Tomáš Janeček wrote:
MYNTDOMAIN is just a fake Domain name I pasted in the log. But ntlm_auth on server uses my real domain...
I see the error announced by ntlm_auth, but don't know how to repair it. When I run ntlm_auth --request-nt-key --domain=MYREALNTDOMAIN --username=user and provide the password, everything works fine...
The Windows machine is member of domain (for few months).
Isn't there a problem with the PLAINTEXT?
No. ntlm_auth will take the MS-CHAP data, and send it to Active Directory. AD *should* use that to authenticate the user, and return ok/fail. To test MS-CHAP, I suggest using eapol_test, from wpa_supplicant. See src/tests/eap-ttls-mschap.conf for a sample configuration. 1) test ntlm_auth on the command-line with clear-text passwords 2) test EAP-TTLS + MSCHAP with eapol_test, and a user in the "users" file. 3) test EAP-TTLS + MSCHAP with eapol_test, and the username/password from (1). 4) test it with a real supplicant. Alan DeKok.