[Samba] ntlm_auth and freeradius

Tim ODriscoll tim.odriscoll at lambrookschool.co.uk
Mon Apr 3 14:05:20 UTC 2023


Dear All,

I'm trying to set up FreeRADIUS to authenticate a machine account to grant access to wifi for domain-connected machines. I think I've got the GPOs set up properly and the CA deployed to the clients, as I'm not getting any errors there.

The errors I'm getting are to do with ntlm_auth not authenticating my machine account. Everything looks OK (to me) on the command line:
# wbinfo -t
checking the trust secret for domain MYDOMAIN via RPC calls succeeded
# wbinfo -p
Ping to winbindd succeeded
# ls -ld /var/lib/samba/winbindd_privileged/
drwxr-x---+ 2 root radiusd 18 Apr  1 21:39 /var/lib/samba/winbindd_privileged/
# ntlm_auth --username=tim.odriscoll
Password: 
:  (0x0)

Samba's config has this on the member (FR) server and all the DCs:
        ntlm auth = mschapv2-and-ntlmv2-only

But I'm getting this back from FreeRADIUS:
(7) mschap: Creating challenge hash with username: host/SL-6S4BBS3.MYDOMAIN.co.uk
(7) mschap: Client is using MS-CHAPv2
(7) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --allow-mschapv2 --domain=lambrook --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}:
(7) mschap: EXPAND --username=%{mschap:User-Name}
(7) mschap:    --> --username=SL-6S4BBS3$
(7) mschap: Creating challenge hash with username: host/SL-6S4BBS3.MYDOMAIN.co.uk
(7) mschap: EXPAND --challenge=%{mschap:Challenge:-00}
(7) mschap:    --> --challenge=f4b42ffab7c68fa8
(7) mschap: EXPAND --nt-response=%{mschap:NT-Response:-00}
(7) mschap:    --> --nt-response=66c030f13772db256f38898578b884e013658f121d517fa3
(7) mschap: ERROR: Program returned code (1) and output 'The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)'
(7) mschap: External script failed
(7) mschap: ERROR: External script says: The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)
(7) mschap: ERROR: MS-CHAP2-Response is incorrect

Anyone have any ideas what to try next?

Many thanks,
Tim

