Authenticating machine accounts off smbpasswd using the passwd module.
josh at remc1.org
Mon Feb 23 19:47:15 CET 2009
I am trying to setup machine authentication via peapv0. I have
authentication working if I use a regular username and password stored
in /etc/samba/smbpasswd. When I check the "authenticate as computer" box
in the windows XP supplicant and run radiusd in debug mode, windows
sends the machine username as host\machinename.
I setup a host\ realm to strip off the host part but then I noticed that
all machine accounts in /etc/smbpasswd are in full capitalization
regardless of the capitalization of the machine name. For instance. The
machine name of the computer is cc20000 but the machine account is
stored in smbpasswd as CC20000! So I manipulated the entry to be lower
case to see if that would authenticate the machine. Nope, Freeradius
reads the last value in the machine account entry in the smbpasswd file
as the account control entry (which is correct) and the mschap module
says the account is disabled or a special account (which it is) and
My question is... can I authenticate machines using the passwd module
and the smbpasswd file? I cannot use the ntlm_auth method. I am running
freeradius on the same server as the domain controller and for some
reason ntlm_auth cannot find a domain controller when run on the same
machine. It can if ran on a separate box. Running freeradius on a
separate box is not an option so I must use /etc/smbpasswd.
More information about the Freeradius-Users