On Aug 29, 2019, at 9:56 AM, Alan DeKok <aland@deployingradius.com> wrote:
The possible problems are:
a) the program is run under a different UID, and therefore can't access the resources it needs when run under a different UID
b) the parameters passed to the program are different in the situations when it works, and when it doesn't work
The only *other* choice is that the client is doing MS-CHAP calculations wrong. FreeRADIUS just packages that up and sends it to ntlm_auth. So if the calculations are wrong, then ntlm_auth will return "fail", even when ntlm_auth and samba are configured correctly. That can be tested by doing a test without ntlm_auth, and a locally configured password. If that works, then the client is fine. And, the problem isn't FreeRADIUS. Because FreeRADIUS can authenticate users just fine. Alan DeKok.