ntlm_auth authentication against multiple ADS domains

Phil Mayers p.mayers at imperial.ac.uk
Fri Feb 9 12:16:45 CET 2007


Dow, Corey wrote:
> 
> Ntlm_auth --request-nt-key --DOMAIN=XYZ --username=jdoe

This has been mentioned a few times in the archives, I believe without 
resolution. I'm not certain it works without some level of fiddling - 
it's been a while and my samba/ntdom/kerb skills are two years rusty, 
but I can envisage needing to enable permissions.

Specifically the ntlm_auth helper executes an MS-RPC against the DC. 
You'll need to both authenticate to the DC in the other domain *and* 
have permissions to execute that RPC.

You might ask on the Samba mailing list - they'll have more familiarity 
with the vagaries of the NT domain protocols and trusts. Do please let 
us know if you do and get an answer.

> 
> But I get an NT_STATUS_IO_TIMEOUT. 

Interesting. If you wireshark at the same time, what can you see Samba doing?


