[Samba] ntlm_auth and PEAP machine authentication

Norbert Wegener nw at sbs.de
Sat Nov 19 16:18:56 GMT 2005

The question is discussed whether ntlm_auth can be used for machine
authentication against a Win2003/AD,
and the conclusion seems to be that it is not really clear:

 >Machine accounts are a problem because historically, they were not
 >permitted to login with NTLMSSP.  This appears to have changed, but
 >there must be some flag that windows domain members set, to change this
 >behaviour.  I don't know what this is at this stage, so I either need to
 >see this done to a windows DC, by a windows VPN server (with a system
 >policy of 'secure channel: sign'), or try random things till it works...

Michael Griego seems to have found a solution for this, so that it
should work with some source changes.
Having made those changes, I tried on my Linux server (a member of the
domain) to authenticate a user via:

/usr/bin/ntlm_auth --request-nt-key --domain=TDE002.MYDOMAIN.NET --username=testrad --password=bla

which gives:
NT_STATUS_OK: Success (0x0)

Now I want to authenticate machine accounts in the same way.

Which credentials do I have to supply to ntlm_auth to make it work?
Googling around I found something like:

/usr/bin/ntlm_auth --request-nt-key --domain=TDE002.MYDOMAIN.NET --username=LNXAD$ --challenge=34b2fe219534fdf8

which always gave me:
Logon failure (0xc000006d)

Norbert Wegener
