At
http://groups.google.de/group/mailing.unix.samba/browse_frm/thread/3806dd92303380d1/10f21511e488d8d0?lnk=st&q=ntlm_auth++%22machine+authentication%22&rnum=1&hl=de#10f21511e488d8d0
the question is discussed whether ntlm_auth can be used for machine
authentication against a Win2003/AD,
and the conclusion seems to be that it is not really clear:

>Machine accounts are a problem because historically, they were not
>permitted to login with NTLMSSP. This appears to have changed, but
>there must be some flag that windows domain members set, to change this
>behaviour. I don't know what this is at this stage, so I either need to
>see this done to a windows DC, by a windows VPN server (with a system
>policy of 'secure channel: sign'), or try random things till it works...

At http://archives.free.net.ph/message/20051019.171819.b3193dd3.en.html
Michael Griego seems to have found a solution for this, so that it should
work with some source changes.

Having done those changes, I tried on my Linux server (member of the
domain) to authenticate a user via:

    /usr/bin/ntlm_auth --request-nt-key --domain=TDE002.MYDOMAIN.NET --username=testrad --password=bla

which gives:

    NT_STATUS_OK: Success (0x0)

Now I want to authenticate machine accounts in the same way.
Which credentials do I have to supply to ntlm_auth to make it work?
Googling around I found something like:

    /usr/bin/ntlm_auth --request-nt-key --domain=TDE002.MYDOMAIN.NET --username=LNXAD$ --challenge=34b2fe219534fdf8 --nt-response=faefad573223b48c5685b2962dbe18e7e7c6b84816c77ce0

which always gave me:

    Logon failure (0xc000006d)

Thanks
Norbert Wegener

On Sat, 2005-11-19 at 17:18 +0100, Norbert Wegener wrote:
> At
> http://groups.google.de/group/mailing.unix.samba/browse_frm/thread/3806dd92303380d1/10f21511e488d8d0?lnk=st&q=ntlm_auth++%22machine+authentication%22&rnum=1&hl=de#10f21511e488d8d0
> the question is discussed, whether ntlm_auth can be used for machine
> authentication against a Win2003/AD.
> and the conclusion seems to be, that it is not really clear:

> Which credentials do I have to supply to ntlm_auth to make it work?
> Googling around I found something like:

You need Samba 3.0.21rc1 on your Samba server.

Andrew Bartlett

--
Andrew Bartlett                                http://samba.org/~abartlet/
Samba Developer, SuSE Labs, Novell Inc.        http://suse.de
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net

Andrew Bartlett wrote:

>On Sat, 2005-11-19 at 17:18 +0100, Norbert Wegener wrote:
>
>>At
>>http://groups.google.de/group/mailing.unix.samba/browse_frm/thread/3806dd92303380d1/10f21511e488d8d0?lnk=st&q=ntlm_auth++%22machine+authentication%22&rnum=1&hl=de#10f21511e488d8d0
>>the question is discussed, whether ntlm_auth can be used for machine
>>authentication against a Win2003/AD.
>>and the conclusion seems to be, that it is not really clear:
>>
>>Which credentials do I have to supply to ntlm_auth to make it work?
>>Googling around I found something like:
>>
>
>You need Samba 3.0.21rc1 on your Samba server.
>
>Andrew Bartlett
>

I have installed that version right now, but I still get
Logon failure (0xc000006d) when trying to authenticate a machine
(user authentication works fine).
What I do is:

    /usr/local/samba/bin/ntlm_auth --request-nt-key --domain=TDE002.MYDOMAIN.NET --username=LNXAD$ --challenge=0102030405060708 --nt-response=0102030405060708090A0B0C0D0E0F101112131415161718

As I do not know how to determine a valid challenge and response, I took
those values from postings I found. Is this the reason for that behaviour?
If so, how do I get valid values for challenge and response?
If not: What am I doing wrong?

Thanks
Norbert Wegener