winbind / ntlm_auth funny

Alex Sharaz alex.sharaz at
Thu Jan 18 11:47:10 CET 2018

I've been using winbindd for a long time to authenticate York users ... and
it "just works".

We now have a requirement to authenticate another realm via a trust
relationship between our AD domain and theirs, so
in mods-enabled
copy mschap mschap {

into mschap mschap_hyms {


        winbind_username = "%{Stripped-User-Name}"
        winbind_domain = "ITS.YORK.AC.UK"


        winbind_username = "%{Stripped-User-Name}"
        winbind_domain = "HYMS.AC.UK"

plus a few other bits to get inner-tunnel to call mschap_hyms as

Then run eapol_test to perform an auth attempt and the HYMS AD controller
bounces the auth with a no such user request


ntlm_auth --username=eduroamtest2 --domain=HYMS.AC.UK

and get the same no such user message

However, try
ntlm_auth --username=\eduroamtest2 --domain=HYMS.AC.UK

and get a success after entering a password.

Thought I'd go back to using ntlm_auth in my FR config for HYMS.
So how do I prefix Stripped-User-Name with a "\" in inner-tunnel?

