How to setup Freeradius in a Domain

Phil Mayers p.mayers at imperial.ac.uk
Thu Jul 14 11:42:58 CEST 2011


On 14/07/11 08:45, Johan Meiring wrote:
> On 2011/07/13 06:51 PM, Phil Mayers wrote:
>>
>> If you are using Samba as your domain controllers, then you have
>> access to
>> the SAM and can extract the LM/NT hash from whatever backend you use.
>>
>> So you can just feed that info straight to FreeRADIUS. No need to use
>> ntlm_auth / samba membership - just dump the NT hashes somewhere
>> FreeRADIUS
>> can get at them, or if you're using LDAP, point FreeRADIUS at that LDAP
>> server and make sure it can read the ntPassword attribute.
>>
>> This is preferable to using ntlm_auth in fact.
>
> OK...
>
> So the ntlm_auth "hack" is just because a Microsoft Domain

Point of clarity: It's not a hack. It's the same thing Windows does - 
this is how IAS/NPS authenticates MS-CHAP. That's what the RPC call is 
for, and they are core, documented Microsoft authenticator APIs.

> Controller/LDAP refuses to share the ntPassword attribute with anyone
> that does not look like Microsoft?

Yes

>
> Hopefully Samba4 changes that as it should have a copy of the AD database!

Perhaps.

Personally I'm doubtful it will be useful for that many people. Think 
about it: the argument goes as follows:

  1. Samba 3 & ntlm_auth are too hard to set up / maintain
  2. Therefore we'll install Samba 4, make it a domain controller so it 
can replicate the SAM, and that will be much easier

Not a convincing argument, I feel. Even if you can convince your AD 
admins to *permit* you to promote a Samba 4 to a DC role, I don't see 
how it'll be any less hassle to run than a Samba 3 in a server role.

There are a small number of sites who may be able to use this route, but 
for complete "ease of use", there's no ideal solution.
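The LDAP route mentioned above (letting FreeRADIUS read the NT hash directly so MS-CHAP can be verified without ntlm_auth) looks roughly like this in a FreeRADIUS 3.x ldap module. This is an added illustration, not configuration from the thread or from the FreeRADIUS project; the server name, bind DN, base DN and the attribute name `sambaNTPassword` are assumptions (Samba's LDAP schema uses `sambaNTPassword`; other schemas use `ntPassword`).

```config
# mods-available/ldap (FreeRADIUS 3.x) -- added example, values are assumed
ldap {
    server   = 'ldap.example.org'          # assumed hostname
    identity = 'cn=radius,ou=svc,dc=example,dc=org'   # assumed bind DN
    password = 'bind-password-placeholder'
    base_dn  = 'dc=example,dc=org'

    user {
        base_dn = "${..base_dn}"
        filter  = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
    }

    update {
        # Pull the 32-hex-char NT hash into the control list so the mschap
        # module can verify MS-CHAP/MS-CHAPv2 without calling ntlm_auth.
        # The LDAP ACL must allow *only* this bind DN to read the attribute.
        control:NT-Password := 'sambaNTPassword'
    }
}
```

With that in place, `ldap` runs in the `authorize` section and `mschap` in `authenticate`; the hash is as sensitive as the password itself, so TLS to the directory and a tight read ACL on the attribute are part of the setup, not optional extras.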
