search for: 6s4bbs3

...nbindd_privileged/ # ntlm_auth --username=tim.odriscoll Password: : (0x0) Samba's config has this on the member (FR) server and all the DCs: ntlm auth = mschapv2-and-ntlmv2-only But I'm getting this back from FreeRADIUS: (7) mschap: Creating challenge hash with username: host/SL-6S4BBS3.MYDOMAIN.co.uk (7) mschap: Client is using MS-CHAPv2 (7) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --allow-mschapv2 --domain=lambrook --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}: (7) mschap: EXPAND --username=%{mschap:User-...

...: (0x0) You already did the thing I asked below... > Samba's config has this on the member (FR) server and all the DCs: > ntlm auth = mschapv2-and-ntlmv2-only > > But I'm getting this back from FreeRADIUS: > (7) mschap: Creating challenge hash with username: host/SL-6S4BBS3.MYDOMAIN.co.uk > (7) mschap: Client is using MS-CHAPv2 > (7) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --allow-mschapv2 --domain=lambrook --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}: > (7) mschap: EXPAND --username...

...were almost identical, so I've tweaked them so that they are now exactly the same as yours except for the "--require-membership-of=example\authorization_groupname" line in ntlm_auth. Unfortunately it's still erroring out: (7) mschap: Creating challenge hash with username: host/SL-6S4BBS3.MYDOMAIN.co.uk (7) mschap: Client is using MS-CHAPv2 (7) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --username=%{%{mschap:User-Name}:-00} --allow-mschapv2 --domain=MYDOMAIN --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}: (7) mschap: EXPAND --username=%...

...ame=tim.odriscoll > Password: > : (0x0) > > Samba's config has this on the member (FR) server and all the DCs: > ntlm auth = mschapv2-and-ntlmv2-only > > But I'm getting this back from FreeRADIUS: > (7) mschap: Creating challenge hash with username: host/SL-6S4BBS3.MYDOMAIN.co.uk > (7) mschap: Client is using MS-CHAPv2 > (7) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --allow-mschapv2 --domain=lambrook --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}: > (7) mschap: EXPAND --username...

On Mon, 2023-04-03 at 15:08 +0000, Tim ODriscoll via samba wrote: > Unfortunately it's still erroring out: > (7) mschap: Creating challenge hash with username: host/SL-6S4BBS3.MYDOMAIN.co.uk > (7) mschap: Client is using MS-CHAPv2 Is this set as a UPN (with the realm appended) on the user? -- Andrew Bartlett (he/him) https://samba.org/~abartlet/ Samba Team Member (since 2001) https://samba.org Samba Developer, Catalyst IT https://catalyst.net.nz/services/samba

...n wrote: > Op 04-04-2023 om 00:32 schreef Andrew Bartlett: > > > > > On Mon, 2023-04-03 at 15:08 +0000, Tim ODriscoll via samba wrote: > > > > > Unfortunately it's still erroring out: > > > (7) mschap: Creating challenge hash with username: host/SL-6S4BBS3.MYDOMAIN.co.uk > > > (7) mschap: Client is using MS-CHAPv2 > > > > Is this set as a UPN (with the realm appended) on the user? > > > In my environment (where samba + freeradius + wifi connect with > machine account works), there is no UPN set on the machine accoun...

On Mon, 2023-04-03 at 15:08 +0000, Tim ODriscoll via samba wrote: Unfortunately it's still erroring out: (7) mschap: Creating challenge hash with username: host/SL-6S4BBS3.MYDOMAIN.co.uk (7) mschap: Client is using MS-CHAPv2 > Is this set as a UPN (with the realm appended) on the user? I don't see any UPN's in my AD record, only SPNs - unless I misunderstand you? I've run the 'radtest' client with '-t mschap' and without as paramete...

On Tue, 2023-04-04 at 07:55 +0000, Tim ODriscoll wrote: > On Mon, 2023-04-03 at 15:08 +0000, Tim ODriscoll via samba wrote: > > > > > > Unfortunately it's still erroring out: > > (7) mschap: Creating challenge hash with username: host/SL- > > 6S4BBS3.MYDOMAIN.co.uk > > (7) mschap: Client is using MS-CHAPv2 > > > > > Is this set as a UPN (with the realm appended) on the user? > > > > > I don't see any UPN's in my AD record, only SPNs - unless I > misunderstand you? > > > > &gt...