problems getting ntlm_auth working.

Alan DeKok aland at
Thu Aug 29 15:23:08 CEST 2019

On Aug 29, 2019, at 9:00 AM, L.P.H. van Belle via Freeradius-Users <freeradius-users at> wrote:
> Samba 4.10.7  ( running winbind only ) 
> My winbind auth works fine, server is domain joined. 

  That's good.

> Im following the site
> Steps 1-4 all done and all working. 
> Only i use my own certificates here. 
> This is the running samba config : 

  We don't need to see the Samba config.

> I've proceded to :
> I've edited : /etc/freeradius/3.0/users and tested it. 
> radtest user password localhost 0 testing123
> This all works with : DEFAULT     Auth-Type = ntlm_auth   enabled. 

  That's good.

> Im now at : Configuring FreeRADIUS to use ntlm_auth for MS-CHAP 
> Now i remove DEFAULT     Auth-Type = ntlm_auth  from /etc/freeradius/3.0/users
> I edited : /etc/freeradius/3.0/mods-available/mschap 
> As suggested on the site, but that did not work. 

  See the messages below.

> (0) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --allow-mschapv2 --username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-NTDOM} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}:
> (0) mschap: EXPAND --username=%{mschap:User-Name:-None}
> (0) mschap:    --> --username=username
> (0) mschap: ERROR: No NT-Domain was found in the User-Name
> (0) mschap: EXPAND --domain=%{%{mschap:NT-Domain}:-NTDOM}
> (0) mschap:    --> --domain=NTDOM
> (0) mschap: mschap1: 08
> (0) mschap: EXPAND --challenge=%{mschap:Challenge:-00}
> (0) mschap:    --> --challenge=08243010dec6eb38
> (0) mschap: EXPAND --nt-response=%{mschap:NT-Response:-00}
> (0) mschap:    --> --nt-response=e386418de8527edff1949800324f8f34d4716529e6176b1c
> (0) mschap: ERROR: Program returned code (1) and output 'The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)'

  That's pretty clear.  Samba is rejecting the request.  Maybe Samba is still refusing to allow ntlm_auth.  

  There isn't much you can do to FreeRADIUS to fix this issue.  Use the debug output above to run the "ntlm_auth" program from the command line yourself.  Samba shouldn't care about repeated authentication attempts which use the same MS-CHAP magic hex strings.

  Keep running ntlm_auth with the MS-CHAP strings, and poking Samba until ntlm_auth succeeds.  At that point, FreeRADIUS will work, too.

  Alan DeKok.

More information about the Freeradius-Users mailing list