Hai, Im new here, so please be nice if i missed a thing. Im having problem to get my ntlm_auth working with freeradius. My Setup: Debian Buster Samba 4.10.7 ( running winbind only ) My winbind auth works fine, server is domain joined. Squid is also configured on this server which also uses winbind and kerberos for authentication. SSH uses kerberos authentication, and im using nfsv4 kerberizes automounted homedirs for the users. This all works fine. Now im adding freeradius. So i hope with a little bit of help, someone can point to me what i did wrong. Im following the site http://deployingradius.com Steps 1-4 all done and all working. Only i use my own certificates here. This is the running samba config : [global] # Auth-Only setup with winbind. ( no Shares ) workgroup = NTDOM security = ADS realm = MY.REALM.TLD netbios name = HOSTNAME preferred master = no domain master = no host msdfs = no dns proxy = yes interfaces = eth0 lo bind interfaces only = yes log level = 1 #Add and Update TLS Key tls enabled = yes tls keyfile = /etc/ssl/private/my.key.pem tls certfile = /etc/ssl/certs/my.cert.pem tls cafile = /etc/ssl/certs/my-ca.cert.pem ## map id's outside to domain to tdb files. idmap config *: backend = tdb idmap config *: range = 2000-9999 ## map ids from the domain and (*) the range may not overlap ! idmap config NTDOM : backend = ad idmap config NTDOM : schema_mode = rfc2307 idmap config NTDOM : range = 10000-3999999 #4.6+ ( get primary group from AD ) idmap config NTDOM : unix_nss_info = yes #4.6+ ( get primary group from unix primary group ) idmap config NTDOM : unix_primary_group = yes kerberos method = secrets and keytab dedicated keytab file = /etc/krb5.keytab # renew the kerberos ticket winbind refresh tickets = yes # We strip the domain (NTDOM\username) to username winbind use default domain = yes # use: getent passwd username to check. # enabled slows down you samba. winbind enum users = no winbind enum groups = no # enable offline logins # Not on a VPN server. #winbind offline logon = no # check depth of nested groups, ! slows down you samba, if to much groups depth # Not needed on the VPN server. #winbind expand groups = 4 # Added for freeradius ntlm auth = mschapv2-and-ntlmv2-only # user Administrator workaround, without it you are unable to set privileges username map = /etc/samba/samba_usermapping # disable usershares creating usershare path = # Disable printing completely load printers = no printing = bsd printcap name = /dev/null disable spoolss = yes # For ACL support on member servers with shares vfs objects = acl_xattr map acl inherit = Yes store dos attributes = Yes ######## SHARE DEFINITIONS ################ I've proceded to : http://deployingradius.com/documents/configuration/active_directory.html I've edited : /etc/freeradius/3.0/users and tested it. radtest user password localhost 0 testing123 This all works with : DEFAULT Auth-Type = ntlm_auth enabled. Im now at : Configuring FreeRADIUS to use ntlm_auth for MS-CHAP Now i remove DEFAULT Auth-Type = ntlm_auth from /etc/freeradius/3.0/users I edited : /etc/freeradius/3.0/mods-available/mschap As suggested on the site, but that did not work. I used: ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --allow-mschapv2 \ --username=%{mschap:User-Name:-None} \ --domain=%{%{mschap:NT-Domain}:-NTDOM} \ --challenge=%{mschap:Challenge:-00} \ --nt-response=%{mschap:NT-Response:-00}" Tried with and without the --mschapv2 and/or the --domain=%{%{mschap:NT-Domain}:-NTDOM}. That did not work when testing with : radtest -t mschap bob hello localhost 0 testing123 Or with radtest -t mschap username password localhost 0 testing123 Where this username and password is 10000000000% sure correct. ;-) I also noticed these : # winbind_username = "%{mschap:User-Name}" # winbind_domain = "%{mschap:NT-Domain}" # and i checked that lbwbclient is installed. libwbclient0:amd64 2:4.10.7-0.1~deb10 But also did not work. Note, # An alternative to using ntlm_auth is to connect to the # winbind daemon directly for authentication. This option # is likely to be faster and may be useful on busy systems, # but is less well tested. This is one i like but first i need the basic ntlm_auth working. Or kerberos auth, i have not added the radius/SPN yet to the keytab file. When i now run radtest username ... .. This is the output. What im a doing wrong, or what did i miss. radtest -t mschap username password localhost 0 testing123 Ready to process requests (0) Received Access-Request Id 126 from 127.0.0.1:60982 to 127.0.0.1:1812 length 131 (0) User-Name = "username" (0) NAS-IP-Address = 192.168.xxx.xxx (0) NAS-Port = 10 (0) Message-Authenticator = 0x18e47fd9598eba89c40254557077f7ff (0) MS-CHAP-Challenge = 0x08243010dec6eb38 (0) MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000e386418de8527edff1949800324f8f34d4716529e6176b1c (0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap' (0) [mschap] = ok (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "username", looking up realm NULL (0) suffix: No such realm "NULL" (0) [suffix] = noop (0) eap: No EAP-Message, not doing EAP (0) [eap] = noop (0) [files] = noop (0) [expiration] = noop (0) [logintime] = noop (0) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type (0) pap: WARNING: Authentication will fail unless a "known good" password is available (0) [pap] = noop (0) } # authorize = ok (0) Found Auth-Type = mschap (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (0) authenticate { (0) mschap: Client is using MS-CHAPv1 with NT-Password (0) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --allow-mschapv2 --username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-NTDOM} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}: (0) mschap: EXPAND --username=%{mschap:User-Name:-None} (0) mschap: --> --username=username (0) mschap: ERROR: No NT-Domain was found in the User-Name (0) mschap: EXPAND --domain=%{%{mschap:NT-Domain}:-NTDOM} (0) mschap: --> --domain=NTDOM (0) mschap: mschap1: 08 (0) mschap: EXPAND --challenge=%{mschap:Challenge:-00} (0) mschap: --> --challenge=08243010dec6eb38 (0) mschap: EXPAND --nt-response=%{mschap:NT-Response:-00} (0) mschap: --> --nt-response=e386418de8527edff1949800324f8f34d4716529e6176b1c (0) mschap: ERROR: Program returned code (1) and output 'The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)' (0) mschap: External script failed (0) mschap: ERROR: External script says: The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d) (0) mschap: ERROR: MS-CHAP2-Response is incorrect (0) [mschap] = reject (0) } # authenticate = reject (0) Failed to authenticate the user (0) Using Post-Auth-Type Reject (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (0) Post-Auth-Type REJECT { (0) attr_filter.access_reject: EXPAND %{User-Name} (0) attr_filter.access_reject: --> username (0) attr_filter.access_reject: Matched entry DEFAULT at line 11 (0) [attr_filter.access_reject] = updated (0) [eap] = noop (0) policy remove_reply_message_if_eap { (0) if (&reply:EAP-Message && &reply:Reply-Message) { (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (0) else { (0) [noop] = noop (0) } # else = noop (0) } # policy remove_reply_message_if_eap = noop (0) } # Post-Auth-Type REJECT = updated (0) Delaying response for 1.000000 seconds Waking up in 0.2 seconds. Waking up in 0.7 seconds. (0) Sending delayed response (0) Sent Access-Reject Id 126 from 127.0.0.1:1812 to 127.0.0.1:60982 length 61 (0) MS-CHAP-Error = "\000E=691 R=1 C=0b9be1dfc950ab3e V=2" Waking up in 3.9 seconds. (0) Cleaning up request packet ID 126 with timestamp +4 Ready to process requests If anyone has some suggestions what i did wrong or what did i miss, i would be greatfull. Im lost.. Greetz, Louis