NTLM Auth Help

Rupert Finnigan rupert.finnigan at googlemail.com
Tue Jun 2 21:00:19 CEST 2009


2009/6/2 <A.L.M.Buxey at lboro.ac.uk>

> why?  with recent versions of FreeRADIUS this just works(tm) with no
> rewriting needed
> - just ensure that the ntlm_auth line has the correct arguments and
> you have the ntdomain stuff turned on .

I've tried, and can't make the default work. I've got three domains with
users and machines in them. The default ntlm_auth line is fine for users,
but it doesn't work for machines. If I
leave --username=%{mschap:User-Name:-None} and
--domain=%{mschap:NT-Domain:-DEFAULTDOMAIN} (obviously, default domain is
modified) in place then for users it's fine - the username and domain are
filled in based on the details supplied by the MS supplicant. Machines fail
though - even for machines that are in the "default domain".

If I follow the logic as supplied by Neil, and remove the "--domain" option
then this works fine for all users in all domains, and machines in same
domain that winbind was joined to, but not machines from remote domains. If
I leave the "--domain" option in, then as the "host/" username doesn't
contain the netbios version of the domain then "%{mschap:NT-Domain} " is
unknown and the default domain is filled in, and this seems to break all
machine authentication... External Program returns "Logon failure".

I can't really see any way to resolve this, other than modifying the
ntlm_auth line based on some unlang logic to cut out the uk, us, and au bit
from the "X.mycompany.local" supplied domain name in the "host/" username.
Is this even possible though?

Am I overlooking something here?
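The domain derivation the post asks about, written out as an added example (not code from the thread, from FreeRADIUS or from Samba): a "host/" identity carries no NT-Domain, so the DNS suffix after the hostname is mapped to a NetBIOS domain, while ordinary users keep the domain the supplicant supplied. This is the logic an unlang rule would have to express before the ntlm_auth line runs; the suffix map, the NetBIOS names and DEFAULT_DOMAIN are assumed placeholders.

```python
import re
from typing import List, Optional

# Constructed mapping of AD DNS suffixes to NetBIOS domain names. The three
# regional domains follow the post; the NetBIOS names are placeholders.
DNS_TO_NETBIOS = {
    "uk.mycompany.local": "UK",
    "us.mycompany.local": "US",
    "au.mycompany.local": "AU",
}
# Stand-in for the DEFAULTDOMAIN fallback in the original ntlm_auth line.
DEFAULT_DOMAIN = "UK"

# Machine identities arrive as "host/<hostname>.<dns-suffix>" with no NT-Domain.
HOST_RE = re.compile(r"^host/([^./]+)\.(.+)$", re.IGNORECASE)


def resolve_domain(user_name: str, nt_domain: Optional[str]) -> Optional[str]:
    """Pick the --domain value ntlm_auth should receive.

    user_name: %{mschap:User-Name}; nt_domain: %{mschap:NT-Domain}, or None
    when the supplicant sent a bare identity (always the case for host/ names).
    Returns None when a machine's DNS suffix is unknown, so the caller can
    reject explicitly instead of handing winbind the wrong domain.
    """
    m = HOST_RE.match(user_name)
    if m:
        suffix = m.group(2).lower()
        return DNS_TO_NETBIOS.get(suffix)
    # Ordinary user: trust the domain the supplicant supplied, else the default.
    return nt_domain or DEFAULT_DOMAIN


def ntlm_auth_args(user_name: str, nt_domain: Optional[str]) -> List[str]:
    """Build the variable part of the ntlm_auth command line, or raise."""
    domain = resolve_domain(user_name, nt_domain)
    if domain is None:
        raise ValueError(f"no NetBIOS domain known for identity {user_name!r}")
    # The username is passed through unchanged; only the domain is derived.
    return [f"--username={user_name}", f"--domain={domain}"]


if __name__ == "__main__":
    for ident, dom in [("host/pc01.uk.mycompany.local", None),
                       ("jsmith", "US"), ("jsmith", None)]:
        print(ntlm_auth_args(ident, dom))
```

An unmapped machine suffix is rejected with an error rather than silently falling back to the default domain, which is the failure mode the post describes.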

