Freeradius-Users Digest, Vol 134, Issue 11

Matthew Newton mcn4 at
Mon Jun 6 23:45:59 CEST 2016

On Mon, Jun 06, 2016 at 09:01:15PM +0000, Shawn Wilson wrote:
> The ntlm_auth command will not authenticate against alternate
> active directory UPN You must use the original active directory
> domain name.  
> I realize this is not a freeradius problem but a Samba problem.

Actually, sounds like a Microsoft problem to me...

> Still, I was wondering if there was an elegant way to configure
> freeradius to work around this limitation.
> For the time being, I did a brutal hack to get it to work: 

>    ntlm_auth = "/usr/local/bin/ntlm_auth_UPN %{%{Stripped-User-Name}:-%{%{User-Name}:-None}} %{realm} %{%{mschap:Challenge}:-00} %%{mschap:NT-Response}:-00}"
> exec /usr/bin/ntlm_auth --request-nt-key --username=${USERNAME} --domain=${DOMAIN} --challenge=${CHALLENGE} --nt-response=${NT_RESPONSE}

This means you're execing two processes each time. ntlm_auth
doesn't scale well, and this won't help.

Just update a local attribute (e.g. Tmp-String-1) in unlang (e.g.
switch) with the required data and pass that through to ntlm_auth.

Or use recent FreeRADIUS+Samba and use winbind_username /
winbind_domain instead to skip ntlm_auth altogether.


Matthew Newton, Ph.D. <mcn4 at>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at>

More information about the Freeradius-Users mailing list