mschap with ntlm_auth and Active Directory

Phil Mayers p.mayers at
Fri Mar 4 00:20:45 CET 2011

On 03/03/2011 11:07 PM, robert22 wrote:
> McNutt, Justin M. wrote:
>> Also check that winbind is working like this:
>> wbinfo --all-domains
>> If you don't see a list of all valid NT-style domains, winbind is broken
>> and you'll have to fix that first.
> that command displays all the domains correctly.
> However, running the ntlm_auth command with the challange and response gives
> a "Logon failure (0xc000006d)"
> root at FREERADIUS:~# ntlm_auth --request-nt-key  --username=0024D6650564
> --domain=MY.ACTUAL.DOMAIN --challenge=9034daf90ecd43a3
> --nt-response=cd206503887edb3e33ac801d348cd30a7aefa411651be9d0
> Logon failure (0xc000006d)

Well, that's pretty clear. The response is not valid, meaning that 
either the password is wrong somewhere, or samba is corrupting things 
(which has happened in some buggy versions)

Are you sure the mschap client is using the right password, and matches 
the password in the domain?

Can you do a plaintext auth with the password you expect it to be?

ntlm_auth --username=<themac> --password=<the value>

More information about the Freeradius-Users mailing list