[Samba] ntlm_auth and PEAP machine authentication

Matthew Alexander mra4d at virginia.edu
Thu Oct 6 02:12:00 GMT 2005

Mike McCauley of OSC/Radiator provided me with this "quick and dirty fix":

in samba/source/rpc_client/cli_netlogon.c,
cli_netlogon_sam_network_logon() function
the param_ctrl flags passed to init_id_info2() are always set to 0 but
should be set to 0x800 (MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT)
to enable machine authentication.

Although kind of a shortcut, it works great if you need machine auth.  Maybe 
it can help someone else?


>On Sun, 2005-10-02 at 11:25 -0400, Matthew Alexander wrote:
>> I am trying to use ntlm_auth for machine authentication requests
>> against a Win2003/AD from my RADIUS server.  Normal, user
>> authentication works fine, but not machine authentication.
>> The username passed from RADIUS to ntlm-auth looks like host/pcname123.
>> I'm wondering if the "/" is killing it?  The ntlm_auth man page says
>> that it expects only Samba's unix charset.
>> Does anyone have any ideas about how I can accomplish this?  Thanks.

>Machine accounts are a problem because historically, they were not
>permitted to login with NTLMSSP.  This appears to have changed, but
>there must be some flag that windows domain members set, to change this
>behaviour.  I don't know what this is at this stage, so I either need to
>see this done to a windows DC, by a windows VPN server (with a system
>policy of 'secure channel: sign'), or try random things till it works...
>Andrew Bartlett
>Andrew Bartlett                                http://samba.org/~abartlet/
>Samba Developer, SuSE Labs, Novell Inc.        http://suse.de
>Authentication Developer, Samba Team           http://samba.org
>Student Network Administrator, Hawker College  http://hawkerc.net

More information about the samba mailing list