[Samba] freeradius + NTLM + samba AD 4.5.x

Jonathan Hunter jmhunter1 at gmail.com
Mon Mar 26 20:33:54 UTC 2018


On 26 March 2018 at 21:16, Jonathan Hunter <jmhunter1 at gmail.com> wrote:

>
> Alternatively.. if there is a way of setting 'ntlm auth' on a per-IP
> basis, then I could only enable it for the freeradius server. I wonder if I
> can add 'include = /usr/local/samba/etc/smb.conf.%I' and then include
> 'ntlm auth = yes' in a smb.conf just for the freeradius server.. I will
> report back!
>

I now realise I have no idea how ntlm_auth actually connects to Samba, and
whether this approach would work - i.e., what IP address does it come from,
or does it use socket connections?

In my example, the Samba server is also the freeradius server, and uses one
of the following two commands (I found ntlm_auth in two freeradius config
files, not sure which one is used any more)... but either way, I don't know
how it would interact with any included smb.conf files.

/usr/local/samba/bin/ntlm_auth --request-nt-key
    --username=%{%{mschap:User-Name}:-%{%{User-Name}:-None}}
    --domain=%{%{mschap:NT-Domain}:-MYDOMAIN}
    --challenge=%{%{mschap:Challenge}:-00}
    --nt-response=%{%{mschap:NT-Response}:-00}
or
/usr/local/samba/bin/ntlm_auth --request-nt-key --domain=MYDOMAIN
    --username=%{mschap:User-Name} --password=%{User-Password}

Maybe I could somehow use ntlm_auth with "--option=ntlm-auth=yes"? The man
page indicates I can set smb.conf options from the command line... I'm just
not sure how ntlm_auth works, i.e. does it talk to a running smbd (and
hence use its smb.conf) or does it read the LDB files or similar and hence
parse smb.conf itself?

-- 
"If we knew what it was we were doing, it would not be called research,
would it?"
      - Albert Einstein