ntlm_auth

Dean, Barry B.Dean at liverpool.ac.uk
Mon Mar 17 16:29:08 CET 2008


I know this is not strictly a FreeRADIUS problem, but I am betting someone on this list has been here and got the tee shirt!

I have joined my two RADIUS servers (FreeRADIUS 2.0.2, Solaris 10 x86, winbindd 3.0.25a) to our AD domain with the "net join" command. This worked (eventually!).

Now when I test "ntlm_auth" I get the following odd goings-on:

Scenario A: Works

	Type: ntlm_auth --username=USER --password=PASSWORD --domain=DOMAIN
	Result: NT_STATUS_OK: Success (0x0)

Scenario B: FAILS

	Type: ntlm_auth --username=USER --domain=DOMAIN
		password: <PASSWORD>

	Result: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)

What's different about the password handling between A and B?

The upshot is that the command issued by FreeRADIUS:

ntlm_auth = "/usr/sfw/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"

Also fails.

So my MSCHAPv2 auth is now broken.

This worked with our Test AD environment fine. I am told the only difference between test/production is:

1) Production is in "native mode"
2) Production supports logins using both "USER\DOMAIN" and "USER at DOMAIN" forms.

If the answer to my problem is "Ask the Samba list", I'll pop over there!

Thanks in advance.


---------------
Barry Dean
Networks Team

More information about the Freeradius-Users mailing list