Authenticating machine accounts off smbpasswd using the passwd module.

Josh Hiner josh at
Mon Feb 23 19:47:15 CET 2009

I am trying to setup machine authentication via peapv0. I have 
authentication working if I use a regular username and password stored 
in /etc/samba/smbpasswd. When I check the "authenticate as computer" box 
in the windows XP supplicant and run radiusd in debug mode, windows 
sends the machine username as host\machinename.

I setup a host\ realm to strip off the host part but then I noticed that 
all machine accounts in /etc/smbpasswd are in full capitalization 
regardless of the capitalization of the machine name. For instance. The 
machine name of the computer is cc20000 but the machine account is 
stored in smbpasswd as CC20000! So I manipulated the entry to be lower 
case to see if that would authenticate the machine. Nope, Freeradius 
reads the last value in the machine account entry in the smbpasswd file 
as the account control entry (which is correct) and the mschap module 
says the account is disabled or a special account (which it is) and 
fails authentication.

My question is... can I authenticate machines using the passwd module 
and the smbpasswd file? I cannot use the ntlm_auth method. I am running 
freeradius on the same server as the domain controller and for some 
reason ntlm_auth cannot find a domain controller when run on the same 
machine. It can if ran on a separate box. Running freeradius on a 
separate box is not an option so I must use /etc/smbpasswd.

Thanks! -Josh

More information about the Freeradius-Users mailing list