates, so this isn't any help.
>
> I've been in presentations where they said they could crack it in 24
> hours and $100 of cloud-compute time!
>
> I don't know of a good solution here.
>

Hi Andrew,

Just to make sure I understand this thoroughly and that there is no ambiguity:

I knew that MSCHAPv2 is easily broken these days.
I also realize that in the case of FreeRADIUS the MSCHAPv2 authentication terminates at the radius server, inside a TLS tunnel.

The question for me then is how secure is the ntlmv1 going from FreeRADIUS (via winbind) to the Active Directory server?
I am a bit afraid of the answer to be honest.

Should we start investing in IPsec for that part of the authentication?

Thank you for your help,
--
Louis Munro

Andrew Bartlett

Apr 15, 2016, 6:20:03 PM
Yes. The presentations I attended at kiwicon last year cast doubt on
the security of that from an active attacker (trivial for Wifi), but
yes, for passive monitoring it should be OK.

> The question for me then is how secure is the ntlmv1 going from
> FreeRADIUS (via winbind) to the Active Directory server?
> I am a bit afraid of the answer to be honest.

That is well protected in a modern winbindd. We require schannel to
encrypt this communication over the NETLOGON pipe.

> Should we start investing in IPsec for that part of the
> authentication?

There is no need for that specific element.

I hope this clarifies things,

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
