ntlm_auth and FR
Alan DeKok
aland at deployingradius.com
Wed Jan 22 17:37:16 UTC 2025
On Jan 22, 2025, at 11:35 AM, Gopal Raman via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
>
> I'm running PEAP authentication with my Radius server running on Ubuntu
> 22.04 and the same box also runs Samba 4 and is configured as an AD Domain
> Controller (just for testing). I want to use NTLM to do the MS-Chapv2
> challenge response. I followed the Freeradius documentation that shows how
> to use ntlm_auth to get the NT-KEY and it works as expected when I invoke
> it like so from the bash shell
That's good.
> But what I really want is for the Radius server to run on a separate Linux
> host (say RadSrv) and talk to an external DC (like a Microsoft server).
You will need a Samba system to talk to AD. FreeRADIUS then talks to Samba.
The Samba system doesn't need to be the same as the FreeRADIUS system.
> I've made RadSrv a member of the AD domain. When I run the exact same
> ntlm_auth on the RadSrv host, it reports that the password is incorrect and
> does not produce the NT-KEY.
That's likely a Samba configuration issue.
> My question is whether using Samba it's even possible to do what I'm
> attempting. In other words should a domain member (not the DC) be able to
> run ntlm_auth and achieve the same result?
Yes.
You need to configure Samba properly for this.
Alan DeKok.