Using machine auth from a remote eduroam site

Adam Bishop Adam.Bishop at
Mon Mar 26 18:44:59 CEST 2018

On 26 Mar 2018, at 17:12, Alex Sharaz via Freeradius-Users <freeradius-users at> wrote:
> I'm using winbindd on our  Tier 1 FR servers. Guess I need to create
> another mschap instance specifically for machine auths and point it at
> another part of the AD tree.

I have never gotten machine authentication to work so have no idea what I'm talking about, but would that be necessary?

Unless you've written some samba config to change the behaviour, I believe ntlm_auth looks at the entire tree - ntlm_auth/libwbclient are happy to authenticate any valid user regardless of position in the tree.

The wiki mentions an interesting snippet of information - it suggests you might need to send "00" as the username:

I'd also look suspiciously at how the backslashes are being handled (packet capture and see what's really being put on the wire?), and the docs by nt_domain_hack in rlm_preprocess, which suggest you may need to mangle the username.

Adam Bishop

  gpg: E75B 1F92 6407 DFDF 9F1C  BF10 C993 2504 6609 D460

Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800.

Jisc Services Limited is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under company number 2881024, VAT number GB 197 0632 86. The registered office is: One Castle Park, Tower Hill, Bristol BS2 0JA. T 0203 697 5800.  

More information about the Freeradius-Users mailing list