mschap configuration problem

Piviul piviul at
Tue Jul 7 16:40:08 CEST 2020

Alan DeKok ha scritto il 07/07/20 alle 15:15:
> On Jul 7, 2020, at 9:05 AM, Piviul <piviul at> wrote:
>    Follow my guide.  It walks you through the process step by step.  If one step succeeds and the next one fails, you know *exactly* what went wrong, and exactly what to do in order to fix it.
>    Alan DeKok.
Hi Alan, thank you very much. I have followed your guide and PAP and EAP 
now seems to work flawlessy; furthermore even AD authentication and 
ntlm_auth are successfully configured. But when I go to the section 
"Configuring FreeRADIUS to use ntlm_auth for MS-CHAP" fails; on the 
server I can see these logs:
> (0) Found Auth-Type = mschap
> (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (0)   authenticate {
> (0) mschap: Client is using MS-CHAPv1 with NT-Password
> (0) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None}  --domain=%{%{mschap:NT-Domain}:-CSATEST}--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}:
> (0) mschap: EXPAND --username=%{mschap:User-Name:-None}
> (0) mschap:    --> --username=user1
> (0) mschap: mschap1: 1a
> (0) mschap: EXPAND --domain=%{%{mschap:NT-Domain}:-CSATEST}--challenge=%{mschap:Challenge:-00}
> (0) mschap:    --> --domain=CSATEST--challenge=1a162d834a0ac705
> (0) mschap: EXPAND --nt-response=%{mschap:NT-Response:-00}
> (0) mschap:    --> --nt-response=f7539949c09457385f97329664296f699d915ccd6a0a58fa
> (0) mschap: ERROR: Program returned code (1) and output 'Password: NT_STATUS_NO_SUCH_USER: The specified account does not exist. (0xc0000064)'
> (0) mschap: External script failed
> (0) mschap: ERROR: External script says: Password: NT_STATUS_NO_SUCH_USER: The specified account does not exist. (0xc0000064)
> (0) mschap: ERROR: MS-CHAP2-Response is incorrect
> (0)     [mschap] = reject
> (0)   } # authenticate = reject

that seems that user1 doesn't exists but:
> # getent passwd CSATEST\\user1
> CSATEST\user1:*:11106:10513:user1:/home/user1:/bin/bash

 From the log above seems that the client send a MS-CHAPv1 request... I 
have tried to add --allow-mschapv2 to the ntlm_auth command in the 
mschap configuration file but nothing changed;

Do you think I've found a bug in samba?


More information about the Freeradius-Users mailing list