Issues with ntlm_auth

Alan DeKok aland at ox.org
Wed May 20 14:45:07 GMT 2009


  I've been seeing sporadic reports where people have issues
authenticating Windows machines via ntlm_auth, over a wireless
connection.  The software pieces are:

    Windows (various versions) -> Wireless Access point  (EAP)
    AP -> RADIUS server (RADIUS)
    RADIUS -> ntlm_auth (exec'd program)
    ntlm_auth -> winbindd (etc.)
    ...
    Active Directory
    ... and back


  The clients are doing PEAP, with MS-CHAPv2 inside of the EAP/TLS
tunnel.  The RADIUS server calls ntlm_auth to request the NT key, which
is used to calculate the MS-CHAP response:

	ntlm_auth --request-nt-key --username=USER --challenge=CHALLENGE \
	    --nt-response=RESPONSE

  This succeeds.   ntlm_auth succeeds, and returns an NT_KEY.  This is
then used to calculate the MS-CHAP response, which is sent back through
the protocol stack to the client PC.

  However... the client PC doesn't like the response.  It stops doing
EAP, and re-starts authentication a few seconds/minutes later.

  Downgrading Samba to an *earlier* version is the secret.  When the
users do that, it suddenly works.  This is even though ntlm_auth returns
"success" for *all* versions of Samba.

  Recent reports indicate that 3.0.34 works on Suse 11.1.  3.2.x and
3.3.x have the problems described above.  Other reports have 3.3.x not
working, and 3.2.x working.  It's all a bit of a mess.

  Does anyone have an idea what could be happening here?  It seems that
the NT key returned by ntlm_auth is wrong, even though the ntlm_auth
authentication succeeded.

  I don't have an Active Directory system myself to do any tests, so I'm
relying on user reports.  There have been enough reports that I think
the problem is real.  However, the reports have been scattered enough
that I haven't collected detailed information about the problem.

  Alan DeKok.
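
An added example, not part of the message above and not FreeRADIUS or
Samba code: the server-side arithmetic that consumes the NT_KEY value
ntlm_auth --request-nt-key prints (the MD4 of the user's NT hash, called
PasswordHashHash in RFC 2759).  It computes the 8-byte challenge passed as
--challenge=, the "S=..." authenticator response sent back in
MS-CHAP2-Success, and the RFC 3079 MPPE master key, all of which depend on
that key.  The supplicant computes the same "S=" value from its own
password and refuses the session if it differs, which is how a wrong
NT_KEY can fail on the client even though ntlm_auth itself reported
success.  The ntlm_auth output line below is constructed; the challenges,
NT response and expected values are the published RFC 2759 / RFC 3079 test
vectors, not captured traffic.  Python 3 standard library only.

```python
"""Server-side MS-CHAPv2 math (RFC 2759 / RFC 3079) driven by the NT_KEY
that ntlm_auth --request-nt-key prints.  Added example; not project code."""
import hashlib

# Constants from RFC 2759 section 8.7 and RFC 3079 section 3.4
MAGIC1 = b"Magic server to client signing constant"
MAGIC2 = b"Pad to make it do more than one iteration"
MPPE_MAGIC1 = b"This is the MPPE Master Key"


def parse_nt_key(ntlm_auth_output: str) -> bytes:
    """Extract the 16-byte NT key from ntlm_auth --request-nt-key output.

    On success ntlm_auth prints a line 'NT_KEY: <32 hex digits>'.  The value
    is MD4(NT hash), i.e. RFC 2759's PasswordHashHash, not the NT hash.
    """
    for line in ntlm_auth_output.splitlines():
        if line.startswith("NT_KEY:"):
            key = bytes.fromhex(line.split(":", 1)[1].strip())
            if len(key) != 16:
                raise ValueError("NT_KEY must be 16 bytes")
            return key
    raise ValueError("no NT_KEY line in ntlm_auth output")


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes,
                   username: bytes) -> bytes:
    """RFC 2759 ChallengeHash(): the 8 bytes passed to ntlm_auth --challenge=."""
    return hashlib.sha1(peer_challenge + auth_challenge + username).digest()[:8]


def authenticator_response(nt_key: bytes, nt_response: bytes,
                           peer_challenge: bytes, auth_challenge: bytes,
                           username: bytes) -> str:
    """RFC 2759 GenerateAuthenticatorResponse() from the ntlm_auth NT key.

    This is the 'S=...' string carried in MS-CHAP2-Success.  The supplicant
    recomputes it from its own password and rejects the session on mismatch.
    """
    digest = hashlib.sha1(nt_key + nt_response + MAGIC1).digest()
    challenge = challenge_hash(peer_challenge, auth_challenge, username)
    resp = hashlib.sha1(digest + challenge + MAGIC2).digest()
    return "S=" + resp.hex().upper()


def mppe_master_key(nt_key: bytes, nt_response: bytes) -> bytes:
    """RFC 3079 GetMasterKey(): the MS-MPPE-Send/Recv-Key attributes are
    derived from this, so a wrong NT key corrupts them as well."""
    return hashlib.sha1(nt_key + nt_response + MPPE_MAGIC1).digest()[:16]


def client_accepts(server_success: str, client_expected: str) -> bool:
    """The supplicant's check: the 42-char 'S=<40 hex>' values must match."""
    return server_success[:42] == client_expected[:42]


# Test vectors from RFC 2759 section 9.2 (not a real exchange)
RFC_USERNAME = b"User"
RFC_AUTH_CHALLENGE = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")
RFC_PEER_CHALLENGE = bytes.fromhex("21402324255E262A28295F2B3A337C7E")
RFC_NT_RESPONSE = bytes.fromhex(
    "82309ECD8D708B5EA08FAA3981CD83544233114A3D85D6DF")
# Constructed stand-in for what ntlm_auth would print for that user/password
SAMPLE_NTLM_AUTH_OUTPUT = "NT_KEY: 41C00C584BD2D91C4017A2A12FA59F3F\n"


def demo() -> str:
    """Compute the MS-CHAP2-Success value for the RFC test vectors."""
    nt_key = parse_nt_key(SAMPLE_NTLM_AUTH_OUTPUT)
    return authenticator_response(nt_key, RFC_NT_RESPONSE, RFC_PEER_CHALLENGE,
                                  RFC_AUTH_CHALLENGE, RFC_USERNAME)


if __name__ == "__main__":
    nt_key = parse_nt_key(SAMPLE_NTLM_AUTH_OUTPUT)
    chal = challenge_hash(RFC_PEER_CHALLENGE, RFC_AUTH_CHALLENGE, RFC_USERNAME)
    print("challenge for ntlm_auth:", chal.hex().upper())
    print("MS-CHAP2-Success:", demo())
    print("MPPE master key:", mppe_master_key(nt_key, RFC_NT_RESPONSE).hex().upper())
```

Feeding a wrong NT_KEY into authenticator_response() still produces a
well-formed "S=" string, so the RADIUS server sees nothing amiss; only the
client_accepts() comparison on the supplicant side fails, which matches the
symptom of the client silently abandoning EAP and retrying later.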


More information about the samba-technical mailing list