Stuck on ntlm_auth/mschap setup between FreeRADIUS & Samba DC (Alan DeKok)
Alan DeKok
aland at deployingradius.com
Tue Sep 13 18:55:05 UTC 2022
On Sep 13, 2022, at 10:57 AM, Jesper Nemholt <jfn at dataradical.com> wrote:
>> How about configuring FreeRADIUS to just use "foo" for the
>> "--username=foo" field? The mschap module has extensive documentation on
>> this subject. Perhaps try:
>>
>> ... --username=%{mschap:User-Name} ...
>
> I did try that also. Mschap will then fail with an error about the missing
> domain like this :
>
> (0) Login incorrect (mschap: No NT-Domain was found in the User-Name):
> [jfn/<via Auth-Type = mschap>] (from client localhost port 0)

That only happens when the user logs in without a domain.

So... you can selectively choose which name is used:

--username=%{%{mschap:User-Name}:-%{Stripped-User-Name}....

> Did not do anything random but followed the guide at
> http://deployingradius.com/documents/configuration/active_directory.html
> and also the Samba FreeRADIUS guide for comparison.
> The first one is the one you recommended to follow and the one I primarily
> used.
That's good. What is worrying is comments like "I tried a bunch of stuff and it didn't work". It's difficult to offer good advice for those kinds of comments.
> In any case I resolved the issue and all works now. The problem was not in
> the FreeRADIUS configuration, but on the domain controller.
Good to hear.
Alan DeKok.