MSCHAP using multiple domains

Klemen forneci forneci at gmail.com
Tue Jul 21 22:43:46 CEST 2020


Yes, I know that this is not RADIUS-related. I can reproduce the error in Samba.
I was hoping someone had a similar issue and would give me some hints.
As for dual instances, I checked on the old server and there is a
single domain join. So there must be something on the windows side
that's giving me issues.

Best regards,
Klemen

On Tue, 21 Jul 2020 at 18:12, Matthew Newton
<mcn at freeradius.org> wrote:
>
>
>
> On 21/07/2020 17:01, Klemen forneci wrote:
>
> > When I use mschap_thor everything works. When I try mschap_loki, I get
> > the following error:
> > (2) mschap_loki: ERROR: Program returned code (1) and output 'Logon
> > Failure: The machine you are logging onto is protected by an
> > authentication firewall. The specified account is not allowed to
> > authenticate to the machine. (0xc0000413)'
> > (2) mschap_loki: External script failed
> > (2) mschap_loki: ERROR: External script says: Logon Failure: The
> > machine you are logging onto is protected by an authentication
> > firewall. The specified account is not allowed to authenticate to the
> > machine. (0xc0000413)
> > (2) mschap_loki: ERROR: MS-CHAP2-Response is incorrect
> >
> > I've tried adding the radiusd server to the LOKI domain (net ads
> > join), but the error remains. Are there any more settings in
> > FreeRADIUS that I've missed, or anywhere else? The whole project is at
> > a standstill because of this :/
>
> As you realise already I think - it's nothing to do with FreeRADIUS,
> which just runs the ntlm_auth binary and uses the result.
>
> You need to run ntlm_auth manually with the same args, reproduce it
> there, and then debug back up through Samba.
>
> Once ntlm_auth works, FreeRADIUS should work, too.
>
>  From what I recall, you would normally link the domains together and
> then just join the FreeRADIUS server to one domain, the DC it sends its
> request to should forward to the other domain based on the --domain arg.
>
> If you want to join to two distinct domains simultaneously I believe
> you'll need to have two separate isolated instances of Samba running
> (this may have changed since I looked last though).
>
> --
> Matthew
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
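Matthew's advice above is to reproduce the failure with ntlm_auth by hand and debug from there. The script below is an added example, not code from the thread, from FreeRADIUS or from Samba. It wraps the manual call in the form rlm_mschap uses (--request-nt-key with --domain and --username) but substitutes --password for the --challenge/--nt-response pair so it can be typed at a terminal, and it pulls the NT status code out of the failure text so the two domains can be compared side by side. The domain names THOR and LOKI come from the thread; the user name, the password, the NTLM_AUTH override variable and the small status-code table are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeRADIUS/Samba: run ntlm_auth by
# hand the way rlm_mschap does and surface the NT status code on failure.
# Assumptions: ntlm_auth is on PATH or given via NTLM_AUTH=/path/to/ntlm_auth;
# the radiusd host is joined to one domain (THOR in the thread) and --domain
# tells the DC which domain the account lives in.

# ntstatus_from_output TEXT: print the first "(0x........)" code found, lower-cased.
ntstatus_from_output() {
    printf '%s\n' "$1" |
        sed -n 's/.*(\(0x[0-9A-Fa-f]\{8\}\)).*/\1/p' |
        head -n 1 |
        tr 'A-F' 'a-f'
}

# ntstatus_name CODE: map a few common NT status codes to their symbolic names
# (the table is an assumption of this example, not something ntlm_auth prints).
ntstatus_name() {
    case "$1" in
        0xc0000413) echo STATUS_AUTHENTICATION_FIREWALL_FAILED ;;
        0xc000006d) echo STATUS_LOGON_FAILURE ;;
        0xc000006a) echo STATUS_WRONG_PASSWORD ;;
        0xc0000064) echo STATUS_NO_SUCH_USER ;;
        0xc0000234) echo STATUS_ACCOUNT_LOCKED_OUT ;;
        *)          echo UNKNOWN ;;
    esac
}

# ntlm_auth_check DOMAIN USER PASSWORD
# Exit status: 0 = the DC accepted the logon (ntlm_auth prints NT_KEY),
# 1 = the DC rejected it (rlm_mschap would log "External script failed" with
# the same text), 2 = ntlm_auth could not be executed at all.
ntlm_auth_check() {
    domain=$1 user=$2 password=$3
    bin=${NTLM_AUTH:-ntlm_auth}
    command -v "$bin" >/dev/null 2>&1 || { echo "cannot execute $bin" >&2; return 2; }

    # rlm_mschap passes --challenge/--nt-response; --password is the manual
    # equivalent (the password is visible in the process list while it runs).
    rc=0
    out=$("$bin" --request-nt-key --domain="$domain" --username="$user" \
                 --password="$password" 2>&1) || rc=$?

    if [ "$rc" -eq 0 ]; then
        printf 'OK: %s\\%s accepted by the DC\n' "$domain" "$user"
        return 0
    fi

    code=$(ntstatus_from_output "$out")
    echo "FAIL (exit $rc): $out" >&2
    [ -n "$code" ] && echo "NT status $code = $(ntstatus_name "$code")" >&2
    return 1
}

# Usage from a terminal on the radiusd host (user name and password assumed):
#   ./ntlm_check.sh THOR someuser 'secret'   # works in the thread
#   ./ntlm_check.sh LOKI someuser 'secret'   # reproduces the 0xc0000413 error
if [ $# -ge 3 ]; then
    ntlm_auth_check "$@"
fi
```

Run it once per domain with the same account. If THOR succeeds and LOKI fails with the same 0xc0000413 text that rlm_mschap logged, FreeRADIUS is out of the picture and the fault sits between the DC the host is joined to and the LOKI domain. STATUS_AUTHENTICATION_FIREWALL_FAILED is the status Windows commonly returns when a trust is configured for selective authentication and the account has not been granted the Allowed to Authenticate right on the computer the request is made for, so that is the first thing to check on the Windows side; the output of the manual run is also what to paste when taking the question to the Samba list.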