Using ntlm_auth with AD subdomains

Alan DeKok aland at
Tue Aug 5 07:19:47 CEST 2008

Dow, Corey wrote:
> ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"

  Where is the NT-Domain supposed to come from?

> The bottom line when I look at radiusd -X is that the challenge fails because only is applied:
> WARNING: Attempt to use unknown xlat function, or non-existent attribute in string %{NT-Domain}

  So... there's no NT-Domain, and the domain is used.  This
is what you configured.

> Sorry so wordy.  Can anyone think of a way to get this working for both the parent/child domains ?

  Step 1: get it working from the command line with the --domain
argument.  The tests you showed did *not* use the --domain argument...
yet you configured this in the mschap module.

  Step 2: Get the --domain=<foo> argument to expand properly for each
domain.  This involves configuring policy checks...

  Alan DeKok.

More information about the Freeradius-Users mailing list