I 'm running PEAP authentication with my Radius server running on Ubuntu 22.04 and the same box also runs Samba 4 and is configured as an AD Domain Controller (just for testing). I want to use NTLM to do the MS-Chapv2 challenge response. I followed the Freeradius documentation that shows how to use ntlm_auth to get the NT-KEY and it works as expected when I invoke it like so from the bash shell # ntlm_auth --allow-mschapv2 --request-nt-key --domain=CN.LAN --username=nileadmin --challenge=eaea1458abf1a0b7 --nt-response=8f9ab8760a15cd40f2686c5a4c7954922ed17fb9f4cad7b3 Using the the NT-KEY the Radius server is able to complete the PEAP handshake with the client But what I really want is for the Radius server to run on a separate Linux host (say RadSrv) and talk to an external DC (like a Microsoft server). I've made RadSrv a member of the AD domain. When I run the exact same ntlm_auth on the RadSrv host, it reports that the password is incorrect and does not produce the NT-KEY. My question is whether using Samba it's even possible to do what I'm attempting. In other words should a domain member (not the DC) be able to run ntlm_auth and achieve the same result ? I can share smb.conf and other details on the DC and member if needed. Thanks Gopal Raman