[EXT] Re: Authenticate with machine account and without ntlm_auth
Brian Julin
BJulin at clarku.edu
Thu Nov 14 18:34:35 UTC 2024
On Nov 14, 2024, at 12:25 PM, Rodrigo Antunes via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> Hi, I'd like to authenticate a PC using its machine account and the mschap module, without calling ntlm_auth, is this possible?
If you mean with libwbclient instead of ntlm_auth then yes, host auths do indeed work through that route. However they still use the NTLM method under the hood, so that method must still be allowed by the directory server. No major RADIUS supplicants available on commodity client machines support newer methods than NTLM.
If you are unfamiliar with libwbclient, see the "winbind_username" and "winbind_domain" configuration options.
If you also want to use host auths from a Linux client joined to an SMB domain, then there is a lot of magic involved to fish the most recent host password out of the SMB daemon... host passwords are rotated over time. Probably this is not what you are trying to do but just in case someone else googles this mailing list thread:
export DOMAIN=<your AD domain name>
NTLM=$(sudo tdbdump -k SECRETS/MACHINE_PASSWORD/$DOMAIN /var/lib/samba/private/secrets.tdb | perl -e 'use Digest::MD4 qw(md4 md4_hex md4_base64); use Encode qw(decode encode); my $a = <>; $a =~ s/\n$//; $a =~ s/\\00$//; my @a; while ($a =~ s/((?:\\[89A-F].)|(?:.))//) { if (length($1) == 1) { push(@a, $1) } else { my $bs = $1; $bs =~ s/\\/0x/; push (@a, chr(hex("$bs"))) } }; my $blob = join("", @a); print md4_hex(encode("UTF16-LE",decode("UTF-8", $blob)))')
...and then put "hash:$NTLM" in the password setting for your wpa_supplicant/eapol_test config file.
Don't blame the samba folks for the above, they are just faithfully emulating MS AD, even down to the warts and blisters.
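As an added example, not code from the original post: the same extraction in Python, decoding the tdbdump escaping for any non-printable byte (the one-liner above only handles bytes 0x80 and up) and computing the NT hash (MD4 over UTF-16LE) without depending on Digest::MD4 or on an OpenSSL build that still ships MD4. It assumes tdbdump escapes non-printable bytes as \XX and terminates the stored password with \00, as the original regex relies on; the sample value is constructed.

```python
# Added example, not from the original post: decode the escaped value tdbdump
# prints for SECRETS/MACHINE_PASSWORD/<DOMAIN> and derive the NT hash (MD4 over
# UTF-16LE) for wpa_supplicant's "hash:<hex>"; MD4 is inline as hashlib may lack it.
import re
import struct

MASK = 0xFFFFFFFF

def _rot(x, n):
    x &= MASK
    return ((x << n) | (x >> (32 - n))) & MASK

def md4(data: bytes) -> bytes:
    """RFC 1320 MD4: little-endian words, 64-byte blocks, three 16-step rounds."""
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64)
    msg += struct.pack("<Q", len(data) * 8)  # bit length, little-endian
    st = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    r3 = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = st
        for i in range(16):  # round 1, variables rotate each step
            a, b, c, d = d, _rot(a + f(b, c, d) + X[i], (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):  # round 2
            k = (i % 4) * 4 + i // 4
            a, b, c, d = d, _rot(a + g(b, c, d) + X[k] + 0x5A827999, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):  # round 3
            a, b, c, d = d, _rot(a + h(b, c, d) + X[r3[i]] + 0x6ED9EBA1, (3, 9, 11, 15)[i % 4]), b, c
        st = [(s + v) & MASK for s, v in zip(st, (a, b, c, d))]
    return struct.pack("<4I", *st)

def decode_tdbdump_value(dumped: str) -> str:
    """Undo tdbdump escaping (\\XX per non-printable byte, assumed) and drop the
    trailing \\00 terminator; Samba stores the machine password as UTF-8."""
    dumped = re.sub(r"\\00$", "", dumped.rstrip("\n"))
    raw = bytearray()
    for m in re.finditer(r"\\([0-9A-Fa-f]{2})|(.)", dumped, re.S):
        raw.append(int(m.group(1), 16) if m.group(1) else ord(m.group(2)))
    return raw.decode("utf-8")

def nt_hash(password: str) -> str:
    """NT hash = MD4(UTF-16LE(password)), hex for the 'hash:' password form."""
    return md4(password.encode("utf-16-le")).hex()

if __name__ == "__main__":
    pw = decode_tdbdump_value("p\\C3\\A4ssw0rd\\00")  # constructed sample, not real
    print(pw, "hash:" + nt_hash(pw))
```

Pipe the tdbdump output into decode_tdbdump_value and feed the result to nt_hash to get the same hex the Perl one-liner produces.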