On 26 Mar 2018, at 17:12, Alex Sharaz via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
I'm using winbindd on our Tier 1 FR servers. Guess I need to create another mschap instance specifically for machine auths and point it at another part of the AD tree.
I have never gotten machine authentication to work so have no idea what I'm talking about, but would that be necessary? Unless you've written some samba config to change the behaviour, I believe ntlm_auth looks at the entire tree - ntlm_auth/libwbclient are happy to authenticate any valid user regardless of position in the tree. The wiki mentions an interesting snippet of information - it suggests you might need to send "00" as the username: http://wiki.freeradius.org/guide/freeradius-active-directory-integration-how... I'd also look suspiciously at how the backslashes are being handled (packet capture and see what's really being put on the wire?), and the docs by nt_domain_hack in rlm_preprocess, which suggest you may need to mangle the username. Adam Bishop gpg: E75B 1F92 6407 DFDF 9F1C BF10 C993 2504 6609 D460 jisc.ac.uk Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800. Jisc Services Limited is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under company number 2881024, VAT number GB 197 0632 86. The registered office is: One Castle Park, Tower Hill, Bristol BS2 0JA. T 0203 697 5800.