Stuck on ntlm_auth/mschap setup between FreeRADIUS & Samba DC (Alan DeKok)

Jesper Nemholt jfn at dataradical.com
Tue Sep 13 14:57:46 UTC 2022 

>
> Date: Mon, 12 Sep 2022 13:25:29 -0400
> From: Alan DeKok <aland at deployingradius.com>
> To: FreeRadius users mailing list
>         <freeradius-users at lists.freeradius.org>
> Subject: Re: Stuck on ntlm_auth/mschap setup between FreeRADIUS &
>         Samba DC
> Message-ID: <3B99D14F-FF06-41CD-B1A5-103249CAA6ED at deployingradius.com>
> Content-Type: text/plain;       charset=us-ascii
>
> On Sep 12, 2022, at 3:42 AM, Jesper Nemholt <jfn at dataradical.com> wrote:
> > As UniFi doesn't support AD natively, I'm using RADIUS between UniFi and
> > AD. My AD is a Samba 4 server,
>
 [clip]

> > On the radius debug log I get this :
>
>   That's the only thing that matters.  Everything else is not really
> helpful.
>
> > (0) mschap: EXPAND
> > --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
> > (0) mschap:    --> --username=BAR\\foo
> > (0) mschap: EXPAND --domain=%{mschap:NT-Domain}
> > (0) mschap:    --> --domain=BAR
>
>   Note that this username / domain is different than what you used when
> testing ntlm_auth on the command line.
>
>   How about configuring FreeRADIUS to just use "foo" for the
> "--username=foo" field?  The mschap module has extensive documentation on
> this subject.  Perhaps try:
>
>         ... --username=%{mschap:User-Name} ...
>

I did try that also. Mschap will then fail with an error about the missing
domain like this :

(0) Login incorrect (mschap: No NT-Domain was found in the User-Name):
[jfn/<via Auth-Type = mschap>] (from client localhost port 0)

To resolve that I can manually set the domain, like I did when manually
running ntlm_auth, just to verify whether it would work if it got the
domain provided properly.


> > So my guess is that my ntlm_auth line is not correct, or I missed some
> > other parameter somewhere, but I've tried quite a few options so far, and
> > they seem to all fail.
>
>   It isn't helpful to try random things.
>

Did not do anything random but followed the guide at
http://deployingradius.com/documents/configuration/active_directory.html
and also the Samba FreeRADIUS guide for comparison.
The first one is the one you recommended to follow and the one I primarily
used.

In any case I resolved the issue and all works now. The problem was not in
the FreeRADIUS configuration, but on the domain controller.

/Jesper

More information about the Freeradius-Users mailing list