[Samba] ntlm_auth and PEAP machine authentication
Matthew Alexander
mra4d at virginia.edu
Thu Oct 6 02:12:00 GMT 2005
Mike McCauley of OSC/Radiator provided me with this "quick and dirty fix":
in samba/source/rpc_client/cli_netlogon.c,
cli_netlogon_sam_network_logon() function
the param_ctrl flags passed to init_id_info2() are always set to 0 but
should be set to 0x800 (MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT)
to enable machine authentication.
Although kind of a shortcut, it works great if you need machine auth. Maybe
it can help someone else?
Thanks,
Matt
>On Sun, 2005-10-02 at 11:25 -0400, Matthew Alexander wrote:
>> I am trying to use ntlm_auth for machine authentication requests
>> against a Win2003/AD from my RADIUS server. Normal, user
>> authentication works fine, but not machine authentication.
>> The username passed from RADIUS to ntlm_auth looks like host/pcname123.
>> I'm wondering if the "/" is killing it? The ntlm_auth man page says
>> that it expects only Samba's unix charset.
>>
>> Does anyone have any ideas about how I can accomplish this? Thanks.
>Machine accounts are a problem because historically, they were not
>permitted to login with NTLMSSP. This appears to have changed, but
>there must be some flag that windows domain members set, to change this
>behaviour. I don't know what this is at this stage, so I either need to
>see this done to a windows DC, by a windows VPN server (with a system
>policy of 'secure channel: sign'), or try random things till it works...
>....
>Andrew Bartlett
>
>--
>Andrew Bartlett http://samba.org/~abartlet/
>Samba Developer, SuSE Labs, Novell Inc. http://suse.de
>Authentication Developer, Samba Team http://samba.org
>Student Network Administrator, Hawker College http://hawkerc.net
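The fix described above sets the init_id_info2() param_ctrl flags to 0x800 for every logon, which is the "shortcut" Matt mentions. The following is an added example, not code from this thread or from Samba, showing the narrower version a defender would prefer: keep the default of 0 (the DC's refusal of workstation trust accounts) for ordinary users and set MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT only when the RADIUS identity has the PEAP machine-auth form host/pcname123. The helpers is_machine_identity(), machine_account_name() and param_ctrl_for() are hypothetical names, and the mapping of host/<name> to the machine account <name>$ is an assumption about how the AD computer account is named, not something the thread states.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The only flag the thread names; value as in the MSV1_0 logon definitions. */
#define MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT 0x00000800

/* Hypothetical helper: does the RADIUS identity use the PEAP machine-auth
 * form "host/<computername>"? Rejects an empty name and a second slash. */
static bool is_machine_identity(const char *identity)
{
    const char *prefix = "host/";
    size_t plen = strlen(prefix);
    return identity != NULL
        && strncmp(identity, prefix, plen) == 0
        && identity[plen] != '\0'
        && strchr(identity + plen, '/') == NULL;
}

/* Hypothetical helper: map "host/pcname123" to the machine-account name
 * "pcname123$" (assumption: the AD computer account is the host name with
 * a trailing '$'). Returns false and leaves out empty if the identity is
 * not a machine identity or the buffer is too small. */
static bool machine_account_name(const char *identity, char *out, size_t outlen)
{
    if (outlen == 0) return false;
    out[0] = '\0';
    if (!is_machine_identity(identity)) return false;

    const char *name = identity + strlen("host/");
    size_t n = strlen(name);
    if (n + 2 > outlen) return false;   /* name + '$' + NUL must fit */
    memcpy(out, name, n);
    out[n] = '$';
    out[n + 1] = '\0';
    return true;
}

/* Hypothetical: the param_ctrl value to hand to init_id_info2(). The
 * default of 0 keeps the DC's refusal of workstation trust accounts; the
 * bit is set only when the request is recognisably a machine logon. */
static uint32_t param_ctrl_for(const char *identity)
{
    return is_machine_identity(identity)
        ? MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT : 0;
}

int main(void)
{
    /* Constructed sample identities: one machine logon, one user, two malformed. */
    const char *samples[] = { "host/pcname123", "jsmith", "host/", "host/a/b" };
    char acct[64];

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        bool m = machine_account_name(samples[i], acct, sizeof acct);
        printf("%-16s param_ctrl=0x%03x %s%s\n", samples[i],
               param_ctrl_for(samples[i]),
               m ? "machine account " : "user logon", m ? acct : "");
    }
    return 0;
}
```

Gating the flag on the identity form means a plain user name such as jsmith is still refused if it happens to resolve to a trust account, while host/pcname123 is let through as pcname123$; a malformed identity like host/ or host/a/b falls back to the default of 0.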