Machine auth fails but user auth works

Dennis Xu dxu at uoguelph.ca
Tue Dec 8 22:42:21 CET 2015


Yes I do hardcode the domain into the /etc/raddb/mods-available/mschap file: 
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{mschap:User-Name}:-00} --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --domain=%{%{mschap:NT-Domain}:-CFS.UOGUELPH.CA} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}" 

If I understand correctly from other posts, if the client specifies a domain name, it will use that domain name regardless of the ntlm_auth configuration? 

As for the client side, it is configured with the cfs.uoguelph.ca domain; I am sure why it would use domain cfs. Are there any other places to check for the domain being used by machine auth? 




----- Original Message -----

From: "Matthew Newton" <mcn4 at leicester.ac.uk> 
To: dxu at uoguelph.ca, "FreeRadius users mailing list" <freeradius-users at lists.freeradius.org> 
Sent: Tuesday, December 8, 2015 4:22:39 PM 
Subject: Re: Machine auth fails but user auth works 

On Tue, Dec 08, 2015 at 12:39:33PM -0500, Dennis Xu wrote: 


The EXPAND domain value from user auth is 
"domain=CFS.UOGUELPH.CA" which is correct, but it got 
"domain=cfs" in the machine auth case. I am not sure if that is 
important. 

Unless you have more than one domain, I would personally just 
hardcode the domain into the ntlm_auth command in the config. 

I do that here. It's one less thing to go wrong. 

Matthew 


-- 
Matthew Newton, Ph.D. <mcn4 at le.ac.uk> 

Systems Specialist, Infrastructure Services, 
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom 

For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk> 
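
Added example, not part of the original thread and not FreeRADIUS code: a simplified Python model of the `--domain=%{%{mschap:NT-Domain}:-CFS.UOGUELPH.CA}` expansion from the post, showing that the value after `:-` is only a fallback, so a domain derived from the client's User-Name takes precedence over it. The parsing rules in `nt_domain` (a hypothetical helper) and the sample names are assumptions constructed for illustration.

```python
# Simplified model (an assumption, not FreeRADIUS source) of how the mschap
# NT-Domain expansion interacts with the "%{%{a}:-b}" fallback syntax.

DEFAULT_DOMAIN = "CFS.UOGUELPH.CA"  # fallback value from the config line in the post


def nt_domain(user_name):
    """Return the domain carried in User-Name, or None if there is none."""
    if user_name.lower().startswith("host/"):
        # Machine account: host/<name>.<label>.<rest> -> <label>
        _, dot, rest = user_name.partition(".")
        return rest.split(".", 1)[0] if dot and rest else None
    if "\\" in user_name:
        # DOMAIN\user -> DOMAIN
        return user_name.split("\\", 1)[0] or None
    return None


def expand_domain(user_name, default=DEFAULT_DOMAIN):
    """Model of --domain=%{%{mschap:NT-Domain}:-<default>} (fallback only)."""
    return nt_domain(user_name) or default


def expand_domain_literal(user_name, default=DEFAULT_DOMAIN):
    """Model of a literal --domain=<default>: the client value is ignored."""
    return default


# Constructed sample identities (not taken from the thread's logs).
SAMPLES = ["dxu", "CFS\\dxu", "host/lab-pc01.cfs.uoguelph.ca", "host/nodots"]


def report(names=SAMPLES):
    """Return (name, fallback-style domain, literal domain) per identity."""
    return [(n, expand_domain(n), expand_domain_literal(n)) for n in names]


if __name__ == "__main__":
    for name, fallback, literal in report():
        print(f"{name:32} fallback={fallback:18} literal={literal}")
```
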

