On Jan 22, 2025, at 11:35 AM, Gopal Raman via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
I 'm running PEAP authentication with my Radius server running on Ubuntu 22.04 and the same box also runs Samba 4 and is configured as an AD Domain Controller (just for testing). I want to use NTLM to do the MS-Chapv2 challenge response. I followed the Freeradius documentation that shows how to use ntlm_auth to get the NT-KEY and it works as expected when I invoke it like so from the bash shell
That's good.
But what I really want is for the Radius server to run on a separate Linux host (say RadSrv) and talk to an external DC (like a Microsoft server).
You will need a Samba system to talk to AD. FreeRADIUS then talks to Samba. The Samba system doesn't need to be the same as the FreeRADIUS system.
I've made RadSrv a member of the AD domain. When I run the exact same ntlm_auth on the RadSrv host, it reports that the password is incorrect and does not produce the NT-KEY.
That's likely a Samba configuration issue.
My question is whether using Samba it's even possible to do what I'm attempting. In other words should a domain member (not the DC) be able to run ntlm_auth and achieve the same result ?
Yes. You need to configure Samba properly for this. Alan DeKok.