Nathan L. Cable nathan at filmwest.com
Sun Aug 6 04:41:47 CEST 2006

Hi all,

I am trying to set up FreeRadius (1.09.5-1.2, bundled with Redhat FC5) to
authenticate off of a Win2k3 server.  I have tested the setup, and
everything works fine.  However, we run quite a large domain, and I would
like to restrict access to users in appropriate groups.  I can do that if I
use the SID for the group, but not if I want to use the regular group name.

For example, the following will work when put in the MSCHAP module:

ntlm_auth = "/usr/bin/ntlm_auth --require-membership-of=S-1-2-3-4
--request-nt-key --domain=MYDOMAIN.COM --username=%{mschap:User-Name}
--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"

However, when I use a Windows group, such as the following...

ntlm_auth = "/usr/bin/ntlm_auth --require-membership-of='WKGRP/Wireless
Users' --request-nt-key --domain=MYDOMAIN.COM --username=%{mschap:User-Name}
--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"

...FreeRadius spits out the following error message:

Winbindd lookupname failed to resolve 'WKGRP\Wireless into a SID!

What appears to be happening is that when Radius gets to the space in the
group name, it jumps to the next argument in the line, disregarding the "
Users'" part of the group.  I've tried several different variations on
escape characters, with no success.

Just as further info, I have also been able to successfully run the
ntlm_auth program outside of radius with the offending command, and it works.

What is the appropriate syntax to use when using long group names in the
radiusd.conf file, or will I need to stick to using Windows SID numbers?

Thanks for your time (and thought),

Nathan Cable
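As an added illustration (not part of Nathan's message and not FreeRADIUS code), the script below reproduces the symptom he describes: when the ntlm_auth argument string is tokenised on whitespace alone, the quoted group name "WKGRP/Wireless Users" is cut at the space and the trailing "Users'" becomes a stray argument, whereas a quote-aware tokeniser keeps it intact and the SID form is unaffected either way. The argument strings are constructed from the ones in the post with a placeholder user name in place of the %{mschap:...} expansions; the function names are my own.

```python
import shlex

# Constructed sample argument strings, modelled on the two ntlm_auth lines in the
# post. "alice" stands in for the %{mschap:User-Name} expansion; the challenge and
# NT-response arguments are omitted because they do not affect tokenising.
NTLM_AUTH_BY_SID = (
    "/usr/bin/ntlm_auth --require-membership-of=S-1-2-3-4 "
    "--request-nt-key --domain=MYDOMAIN.COM --username=alice"
)
NTLM_AUTH_BY_NAME = (
    "/usr/bin/ntlm_auth --require-membership-of='WKGRP/Wireless Users' "
    "--request-nt-key --domain=MYDOMAIN.COM --username=alice"
)

MEMBERSHIP_PREFIX = "--require-membership-of="


def naive_split(cmd):
    """Whitespace-only tokenising: quotes are ordinary characters, so a space
    inside a quoted value starts a new argument (the behaviour described in
    the post)."""
    return cmd.split()


def quoted_split(cmd):
    """Shell-style tokenising that honours single and double quotes and strips
    them, so 'WKGRP/Wireless Users' stays one argument."""
    return shlex.split(cmd)


def membership_arg(argv):
    """Return the value that would reach --require-membership-of, or None."""
    for arg in argv:
        if arg.startswith(MEMBERSHIP_PREFIX):
            return arg[len(MEMBERSHIP_PREFIX):]
    return None


def stray_tokens(argv):
    """Tokens after the program path that are not options: these are the
    fragments a broken split leaves behind (e.g. the trailing Users')."""
    return [arg for arg in argv[1:] if not arg.startswith("--")]


def compare(cmd):
    """Summarise how the same argument string is seen under both tokenisers."""
    naive, quoted = naive_split(cmd), quoted_split(cmd)
    return {
        "naive_group": membership_arg(naive),
        "naive_stray": stray_tokens(naive),
        "quoted_group": membership_arg(quoted),
        "quoted_stray": stray_tokens(quoted),
    }


if __name__ == "__main__":
    for label, cmd in (("SID", NTLM_AUTH_BY_SID), ("name", NTLM_AUTH_BY_NAME)):
        print(label, compare(cmd))
```

Running it shows the SID form yielding the same group value under both tokenisers, while the group-name form under the naive split hands ntlm_auth the truncated value 'WKGRP/Wireless (quote included), which matches the "failed to resolve 'WKGRP\Wireless into a SID" error in the post.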

