<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<style type="text/css" style="display:none;"> P {margin-top:0;margin-bottom:0;} </style>
</head>
<body dir="ltr">
<div class="elementToProof" style="font-family: "Segoe UI", "Segoe UI Web (West European)", "Helvetica Neue", sans-serif; font-size: 10pt; color: rgb(0, 0, 0);">
I have made some further progress analysing this.</div>
<div class="elementToProof" style="font-family: "Segoe UI", "Segoe UI Web (West European)", "Helvetica Neue", sans-serif; font-size: 10pt; color: rgb(0, 0, 0);">
<br>
</div>
<div class="elementToProof" style="font-family: "Segoe UI", "Segoe UI Web (West European)", "Helvetica Neue", sans-serif; font-size: 10pt; color: rgb(0, 0, 0);">
I replaced NtlmAuthProg with a shell script that captures the input stream into a file, and then runs the original ntlm_auth with the same params.</div>
<div class="elementToProof" style="font-family: "Segoe UI", "Segoe UI Web (West European)", "Helvetica Neue", sans-serif; font-size: 10pt; color: rgb(0, 0, 0);">
<br>
</div>
<div class="elementToProof" style="font-family: "Segoe UI", "Segoe UI Web (West European)", "Helvetica Neue", sans-serif; font-size: 10pt; color: rgb(0, 0, 0);">
This permitted me to capture the input to ntlm_auth under different scenarios. As shown below with some (consistent) redaction – I have checked the username cleartext password and domain all base64-decode correctly where they appear.</div>
<div class="elementToProof" style="font-family: "Segoe UI", "Segoe UI Web (West European)", "Helvetica Neue", sans-serif; font-size: 10pt; color: rgb(0, 0, 0);">
<br>
</div>
<div class="elementToProof" style="font-family: "Segoe UI", "Segoe UI Web (West European)", "Helvetica Neue", sans-serif; font-size: 10pt; color: rgb(0, 0, 0);">
Test using my eapol_test method; This fails in the now expected way:</div>
<div class="elementToProof" style="font-family: "Segoe UI", "Segoe UI Web (West European)", "Helvetica Neue", sans-serif; font-size: 10pt; color: rgb(0, 0, 0);">
<br>
</div>
<div class="elementToProof" style="font-family: "Segoe UI", "Segoe UI Web (West European)", "Helvetica Neue", sans-serif; font-size: 10pt; color: rgb(0, 0, 0);">
Request-User-Session-Key: Yes</div>
<div class="elementToProof" style="font-family: "Segoe UI", "Segoe UI Web (West European)", "Helvetica Neue", sans-serif; font-size: 10pt; color: rgb(0, 0, 0);">
NT-Domain:: SoMeChAracTeRsHeRe</div>
<div class="elementToProof" style="font-family: "Segoe UI", "Segoe UI Web (West European)", "Helvetica Neue", sans-serif; font-size: 10pt; color: rgb(0, 0, 0);">
Username:: OthErCharS</div>
<div class="elementToProof" style="font-family: "Segoe UI", "Segoe UI Web (West European)", "Helvetica Neue", sans-serif; font-size: 10pt; color: rgb(0, 0, 0);">
Request-LanMan-Session-Key: Yes</div>
<div class="elementToProof" style="font-family: "Segoe UI", "Segoe UI Web (West European)", "Helvetica Neue", sans-serif; font-size: 10pt; color: rgb(0, 0, 0);">
LANMAN-Challenge: e838f407e1fa6e4b</div>
<div class="elementToProof" style="font-family: "Segoe UI", "Segoe UI Web (West European)", "Helvetica Neue", sans-serif; font-size: 10pt; color: rgb(0, 0, 0);">
NT-Response: e5500f12023e2432f80f9be6650ac44bc9acc2f3f3797991</div>
<div class="elementToProof" style="font-family: "Segoe UI", "Segoe UI Web (West European)", "Helvetica Neue", sans-serif; font-size: 10pt; color: rgb(0, 0, 0);">
.</div>
<div class="elementToProof" style="font-family: "Segoe UI", "Segoe UI Web (West European)", "Helvetica Neue", sans-serif; font-size: 10pt; color: rgb(0, 0, 0);">
<br>
</div>
<div class="elementToProof" style="font-family: "Segoe UI", "Segoe UI Web (West European)", "Helvetica Neue", sans-serif; font-size: 10pt; color: rgb(0, 0, 0);">
Then I made the changes you suggested to use radpwtst, first with PAP which worked:</div>
<div class="elementToProof" style="font-family: "Segoe UI", "Segoe UI Web (West European)", "Helvetica Neue", sans-serif; font-size: 10pt; color: rgb(0, 0, 0);">
<br>
</div>
<div class="elementToProof" style="font-family: "Segoe UI", "Segoe UI Web (West European)", "Helvetica Neue", sans-serif; font-size: 10pt; color: rgb(0, 0, 0);">
Password:: B64EncPassWD==</div>
<div class="elementToProof" style="font-family: "Segoe UI", "Segoe UI Web (West European)", "Helvetica Neue", sans-serif; font-size: 10pt; color: rgb(0, 0, 0);">
Username:: OthErCharS</div>
<div class="elementToProof" style="font-family: "Segoe UI", "Segoe UI Web (West European)", "Helvetica Neue", sans-serif; font-size: 10pt; color: rgb(0, 0, 0);">
NT-Domain:: SoMeChAracTeRsHeRe</div>
<div class="elementToProof" style="font-family: "Segoe UI", "Segoe UI Web (West European)", "Helvetica Neue", sans-serif; font-size: 10pt; color: rgb(0, 0, 0);">
.</div>
<div class="elementToProof" style="font-family: "Segoe UI", "Segoe UI Web (West European)", "Helvetica Neue", sans-serif; font-size: 10pt; color: rgb(0, 0, 0);">
<br>
</div>
<div class="elementToProof" style="font-family: "Segoe UI", "Segoe UI Web (West European)", "Helvetica Neue", sans-serif; font-size: 10pt; color: rgb(0, 0, 0);">
Then with radpwtst -mschapv2, it also works:</div>
<div class="elementToProof" style="font-family: "Segoe UI", "Segoe UI Web (West European)", "Helvetica Neue", sans-serif; font-size: 10pt; color: rgb(0, 0, 0);">
<br>
</div>
<div class="elementToProof" style="font-family: "Segoe UI", "Segoe UI Web (West European)", "Helvetica Neue", sans-serif; font-size: 10pt; color: rgb(0, 0, 0);">
Request-LanMan-Session-Key: Yes</div>
<div class="elementToProof" style="font-family: "Segoe UI", "Segoe UI Web (West European)", "Helvetica Neue", sans-serif; font-size: 10pt; color: rgb(0, 0, 0);">
NT-Domain:: SoMeChAracTeRsHeRe</div>
<div class="elementToProof" style="font-family: "Segoe UI", "Segoe UI Web (West European)", "Helvetica Neue", sans-serif; font-size: 10pt; color: rgb(0, 0, 0);">
Request-User-Session-Key: Yes</div>
<div class="elementToProof" style="font-family: "Segoe UI", "Segoe UI Web (West European)", "Helvetica Neue", sans-serif; font-size: 10pt; color: rgb(0, 0, 0);">
Username:: OthErCharS</div>
<div class="elementToProof" style="font-family: "Segoe UI", "Segoe UI Web (West European)", "Helvetica Neue", sans-serif; font-size: 10pt; color: rgb(0, 0, 0);">
NT-Response: abcb3e701bb9c999c16d5fe84d5eceb1d61f4ab4bd68e5ca</div>
<div class="elementToProof" style="font-family: "Segoe UI", "Segoe UI Web (West European)", "Helvetica Neue", sans-serif; font-size: 10pt; color: rgb(0, 0, 0);">
LANMAN-Challenge: a00f45140ebf8500</div>
<div class="elementToProof" style="font-family: "Segoe UI", "Segoe UI Web (West European)", "Helvetica Neue", sans-serif; font-size: 10pt; color: rgb(0, 0, 0);">
.</div>
<div class="elementToProof" style="font-family: "Segoe UI", "Segoe UI Web (West European)", "Helvetica Neue", sans-serif; font-size: 10pt; color: rgb(0, 0, 0);">
<br>
</div>
<div class="elementToProof" style="font-family: "Segoe UI", "Segoe UI Web (West European)", "Helvetica Neue", sans-serif; font-size: 10pt; color: rgb(0, 0, 0);">
The only material difference I see is in the ordering, but if I re-run it seems the order is pretty random anyway.</div>
<div class="elementToProof" style="font-family: "Segoe UI", "Segoe UI Web (West European)", "Helvetica Neue", sans-serif; font-size: 10pt; color: rgb(0, 0, 0);">
<br>
</div>
<div class="elementToProof" style="font-family: "Segoe UI", "Segoe UI Web (West European)", "Helvetica Neue", sans-serif; font-size: 10pt; color: rgb(0, 0, 0);">
If I take the output of my failed eapol_test and feed into ntlm_auth:</div>
<div class="elementToProof" style="font-family: "Segoe UI", "Segoe UI Web (West European)", "Helvetica Neue", sans-serif; font-size: 10pt; color: rgb(0, 0, 0);">
<br>
</div>
<div class="elementToProof" style="font-family: "Segoe UI", "Segoe UI Web (West European)", "Helvetica Neue", sans-serif; font-size: 10pt; color: rgb(0, 0, 0);">
# ntlm_auth --configfile=/usr/local/etc/smb4.conf --helper-protocol=ntlm-server-1 --option='log level=10' < /tmp/d2</div>
<div class="elementToProof" style="font-family: "Segoe UI", "Segoe UI Web (West European)", "Helvetica Neue", sans-serif; font-size: 10pt; color: rgb(0, 0, 0);">
Got 'Request-User-Session-Key: Yes' from squid (length: 29).</div>
<div class="elementToProof" style="font-family: "Segoe UI", "Segoe UI Web (West European)", "Helvetica Neue", sans-serif; font-size: 10pt; color: rgb(0, 0, 0);">
Got 'NT-Domain:: SoMeChAracTeRsHeRe' from squid (length: ..).</div>
<div class="elementToProof" style="font-family: "Segoe UI", "Segoe UI Web (West European)", "Helvetica Neue", sans-serif; font-size: 10pt; color: rgb(0, 0, 0);">
Got 'Username:: OthErCharS' from squid (length: ..).</div>
<div class="elementToProof" style="font-family: "Segoe UI", "Segoe UI Web (West European)", "Helvetica Neue", sans-serif; font-size: 10pt; color: rgb(0, 0, 0);">
Got 'Request-LanMan-Session-Key: Yes' from squid (length: 31).</div>
<div class="elementToProof" style="font-family: "Segoe UI", "Segoe UI Web (West European)", "Helvetica Neue", sans-serif; font-size: 10pt; color: rgb(0, 0, 0);">
Got 'LANMAN-Challenge: e838f407e1fa6e4b' from squid (length: 34).</div>
<div style="font-family: "Segoe UI", "Segoe UI Web (West European)", "Helvetica Neue", sans-serif; font-size: 10pt; color: rgb(0, 0, 0);">
Got 'NT-Response: e5500f12023e2432f80f9be6650ac44bc9acc2f3f3797991' from squid (length: 61).</div>
<div style="font-family: "Segoe UI", "Segoe UI Web (West European)", "Helvetica Neue", sans-serif; font-size: 10pt; color: rgb(0, 0, 0);">
Got '.' from squid (length: 1).</div>
<div style="font-family: "Segoe UI", "Segoe UI Web (West European)", "Helvetica Neue", sans-serif; font-size: 10pt; color: rgb(0, 0, 0);">
Authenticated: No</div>
<div style="font-family: "Segoe UI", "Segoe UI Web (West European)", "Helvetica Neue", sans-serif; font-size: 10pt; color: rgb(0, 0, 0);">
Authentication-Error: When trying to update a password, this return status indicates that the value provided as the current password is not correct.</div>
<div class="elementToProof" style="font-family: "Segoe UI", "Segoe UI Web (West European)", "Helvetica Neue", sans-serif; font-size: 10pt; color: rgb(0, 0, 0);">
.</div>
<div class="elementToProof" style="font-family: "Segoe UI", "Segoe UI Web (West European)", "Helvetica Neue", sans-serif; font-size: 10pt; color: rgb(0, 0, 0);">
<br>
</div>
<div class="elementToProof" style="font-family: "Segoe UI", "Segoe UI Web (West European)", "Helvetica Neue", sans-serif; font-size: 10pt; color: rgb(0, 0, 0);">
[2024/09/12 22:16:02.668326, 2, pid=2356] NTLM CRAP authentication for user [SUBDOMAIN.STRATH.AC.UK]\[username] returned NT_STATUS_WRONG_PASSWORD<br>
<br>
</div>
<div class="elementToProof" style="font-family: "Segoe UI", "Segoe UI Web (West European)", "Helvetica Neue", sans-serif; font-size: 10pt; color: rgb(0, 0, 0);">
I can do the same with the PAP test input, feeding it to ntlm_auth. It works when correct as above, if I change a character in the password it's a similar failure:</div>
<div class="elementToProof" style="font-family: "Segoe UI", "Segoe UI Web (West European)", "Helvetica Neue", sans-serif; font-size: 10pt; color: rgb(0, 0, 0);">
<br>
</div>
<div class="elementToProof" style="font-family: "Segoe UI", "Segoe UI Web (West European)", "Helvetica Neue", sans-serif; font-size: 10pt; color: rgb(0, 0, 0);">
Got 'Password:: BrokenB64EncPassWD==' from squid (length: ..).</div>
<div class="elementToProof" style="font-family: "Segoe UI", "Segoe UI Web (West European)", "Helvetica Neue", sans-serif; font-size: 10pt; color: rgb(0, 0, 0);">
Got 'Username:: OthErCharS' from squid (length: ..).</div>
<div class="elementToProof" style="font-family: "Segoe UI", "Segoe UI Web (West European)", "Helvetica Neue", sans-serif; font-size: 10pt; color: rgb(0, 0, 0);">
Got 'NT-Domain:: SoMeChAracTeRsHeRe' from squid (length: ..).</div>
<div style="font-family: "Segoe UI", "Segoe UI Web (West European)", "Helvetica Neue", sans-serif; font-size: 10pt; color: rgb(0, 0, 0);">
Got '.' from squid (length: 1).</div>
<div style="font-family: "Segoe UI", "Segoe UI Web (West European)", "Helvetica Neue", sans-serif; font-size: 10pt; color: rgb(0, 0, 0);">
NT_STATUS_WRONG_PASSWORD: When trying to update a password, this return status indicates that the value provided as the current password is not correct. (0xc000006a)</div>
<div style="font-family: "Segoe UI", "Segoe UI Web (West European)", "Helvetica Neue", sans-serif; font-size: 10pt; color: rgb(0, 0, 0);">
Authenticated: No</div>
<div class="elementToProof" style="font-family: "Segoe UI", "Segoe UI Web (West European)", "Helvetica Neue", sans-serif; font-size: 10pt; color: rgb(0, 0, 0);">
.</div>
<div class="elementToProof" style="font-family: "Segoe UI", "Segoe UI Web (West European)", "Helvetica Neue", sans-serif; font-size: 10pt; color: rgb(0, 0, 0);">
<br>
</div>
<div class="elementToProof" style="font-family: "Segoe UI", "Segoe UI Web (West European)", "Helvetica Neue", sans-serif; font-size: 10pt; color: rgb(0, 0, 0);">
<br>
</div>
<div class="elementToProof" style="font-family: "Segoe UI", "Segoe UI Web (West European)", "Helvetica Neue", sans-serif; font-size: 10pt; color: rgb(0, 0, 0);">
I am rather at a loss here now. It seems to boil down to something about the LANMAN-Challenge and NT-Response parts since that's all that's functionally different given these input streams to ntlm_auth (their values shown above are obfuscated), but I don't
know how to look deeper.</div>
<div class="elementToProof" style="font-family: "Segoe UI", "Segoe UI Web (West European)", "Helvetica Neue", sans-serif; font-size: 10pt; color: rgb(0, 0, 0);">
<br>
</div>
<div class="elementToProof" style="font-family: "Segoe UI", "Segoe UI Web (West European)", "Helvetica Neue", sans-serif; font-size: 10pt; color: rgb(0, 0, 0);">
For your other questions:</div>
<div class="elementToProof" style="font-family: "Segoe UI", "Segoe UI Web (West European)", "Helvetica Neue", sans-serif; font-size: 10pt; color: rgb(0, 0, 0);">
<br>
</div>
<div style="font-family: "Segoe UI", "Segoe UI Web (West European)", "Helvetica Neue", sans-serif; font-size: 10pt; color: rgb(0, 0, 0);">
> You did mention that the OS that runs Radiator is also a new one. Could it be that the samba config is different enough to cause the change in behaviour?</div>
<div class="elementToProof" style="font-family: "Segoe UI", "Segoe UI Web (West European)", "Helvetica Neue", sans-serif; font-size: 10pt; color: rgb(0, 0, 0);">
<br>
</div>
<div class="elementToProof" style="font-family: "Segoe UI", "Segoe UI Web (West European)", "Helvetica Neue", sans-serif; font-size: 10pt; color: rgb(0, 0, 0);">
Mildly, as the samba version was also greater so some adjustments were made (upgrading samba always throws in changes). But the above tests are all against the same running samba on the new server. They key setting maybe "ntlm auth = mschapv2-and-ntlmv2-only"
which was unstated (removing it doesn't seem to make a different to the results).</div>
<div class="elementToProof" style="font-family: "Segoe UI", "Segoe UI Web (West European)", "Helvetica Neue", sans-serif; font-size: 10pt; color: rgb(0, 0, 0);">
<br>
</div>
<div class="elementToProof" style="font-family: "Segoe UI", "Segoe UI Web (West European)", "Helvetica Neue", sans-serif; font-size: 10pt; color: rgb(0, 0, 0);">
> I'm not sure how old Radiator you were using, this in a long time.</div>
<div class="elementToProof" style="font-family: "Segoe UI", "Segoe UI Web (West European)", "Helvetica Neue", sans-serif; font-size: 10pt; color: rgb(0, 0, 0);">
<br>
</div>
<div class="elementToProof" style="font-family: "Segoe UI", "Segoe UI Web (West European)", "Helvetica Neue", sans-serif; font-size: 10pt; color: rgb(0, 0, 0);">
Don't tell everyone, it was Radiator-4.17. Darn you made me admit it ...</div>
<div class="elementToProof" style="font-family: "Segoe UI", "Segoe UI Web (West European)", "Helvetica Neue", sans-serif; font-size: 10pt; color: rgb(0, 0, 0);">
<br>
</div>
<div class="elementToProof" style="font-family: "Segoe UI", "Segoe UI Web (West European)", "Helvetica Neue", sans-serif; font-size: 10pt; color: rgb(0, 0, 0);">
Jethro.</div>
<div class="elementToProof" style="font-family: "Segoe UI", "Segoe UI Web (West European)", "Helvetica Neue", sans-serif; font-size: 10pt; color: rgb(0, 0, 0);">
<br>
</div>
<div id="Signature">
<p><span style="font-family: "Segoe UI", "Helvetica Neue", sans-serif; font-size: 10pt; color: rgb(0, 0, 0);">. . . . . . . . . . . . . . . . . . . . . . . . . </span></p>
<p><span style="font-family: "Segoe UI", "Helvetica Neue", sans-serif; font-size: 10pt; color: rgb(0, 0, 0);">J</span><span style="font-family: "segoe ui", "helvetica neue", sans-serif; font-size: 10pt; color: rgb(0, 0, 0); background-color: rgba(0, 0, 0, 0);">ethro
R Binks, Network Manager, </span></p>
<p><span style="font-family: "segoe ui", "helvetica neue", sans-serif; font-size: 10pt; color: rgb(0, 0, 0); background-color: rgba(0, 0, 0, 0);">Information Services Directorate, University Of Strathclyde, Glasgow, UK</span></p>
<p><span style="font-family: "Segoe UI", "Helvetica Neue", sans-serif; font-size: 10pt; color: rgb(0, 0, 0);"><br>
</span></p>
<p><span style="font-family: "segoe ui", "helvetica neue", sans-serif; font-size: 10pt; color: rgb(0, 0, 0); background-color: rgba(0, 0, 0, 0);">The University of Strathclyde is a charitable body, registered in Scotland, number SC015263.</span></p>
</div>
<div id="appendonsend"></div>
<hr style="display:inline-block;width:98%" tabindex="-1">
<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" style="font-size:11pt" color="#000000"><b>From:</b> radiator <radiator-bounces@lists.open.com.au> on behalf of Heikki Vatiainen via radiator <radiator@lists.open.com.au><br>
<b>Sent:</b> 06 September 2024 4:35 PM<br>
<b>To:</b> radiator@lists.open.com.au <radiator@lists.open.com.au><br>
<b>Subject:</b> Re: [RADIATOR] Problems with ntlm_auth for EAP inner auth after upgrade</font>
<div> </div>
</div>
<div class="BodyFragment"><font size="2"><span style="font-size:11pt;">
<div class="PlainText">On 27.8.2024 19.53, Jethro Binks via radiator wrote:<br>
<br>
> I re-tested adding --allow-mschapv2 to NtlmAuthProg but it made no <br>
> difference; I think I've tried that with and without before but wasn't <br>
> consistent in what I wrote in my email.<br>
<br>
Let's ignore this. That is, it's good to have enabled and it's not <br>
what's causing problems in your case.<br>
<br>
> As a cross-check, I also tested the same eapol_test config against a <br>
> Radiator server that I did not upgrade yet, and that was fine.<br>
> <br>
> The (inner) username (identity) being supplied is generally of the form <br>
> username@strath.ac.uk, however the directory is <br>
> SUBDOMAIN.STRATH.AC.UK so I effectively have:<br>
> <br>
> <AuthBy NTLM><br>
> Identifier ITSAuthEAPInnerNTLMbackend<br>
> NtlmAuthProg /usr/local/bin/ntlm_auth --allow-mschapv2 -- <br>
> configfile=/usr/local/etc/smb4.conf --helper-protocol=ntlm-server-1 -- <br>
> option="log level=0"<br>
> DefaultDomain SUBDOMAIN.STRATH.AC.UK<br>
> EAPType MSCHAP-V2<br>
> UsernameMatchesWithoutRealm<br>
> </AuthBy><br>
> <br>
> The intention being that UsernameMatchesWithoutRealm strips <br>
> @strath.ac.uk supplied in the identity, and I think DefaultDomain was <br>
> there to add the AD domain in. This seems to work for clients that <br>
> supply a realm-less inner identity (including if I change my eapol_test <br>
> config to a realmless identity="username") , but I suspect DefaultDomain <br>
> is actually redundant here, since Samba knows what the domain is anyway.<br>
<br>
That's correct. The @realm part is removed and since there's no DOMAIN\ <br>
in the username, DefaultDomain is pushed to ntlm_auth.<br>
<br>
In case you'd need a more powerful method to alter the username just <br>
before it's written to ntlm_auth, there's a hook for this in AuthBy NTLM:<br>
<br>
<a href="https://files.radiatorsoftware.com/radiator/ref/AuthByNTLM.html#NtlmRewriteHook_AuthByNTLM">https://files.radiatorsoftware.com/radiator/ref/AuthByNTLM.html#NtlmRewriteHook_AuthByNTLM</a><br>
<br>
One option could be to:<br>
- leave Domain and DefaultDomain unset<br>
- possibly enable UsernameMatchesWithoutRealm to remove @realm part<br>
- use NtlmRewriteHook to append @subdomain.strath.ac.uk to the realmless <br>
username<br>
<br>
The hook runs after UsernameMatchesWithoutRealm and after the optional <br>
UsernameFormat has been applied to the username. The next thing that <br>
happens after the hook is I/O with ntlm_auth. By default UsernameFormat <br>
does not change the username.<br>
<br>
I've also looked at the changes in AuthBy NTLM, and I don't see anything <br>
that would change the request processing flow. For example, <br>
LANMAN-Challenge is calculated from the username without DOMAIN\ part <br>
and this is done before UsernameMatchesWithoutRealm is applied. I'm not <br>
sure how old Radiator you were using, this in a long time. I also think <br>
it can't really be changed or then it would break MSCHAPv2.<br>
<br>
You did mention that the OS that runs Radiator is also a new one. Could <br>
it be that the samba config is different enough to cause the change in <br>
behaviour?<br>
<br>
> I've now added Domain SUBDOMAIN.STRATH.AC.UK explicitly too to the <br>
> AuthBy, and the samba logs seem to show the right thing being tested:<br>
> <br>
> [2024/08/27 17:38:10.340352, 2, pid=2356] NTLM CRAP authentication <br>
> for user [SUBDOMAIN.STRATH.AC.UK]\[username] returned <br>
> NT_STATUS_WRONG_PASSWORD<br>
> <br>
> I can test the Domain param is being used by changing it, and now I can get:<br>
> <br>
> [2024/08/27 17:42:18.767691, 2, pid=2356] NTLM CRAP authentication <br>
> for user [NONSENSE.STRATH.AC.UK]\[username] returned NT_STATUS_NO_SUCH_USER<br>
> <br>
> So I am still puzzled, even when forcing use of Domain, what is <br>
> different between running ntlm_auth on the CLI, and ntlm_auth through <br>
> Radiator.<br>
<br>
If you configure a Handler for non-EAP requests and use the same AuthBy <br>
NTLM with it, you could test with radpwtst. It allows testing with, for <br>
example, PAP and MSCHAPv2. This would be closest way to compare <br>
ntlm_auth via CLI and ntlm_auth via Radiator.<br>
<br>
> Here's a samba line generated using my same test script sending to the <br>
> non-upgraded working server:<br>
> <br>
> [2024/08/27 17:46:05.053600, 5, pid=6371] NTLM CRAP authentication <br>
> for user [SUBDOMAIN.STRATH.AC.UK]\[username] returned NT_STATUS_OK<br>
<br>
-- <br>
Heikki Vatiainen<br>
Radiator Software, makers of Radiator<br>
Visit radiatorsoftware.com for Radiator AAA server software<br>
<br>
_______________________________________________<br>
radiator mailing list<br>
radiator@lists.open.com.au<br>
<a href="https://lists.open.com.au/mailman/listinfo/radiator">https://lists.open.com.au/mailman/listinfo/radiator</a></div>
</span></font></div>
</body>
</html>