[Samba] [EXTERNAL] Fwd: ntlm_auth and freeradius

Andrew Bartlett abartlet at samba.org
Tue Apr 4 07:45:13 UTC 2023


On Tue, 2023-04-04 at 09:37 +0200, Kees van Vloten wrote:
> Op 04-04-2023 om 00:32 schreef Andrew Bartlett:
>  
> > 
> > On Mon, 2023-04-03 at 15:08 +0000, Tim ODriscoll via samba wrote:
> >  
> > > Unfortunately it's still erroring out:
> > > (7) mschap: Creating challenge hash with username: host/SL-6S4BBS3.MYDOMAIN.co.uk
> > > (7) mschap: Client is using MS-CHAPv2
> > 
> > Is this set as a UPN (with the realm appended) on the user?
> > 
> In my environment (where samba + freeradius + wifi connect with
> machine account works), there is no UPN set on the machine account,
> just a set of SPNs:
> servicePrincipalName: HOST/myhost.example.com
> servicePrincipalName: RestrictedKrbHost/myhost.example.com
> servicePrincipalName: HOST/MYHOST
> servicePrincipalName: RestrictedKrbHost/BARTOK
> servicePrincipalName: WSMAN/myhost.example.com
> servicePrincipalName: WSMAN/myhost
> servicePrincipalName: TERMSRV/myhost.example.com
> servicePrincipalName: TERMSRV/MYHOST
> One of which does match with the username in Tim's output, btw. I
> have seen exactly the same username format while I was setting this
> up around a month ago.
> - Kees.
So NTLM (and Kerberos client) authentication is not possible with an
SPN, but many folks work around it by selecting one of these and having
that in the UPN, eg
userPrincipalName: HOST/myhost.example.com@example.com

This is about the (unusual) username pattern Tim is using; you may be
logging in with myhost$, which would work normally.

Andrew Bartlett

-- 
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Developer, Catalyst IT https://catalyst.net.nz/services/samba
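As an added illustration of Andrew's point (not code from the thread or from Samba), the snippet below checks a login name of the form ntlm_auth receives from FreeRADIUS against a machine account's attributes: NTLM can resolve the sAMAccountName or a userPrincipalName, but a bare servicePrincipalName match means the authentication will fail, and the UPN-based workaround is derived. The LDIF entry and the case-insensitive matching are assumptions for the example.

```python
# Added example, not from the mailing-list thread. Machine-account data is
# constructed; real entries come from e.g. `samba-tool computer show NAME`.
CONSTRUCTED_LDIF = """\
dn: CN=MYHOST,CN=Computers,DC=example,DC=com
sAMAccountName: MYHOST$
servicePrincipalName: HOST/myhost.example.com
servicePrincipalName: RestrictedKrbHost/myhost.example.com
servicePrincipalName: HOST/MYHOST
servicePrincipalName: WSMAN/myhost.example.com
"""


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attr_lower: [values]}; keeps multi-valued attrs."""
    attrs = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        attrs.setdefault(key.strip().lower(), []).append(value.strip())
    return attrs


def classify_login(attrs, login):
    """How NTLM would resolve `login`: 'samaccountname', 'upn',
    'spn-only' (matches an SPN but nothing NTLM can use) or 'unknown'.
    Matching is case-insensitive (assumption, matching AD's behaviour)."""
    name = login.lower()
    if name in (v.lower() for v in attrs.get("samaccountname", [])):
        return "samaccountname"
    if name in (v.lower() for v in attrs.get("userprincipalname", [])):
        return "upn"
    # host/fqdn, as in Tim's FreeRADIUS log, is an SPN, not an account name
    if name in (v.lower() for v in attrs.get("serviceprincipalname", [])):
        return "spn-only"
    return "unknown"


def suggested_upn(attrs, login, realm):
    """Workaround from the thread: set a UPN equal to the SPN plus '@realm'.
    Returns None when the login already works or matches nothing."""
    if classify_login(attrs, login) != "spn-only":
        return None
    spn = next(v for v in attrs["serviceprincipalname"] if v.lower() == login.lower())
    return f"{spn}@{realm}"
```

Run `classify_login` on the exact username string shown in the FreeRADIUS `mschap` line to see which branch applies before changing the account.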