[Samba] ntlm_auth and PEAP machine authentication
Norbert Wegener
nw at sbs.de
Sat Nov 19 16:18:56 GMT 2005
At
http://groups.google.de/group/mailing.unix.samba/browse_frm/thread/3806dd92303380d1/10f21511e488d8d0?lnk=st&q=ntlm_auth++%22machine+authentication%22&rnum=1&hl=de#10f21511e488d8d0
the question is discussed whether ntlm_auth can be used for machine
authentication against a Win2003/AD,
and the conclusion seems to be that it is not really clear:
>Machine accounts are a problem because historically, they were not
>permitted to log in with NTLMSSP. This appears to have changed, but
>there must be some flag that Windows domain members set, to change this
>behaviour. I don't know what this is at this stage, so I either need to
>see this done to a Windows DC, by a Windows VPN server (with a system
>policy of 'secure channel: sign'), or try random things till it works...
At
http://archives.free.net.ph/message/20051019.171819.b3193dd3.en.html
Michael Griego seems to have found a solution for this, so that it
should work with some source changes.
Having made those changes, I tried on my Linux server (a member of the
domain) to authenticate a user via:
/usr/bin/ntlm_auth --request-nt-key --domain=TDE002.MYDOMAIN.NET \
    --username=testrad --password=bla
This gives NT_STATUS_OK: Success (0x0)
Now I want to authenticate machine accounts in the same way.
Which credentials do I have to supply to ntlm_auth to make it work?
Googling around, I found something like:
/usr/bin/ntlm_auth --request-nt-key --domain=TDE002.MYDOMAIN.NET \
    --username=LNXAD$ --challenge=34b2fe219534fdf8 \
    --nt-response=faefad573223b48c5685b2962dbe18e7e7c6b84816c77ce0
which always gave me:
Logon failure (0xc000006d)
Thanks
Norbert Wegener