New User and AD Question

McNutt, Justin M. McNuttJ at
Tue Mar 1 17:19:36 CET 2011

> Could you send us the output of radiusd -X for a computer auth?

Done.  (See previous message with attachment.)

> If it works for users it should just work for machines.

Perhaps under certain circumstances, but not for us, apparently.  Perhaps it's the significant difference between the NT-style domain name and the AD-style domain name.  Perhaps it's the multi-domain AD structure.  I don't know.  I do know that users can successfully authenticate - IF they supply a domain as part of their credentials - and computers cannot.  Yet.

> You'll need to make sure you have samba > 3.0.23 [IIRC] [which you seem to 
> have] and your ntlm_auth line has to have an appropriately formatted 
> User-Name bit e.g. %{mschap:User-Name} (the mschap module will take 
> host\\ and turn it in to computer$ automatically).

Yup.  Samba 3.5.4.  Here's the ntlm_auth line used (from mschap module):

ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --domain=%{mschap:NT-Domain} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" 

Interestingly enough, the modules/ntlm_auth file contains something completely different, though I don't think it is in play:

exec ntlm_auth {
                wait = yes
program = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --password=%{User-Password}"


More information about the Freeradius-Users mailing list