UPN and mschap issues
Franks Andy (IT Technical Architecture Manager)
Andy.Franks at sath.nhs.uk
Fri Nov 27 11:25:57 CET 2015
Thanks Phil,
Suspected as much, I've checked the previous Samba mailing lists but can't see much, I'll give it a go anyway, posted here as it may have been a common issue, or someone may have jumped up and said "highly experimental feature X/ *libwbclient?* fixes that"..
Thanks again
Andy
> Anything inside the EAP tunnel doesn't like you playing with the
> username though, so we can't do UPN based MSCHAPv2 lookup - UPN format
> doesn't work, as far as I can tell, with the ntlm_auth program and I
> can't update the username. I can force the mschap auth process to use
> an alternative user name, but the hash then doesn't work, and I can't
> work out how to update the mschap:user-name. All this is
Altering the in-packet username or the username on the ntlm_auth command line is futile; as you've indicated, the client does the crypto on the basis of the UPN, and that's what you need to pass to ntlm_auth so that it can be in turn passed to the DC and mixed into the chal/resp verification/calculation correctly.
I was under the impression that ntlm_auth should work with a UPN where LHS != samaccountname, but it's really a Samba question - I'd suggest asking on the Samba list.
I don't have any easy way to test locally I'm afraid.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
More information about the Freeradius-Users
mailing list