problems getting ntlm_auth working.

L.P.H. van Belle belle at
Fri Aug 30 13:55:19 CEST 2019

Hi Alan,

Of course, if I'd read everything you were saying.
And it's all working now.

If you can change one thing in the site's howto, then you will never get these questions again.
.. Yes, I know it is on the site already, but I would suggest you change this part.

'This configuration needs to be set on all participating Samba member(s) and (Samba4) AD-DC server(s).' 

So what did I miss.. Yes, I forgot to add to the AD-DC's smb.conf:
ntlm auth = mschapv2-and-ntlmv2-only

After setting that, "it just works" ..  ;-)
Pretty stupid of me.. I won't argue that..

Just two more questions.
We can authenticate 3 ways.
username@REALM

If running freeradius on an AD-DC,
where: winbind use default domain = yes is not working on the AD-DC.
See output of wbinfo -u.

You can login with: username or NTDOM\username.
test : radtest -t mschap 'NTDOM\username' 'password' localhost 0 testing123
test : radtest -t mschap 'username' 'password' localhost 0 testing123

If running freeradius on an AD member,
where: winbind use default domain = yes is working.
See output of wbinfo -u.

You can login with: username or username@REALM
test : radtest -t mschap 'username' 'password' localhost 0 testing123
test : radtest -t mschap 'username@REALM' 'password' localhost 0 testing123

What is the best way to handle all 3 types?
I'm really new to freeradius; I'm trying to understand the configs, but that's not done in a sec.

2) A note on the REALM.
I noticed this, and maybe you can verify it.

If realm is set as : 
        default_realm = internal.domain.tld 

Trying to login with: username@INTERNAL.DOMAIN.TLD does not work.
You must match CAPS/non-caps in the REALM, correct?
Or can we handle this in the config?

But thank you for your responses so far.



> -----Original message-----
> From: Freeradius-Users 
> [ at lists.freerad] On behalf of Alan DeKok
> Sent: Thursday 29 August 2019 16:31
> To: FreeRadius users mailing list
> Subject: Re: problems getting ntlm_auth working.
> On Aug 29, 2019, at 9:56 AM, Alan DeKok 
> <aland at> wrote:
> >  The possible problems are:
> > 
> > a) the program is run under a different UID, and therefore 
> can't access the resources it needs when run under a different UID
Yes, I have checked that. I've added freerad to the winbind_priv group.

> > 
> > b) the parameters passed to the program are different in 
> the situations when it works, and when it doesn't work
>   The only *other* choice is that the client is doing MS-CHAP 
> calculations wrong.  FreeRADIUS just packages that up and 
> sends it to ntlm_auth.  So if the calculations are wrong, 
> then ntlm_auth will return "fail", even when ntlm_auth and 
> samba are configured correctly.
>   That can be tested by doing a test without ntlm_auth, and a 
> locally configured password.  If that works, then the client 
> is fine.  And, the problem isn't FreeRADIUS.  Because 
> FreeRADIUS can authenticate users just fine.

You were completely right here.

>   Alan DeKok.

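The three login forms and the realm-case question raised in the post above, as an added example that is not from the thread, from FreeRADIUS or from Samba: a small Python normaliser that maps `username`, `NTDOM\username` and `username@REALM` to the (NetBIOS domain, user) pair that ntlm_auth is handed, looking the realm up case-insensitively so that `user@internal.domain.tld` and `user@INTERNAL.DOMAIN.TLD` resolve to the same domain. The realm-to-domain table, the default domain `NTDOM` and the function names are assumptions chosen to match the names used in the thread; FreeRADIUS's own rlm_mschap does this splitting internally (the `%{mschap:User-Name}` and `%{mschap:NT-Domain}` expansions in the stock mschap configuration), so this only illustrates the logic a config has to get right.

```python
"""Normalise the three user-name forms seen with ntlm_auth.

Added illustration (not FreeRADIUS or Samba code): the realm table, the
default domain and the function names are assumptions chosen to match
the names used in the thread.
"""

# Assumed mapping of Kerberos realm -> NetBIOS domain. Keys are stored in
# upper case so that lookups can be made case-insensitive.
REALM_TO_NTDOM = {
    "INTERNAL.DOMAIN.TLD": "NTDOM",
}

# Assumed domain used when a bare user name arrives (what
# "winbind use default domain = yes" implies on a member server).
DEFAULT_NTDOM = "NTDOM"


def split_user_name(name, realm_map=REALM_TO_NTDOM, default_domain=DEFAULT_NTDOM):
    """Return (ntdom, user) for 'user', 'NTDOM\\user' or 'user@realm'.

    Raises ValueError for empty, ambiguous or unknown-realm names so the
    caller rejects them instead of handing garbage to ntlm_auth.
    """
    if not name or any(ch in name for ch in "\x00\r\n"):
        raise ValueError("empty or malformed user name")

    if "\\" in name:
        # Down-level logon name: NTDOM\user. The domain part is case-insensitive.
        dom, user = name.split("\\", 1)
        if not dom or not user or "@" in user or "\\" in user:
            raise ValueError(f"ambiguous down-level name: {name!r}")
        return dom.upper(), user

    if "@" in name:
        # UPN / realm form: user@REALM. The realm is matched case-insensitively,
        # so user@internal.domain.tld and user@INTERNAL.DOMAIN.TLD agree.
        user, realm = name.rsplit("@", 1)
        if not user or not realm:
            raise ValueError(f"malformed UPN: {name!r}")
        try:
            return realm_map[realm.upper()], user
        except KeyError:
            raise ValueError(f"unknown realm in {name!r}") from None

    # Bare user name: fall back to the default domain.
    return default_domain, name


def ntlm_auth_argv(name):
    """Build the domain/user arguments ntlm_auth expects for a logon name.

    --username and --domain are real ntlm_auth options; the challenge and
    NT-response options that complete an MS-CHAP check are deliberately
    left out because they come from the RADIUS request, not the user name.
    """
    ntdom, user = split_user_name(name)
    return ["ntlm_auth", f"--username={user}", f"--domain={ntdom}"]


if __name__ == "__main__":
    # Constructed sample names covering the three accepted forms.
    for n in ("alice", "NTDOM\\alice", "ntdom\\alice",
              "alice@INTERNAL.DOMAIN.TLD", "alice@internal.domain.tld"):
        print(f"{n:32} -> {split_user_name(n)}")
    # Constructed names that should be refused rather than passed on.
    for bad in ("", "alice@other.example", "NTDOM\\alice@INTERNAL.DOMAIN.TLD"):
        try:
            split_user_name(bad)
        except ValueError as exc:
            print(f"{bad!r:34} rejected: {exc}")
```

The design point is that the realm is treated as a lookup key rather than compared literally, so whether the client sends the realm in upper or lower case does not change which NetBIOS domain reaches ntlm_auth; names that carry both a backslash domain and an @realm are refused as ambiguous instead of being guessed at.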