New User and AD Question

McNutt, Justin M. McNuttJ at
Wed Mar 2 14:10:22 CET 2011

> And what happens when you try to run ntlm_auth on the command-line?
> i.e. take the string printed by the server, and keep running it by
> hand. Play with the various parameters until it works. Then, configure
> the server to run it with those parameters.

I dug through the debug output and presumed that you meant, "do this from the command line":

wbinfo --all-domains
	- good check that winbind isn't screwy
	- test passed

ntlm_auth --request-nt-key --username='dnps-caplap-4$' --challenge=(pasted-from-debug) --nt-response=(pasted-from-debug)

The result was:  NT_KEY: (long hex string)

If I change the username to a bogus hostname, I get "Logon failure (hex error)".

So I presume that the problem really is just the proper translation of "host/computer.domain" to username=computer$ domain=domain.

Given that I've changed so very few things from the default configs, is there someplace I should look at turning things off that I'm not using that would at least simplify the issue?  For example, I see rlm_ldap calls just before "Found Auth-Type = EAP", possibly called by the "files" section just above that.  Will commenting out "unix" and "files" and anything else in the virtual server that I'm not using confuse or simplify the issue?

I don't want to go changing things that are normally relied upon to preprocess something or at least create some "usual" expected behavior and make it all that much more complicated.
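As an added example (editor's code, not from the original post or the FreeRADIUS project), the script below does by hand what the post is circling around: it splits an EAP identity of the form "host/computer.domain" into the machine account ("computer$") and domain that winbind expects, prints the same ntlm_auth command line the post ran manually, and classifies ntlm_auth's reply. It assumes the DNS suffix after the first dot is also the NT domain name winbind knows (at some sites the NetBIOS domain differs, and then --domain must be set to that instead); the hostname, domain, challenge and NT-response values are constructed placeholders, and --domain is a real ntlm_auth option that the post itself does not use.

```shell
#!/bin/sh
# Added example (editor's, not from the original post): derive the winbind
# machine-account identity from a "host/computer.domain" EAP identity,
# assemble the ntlm_auth command line to try by hand, and classify the
# result. Hostnames, domain, challenge and responses below are constructed.

# machine_account_from_identity ID
#   Prints "computer$ domain" for a host/computer.domain identity.
#   Returns 1 for any other identity (plain user names, user@realm, ...).
machine_account_from_identity() {
    case "$1" in
        host/?*.?*) ;;                  # must look like host/name.domain
        *) return 1 ;;
    esac
    principal="${1#host/}"              # drop the "host/" prefix
    name="${principal%%.*}"             # first label: the computer name
    domain="${principal#*.}"            # rest: the DNS suffix
    # Assumption: the DNS suffix is also the NT domain name winbind knows.
    printf '%s$ %s\n' "$name" "$domain"
}

# ntlm_auth_cmdline ID CHALLENGE NT_RESPONSE
#   Prints the ntlm_auth invocation to paste into a shell; CHALLENGE and
#   NT_RESPONSE are the hex strings copied from the radiusd -X output.
ntlm_auth_cmdline() {
    acct=$(machine_account_from_identity "$1") || return 1
    printf 'ntlm_auth --request-nt-key --username=%s --domain=%s --challenge=%s --nt-response=%s\n' \
        "${acct%% *}" "${acct#* }" "$2" "$3"
}

# run_ntlm_auth ID CHALLENGE NT_RESPONSE
#   Same thing, but actually runs ntlm_auth with properly quoted arguments
#   (no eval of a built-up string). Exit status is ntlm_auth's own.
run_ntlm_auth() {
    acct=$(machine_account_from_identity "$1") || return 2
    ntlm_auth --request-nt-key --username="${acct%% *}" --domain="${acct#* }" \
              --challenge="$2" --nt-response="$3" 2>&1
}

# ntlm_auth_succeeded OUTPUT
#   ntlm_auth prints "NT_KEY: <hex>" when winbind accepted the response and
#   a "Logon failure ..." line otherwise. Returns 0 on success, 1 on failure.
ntlm_auth_succeeded() {
    case "$1" in
        NT_KEY:*) return 0 ;;
        *) return 1 ;;
    esac
}

# Stand-alone demonstration with constructed values.
main() {
    id='host/dnps-caplap-4.example.com'
    challenge='f1e2d3c4b5a69788'                                   # constructed
    response='a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d4e5f60718'   # constructed
    cmd=$(ntlm_auth_cmdline "$id" "$challenge" "$response") || {
        echo "not a machine identity: $id" >&2
        return 1
    }
    echo "try by hand: $cmd"
    # Only talk to winbind when ntlm_auth is actually installed.
    if command -v ntlm_auth >/dev/null 2>&1; then
        out=$(run_ntlm_auth "$id" "$challenge" "$response")
        if ntlm_auth_succeeded "$out"; then
            echo "winbind accepted the machine account: $out"
        else
            echo "winbind rejected it: $out"
        fi
    fi
}

main
```

In FreeRADIUS itself the same split would not be done in a shell script: the natural place is an unlang block in the virtual server that matches User-Name against a regex such as `^host/([^.]+)\.(.+)$` and feeds the `%{1}$` and `%{2}` captures into the --username and --domain arguments of the `ntlm_auth` line in the mschap module; that is the editor's suggestion, not something the post states.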

