Tomáš Janeček wrote:
> MYNTDOMAIN is just a fake Domain name I pasted in the log. But ntlm_auth
> on the server uses my real domain...
>
> I see the error announced by ntlm_auth, but don't know how to repair it.
> When I run ntlm_auth --request-nt-key --domain=MYREALNTDOMAIN
> --username=user and provide the password, everything works fine...
>
> The Windows machine is a member of the domain (for a few months).
>
> Isn't there a problem with the PLAINTEXT?

No. ntlm_auth will take the MS-CHAP data, and send it to Active Directory. AD *should* use that to authenticate the user, and return ok/fail.

To test MS-CHAP, I suggest using eapol_test, from wpa_supplicant. See src/tests/eap-ttls-mschap.conf for a sample configuration.

1) test ntlm_auth on the command-line with clear-text passwords
2) test EAP-TTLS + MSCHAP with eapol_test, and a user in the "users" file.
3) test EAP-TTLS + MSCHAP with eapol_test, and the username/password from (1).
4) test it with a real supplicant.

Alan DeKok.
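
Steps 1 to 3 of the sequence in the reply above, as an added example that is not part of the original thread or of FreeRADIUS. Assumptions: a RADIUS server on 127.0.0.1 with shared secret "testing123", the function and variable names, and the generated config values (they are not copied from src/tests/eap-ttls-mschap.conf).

```shell
#!/bin/sh
# Added example: run steps 1-3 in order, stopping at the first failure.
# Assumed, not from the thread: RADIUS_HOST, RADIUS_SECRET, AD_PASS,
# LOCAL_PASS, all function names, ssid and anonymous_identity values.
RADIUS_HOST="${RADIUS_HOST:-127.0.0.1}"
RADIUS_SECRET="${RADIUS_SECRET:-testing123}"

# Write an eapol_test config: EAP-TTLS outer, MS-CHAP inner.
# Usage: write_ttls_mschap_conf FILE USER PASSWORD
write_ttls_mschap_conf() {
    (
        umask 077   # the file holds a clear-text password
        cat > "$1" <<EOF
network={
    ssid="example"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="$2"
    anonymous_identity="anonymous"
    password="$3"
    phase2="auth=MSCHAP"
}
EOF
    )
}

# Step 1: ntlm_auth alone; it prompts for the clear-text password.
step1_ntlm_auth() {   # DOMAIN USER
    ntlm_auth --request-nt-key --domain="$1" --username="$2"
}

# Steps 2 and 3: the same eapol_test run with different credentials.
step_eapol() {        # USER PASSWORD
    conf=$(mktemp) || return 1
    write_ttls_mschap_conf "$conf" "$1" "$2"
    eapol_test -c "$conf" -a "$RADIUS_HOST" -s "$RADIUS_SECRET"
    rc=$?
    rm -f "$conf"     # do not leave the password on disk
    return "$rc"
}

# Runs only when called as: script DOMAIN AD_USER LOCAL_USER
# with AD_PASS and LOCAL_PASS in the environment (kept out of argv).
if [ "$#" -eq 3 ]; then
    step1_ntlm_auth "$1" "$2" || { echo "step 1 (ntlm_auth) failed"; exit 1; }
    step_eapol "$3" "${LOCAL_PASS:?}" || { echo "step 2 (users file) failed"; exit 1; }
    step_eapol "$2" "${AD_PASS:?}" || { echo "step 3 (AD account) failed"; exit 1; }
fi
```

A password containing a double quote would need escaping before it is written into the config file.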