FW: configuring freeradius to use Ntlm_auth

Fajar A. Nugraha list at fajar.net
Mon Mar 28 08:21:09 CEST 2011

On Mon, Mar 28, 2011 at 1:01 PM, Raheel Itrat <raheel082 at hotmail.com> wrote:
> Well, even if I follow that guide it says to do a lot of things like as follows:
> "Create a file raddb/modules/ntlm_auth, and put the following text in it:
>         exec ntlm_auth {
>                 wait = yes
>                 program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
>         }"
> "You will also have to list ntlm_auth in the authenticate sections of each the raddb/sites-enabled/default file, and of the raddb/sites-enabled/inner-tunnel file"

AFAIK that guide was written with some assumption in mind, like:
- users already now what AD is, know how to join new machines to the
domain, and have sufficient access right to do so
- users aready know what samba is, and know how to integrate samba to
an exisisting windows domain
- users are familiar enough with freeradius to create a basic working
configuration (e.g. with users in /etc/raddb/users, authentication
using PAP) using freeradius 2.1.x.

>From a quick glance, I can't even tell what FR version you use (did
you run "freeradius -X", as suggested in the FAQ

Also, your config file has something like this

program = "/etc/freeradius/modules/ntlm_auth

Which is definitely wrong. For example, in ubuntu, the ntml_auth prog
is /usr/bin/ntlm_auth, path of winbind/winbind4 package.

So back to your problem, I suggest do some checks first and make sure
you have all three above assumptions covered. If not, learn about them

After that (and correcting some obvious problems), start with using
"freeradius -X" to get the debug log.


More information about the Freeradius-Users mailing list