<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Feb 26, 2015 at 2:47 PM, Edward Holcroft <span dir="ltr"><<a href="mailto:eholcroft@mkainc.com" target="_blank">eholcroft@mkainc.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div style="font-size:small">Make sure winbind is running. That held me up for the longest time.</div><div style="font-size:small"><br></div><div style="font-size:small">Have you joined the Radius box to the AD domain? </div><div style="font-size:small"><br></div><div style="font-size:small">What do you get when you do:<br></div><div style="font-size:small"><br></div><div style="font-size:small"><div>ntlm_auth --request-nt-key --domain=your.domain --username=Administrator</div><div><br></div><div>If you do not get NT_STATUS_OK: Success (0x0)</div><div><br></div><div>then you need to fix that first.</div></div></div></blockquote><div><br></div><div>Stated in my original post that is all working.</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div style="font-size:small"><br></div><div style="font-size:small"><br></div><div class="gmail_extra"><div class="gmail_quote"><span class=""><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div dir="ltr"><div class="gmail_extra"><div class="gmail_quote"><span><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
Do you have this entry under the mschap section?<br>
<br>
<br>
with_ntdomain_hack = yes</blockquote><div><br></div></span><div>That got deprecated in favor of the "realm ntdomain" config as far as I can tell. So I don't have the hack enabled, but I do have:</div><div><br></div><div>```</div><div>ntlm_auth = "/bin/ntlm_auth --request-nt-key --username=%{%{mschap:User-Name}:-None} --domain=%{%{mschap:NT-Domain}:-None} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"<br></div></div></div></div></blockquote><div><br></div><div><br></div></span><div><div style="font-size:small;display:inline">Is that just an example that you're quoting, or is that your actual config line? My working /etc/freeradius/modules/mschap</div> <div style="font-size:small;display:inline">contains this:</div></div><div><div style="font-size:small;display:inline"><br></div></div><div><div style="display:inline"><div>ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --domain=%{mschap:NT-Domain:-MKA.LOCAL} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"</div><div><br></div><div>where MKA.LOCAL is my AD domain.</div></div></div><div><div style="font-size:small;display:inline"></div></div><div><div style="font-size:small">I am using the with_ntdomain_hack=yes version of freeRadius, so cannot comment on realm ntdomain.</div></div></div></div></div></blockquote><div><br></div><div>That is my actual config line. It works just fine when a username that doesn't have the escape sequence for the tab character in it authenticates. </div></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div>James Sumners<br><a href="http://james.sumners.info/" target="_blank">http://james.sumners.info/</a> (technical profile)</div><div><a href="http://jrfom.com/" target="_blank">http://jrfom.com/</a> (personal site)</div><div><a href="http://haplo.bandcamp.com/" target="_blank">http://haplo.bandcamp.com/</a> (band page)</div></div></div></div></div>
</div></div>