Stuck on ntlm_auth/mschap setup between FreeRADIUS & Samba DC

Alan DeKok aland at
Mon Sep 12 17:25:29 UTC 2022

On Sep 12, 2022, at 3:42 AM, Jesper Nemholt <jfn at> wrote:
> As UniFi doesn't support AD natively, I'm using RADIUS between UniFi and
> AD. My AD is a Samba 4 server,

  That's fine.

> Samba is configured & working and the freeradius server has been joined to
> the domain.


> ntlm_auth on the command line works OK :
> root at radius:~# ntlm_auth --request-nt-key --domain=BAR --username=foo
> --password=xxx
> NT_STATUS_OK: The operation completed successfully. (0x0)

  Note the domain / username configuration...

> I've followed a couple of guidelines specific for this setup (with UniFi)
> but none of them appear to work, neither with winbind nor ntlm_auth as
> method within freeradius.

  has a complete guide.  It's been the definitive source for 15+ years.

  There's no need for any UniFi-specific setup, other than configuring the UniFi equipment as a RADIUS client.

> I'm currently using this in my mods-available/mschap file :
> ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
> --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
> --domain=%{mschap:NT-Domain} --challenge=%{%{mschap:Challenge}:-00}
> --nt-response=%{%{mschap:NT-Response}:-00}"
> with_ntdomain_hack = yes

  The docs say "post the debug output, not the configuration".

> When I run radtest from CLI I get this :
> root at radius:~$ radtest -t mschap "BAR\foo" xxx localhost 0 testing123

  After 20 years, I still can't figure out why people insist on posting the output of "radtest", when all of the documentation, "man" pages, etc. say "don't do that."

> On the radius debug log I get this :

  That's the only thing that matters.  Everything else is not really helpful.

> (0) mschap: EXPAND
> --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
> (0) mschap:    --> --username=BAR\\foo
> (0) mschap: EXPAND --domain=%{mschap:NT-Domain}
> (0) mschap:    --> --domain=BAR

  Note that this username / domain is different than what you used when testing ntlm_auth on the command line.

  How about configuring FreeRADIUS to just use "foo" for the "--username=foo" field?  The mschap module has extensive documentation on this subject.  Perhaps try:

	... --username=%{mschap:User-Name} ...

> So my guess is that my ntlm_auth line is not correct, or I missed some
> other parameter somewhere, but I've tried quite a few options so far, and
> they seem to all fail.

  It isn't helpful to try random things.

  The best approach is to look at what works, and what doesn't work.  Then, make the "not working" thing more like the "working" thing.

  The problem with "I tried a bunch of stuff and nothing works" is that you're not understanding how the system works.  You're just trying random things, hoping that some random change will magically make it work.

  Instead, you should be working on understanding how things work.  Read the docs, try the different configurations suggested in the docs, etc.  A methodical approach will *always* yield better results than trying random things you found on google.

  Alan DeKok.
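The comparison Alan suggests (look at what works, then make the failing call look like it) can be done on the RADIUS box before touching the module again. The script below is an added example, not code from the mailing-list post or from the FreeRADIUS project: it emulates what the poster's template and the suggested template hand to ntlm_auth for the same User-Name, so the arguments can be compared against the command line that already returned NT_STATUS_OK. The way it treats a name without a backslash (empty domain) is this script's own assumption, not a statement about how rlm_mschap expands %{mschap:NT-Domain} in that case; the challenge and NT-Response values in the demo are constructed.

```shell
#!/bin/sh
# Added example, not from the list post or the FreeRADIUS project.
# Emulates the two ntlm_auth templates from the thread for a given User-Name
# so their arguments can be compared with the working CLI call.

# Emulates %{mschap:User-Name}: the part after the backslash in DOMAIN\user,
# or the whole name when there is no backslash.
mschap_user_name() {
    case "$1" in
        *\\*) printf '%s\n' "${1#*\\}" ;;
        *)    printf '%s\n' "$1" ;;
    esac
}

# Emulates %{mschap:NT-Domain}: the part before the backslash in DOMAIN\user.
# Empty for a bare name (assumption made by this script, see lead-in).
mschap_nt_domain() {
    case "$1" in
        *\\*) printf '%s\n' "${1%%\\*}" ;;
        *)    printf '\n' ;;
    esac
}

# The poster's template: --username receives the unstripped User-Name,
# so the domain ends up in both arguments.
old_template_args() {
    printf '%s %s\n' "--username=$1" "--domain=$(mschap_nt_domain "$1")"
}

# The suggested template: --username=%{mschap:User-Name} --domain=%{mschap:NT-Domain}
# gives the same split the working CLI call used (--username=foo --domain=BAR).
new_template_args() {
    printf '%s %s\n' "--username=$(mschap_user_name "$1")" \
                     "--domain=$(mschap_nt_domain "$1")"
}

# The full command line the module would execute with the suggested template.
# $2 and $3 stand in for %{mschap:Challenge} and %{mschap:NT-Response} (hex).
ntlm_auth_cmdline() {
    printf '%s %s %s %s %s %s\n' "ntlm_auth" "--request-nt-key" \
        "--username=$(mschap_user_name "$1")" \
        "--domain=$(mschap_nt_domain "$1")" \
        "--challenge=${2:-00}" "--nt-response=${3:-00}"
}

# Real check, mirroring the --password form the poster ran by hand.
# Only meaningful on a domain-joined host with winbind running.
ntlm_auth_check() {
    command -v ntlm_auth >/dev/null 2>&1 || {
        printf 'ntlm_auth not installed\n' >&2
        return 2
    }
    ntlm_auth --request-nt-key \
        --username="$(mschap_user_name "$1")" \
        --domain="$(mschap_nt_domain "$1")" \
        --password="$2"
}

# Demo: the same name the RADIUS client sends, expanded both ways.
printf 'poster:    %s\n' "$(old_template_args 'BAR\foo')"
printf 'suggested: %s\n' "$(new_template_args 'BAR\foo')"
printf 'module:    %s\n' "$(ntlm_auth_cmdline 'BAR\foo' 0123456789abcdef 00)"
```

Run it with the exact User-Name seen in the debug output (`(0) mschap: --> --username=...`); if the "suggested" line matches the arguments of the CLI call that succeeded, the remaining difference is in the challenge/response, not in the account lookup.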

More information about the Freeradius-Users mailing list