I completed additional troubleshooting. I was not able to find any evidence
in the source code of special permissions being set on the AD side. I am
not at all familiar with what permissions are being requested or how the
system works at a low level. I also noticed that the situation I was
explaining before - where only one of the AD servers 'works' (returns Auth
OK) - has returned. Please see the logs attached.

Does anyone here know how to:
1. Test this NTLM auth call from the packetfence server against
individual servers without caching using the command line (instructions
for /usr/local/pf/bin/ntlm_auth_wrapper are outdated in docs)
2. Locate the permissions necessary. I have confirmed that the computer
account has some level of access to read the OU that the user accounts
belong to.

2025-12-05T17:39:33.419287-06:00 uspwk1-netops-pf
ntlm-auth-api-domain[128833]: [2025-12-05 17:39:33 -0600] [8] [DEBUG] GET
/ping
2025-12-05T17:39:36.905760-06:00 uspwk1-netops-pf
ntlm-auth-api-domain[128833]: [2025-12-05 17:39:36 -0600] [8] [DEBUG] POST
/ntlm/auth
2025-12-05T17:39:36.907236-06:00 uspwk1-netops-pf
ntlm-auth-api-domain[128833]: [2025-12-05 17:39:36 -0600] [8] [DEBUG] lp:
netbios = PFNAC, realm = ***, server_str = PFNAC, workgroup = ad
2025-12-05T17:39:36.907236-06:00 uspwk1-netops-pf
ntlm-auth-api-domain[128833]: [2025-12-05 17:39:36 -0600] [8] [DEBUG]
find_dc using dns servers: 10.36.200.4,10.36.200.5
2025-12-05T17:39:36.925429-06:00 uspwk1-netops-pf
ntlm-auth-api-domain[128833]: [2025-12-05 17:39:36 -0600] [8] [DEBUG] find
dc: pdc_dns_name = ad02.***, e = 0, m =
2025-12-05T17:39:36.927049-06:00 uspwk1-netops-pf
ntlm-auth-api-domain[128833]: [2025-12-05 17:39:36 -0600] [8] [DEBUG]
establish secure channel, context = ncacn_np:ad02.***[schannel,seal]
2025-12-05T17:39:36.947762-06:00 uspwk1-netops-pf
ntlm-auth-api-domain[128833]: [2025-12-05 17:39:36 -0600] [8] [DEBUG]
secure connection established successfully.
2025-12-05T17:39:36.949105-06:00 uspwk1-netops-pf
ntlm-auth-api-domain[128833]: [2025-12-05 17:39:36 -0600] [8] [WARNING]
auth failed: user = 'mark@ad', e = 3221225506, m = NT Error: code:
3221225506, message: (3221225506, '{Access Denied} A process has requested
access to an object but has not been granted those access rights.') using
ad02.***\PFNAC$
2025-12-05T17:39:36.949105-06:00 uspwk1-netops-pf
ntlm-auth-api-domain[128833]: [2025-12-05 17:39:36 -0600] [8] [WARNING] Is
this machine account is shared by another ntlm_auth process (or another
cluster node)?
2025-12-05T17:39:36.950837-06:00 uspwk1-netops-pf
ntlm-auth-api-domain[128833]: 100.64.0.1 - - <8> [05/Dec/2025:17:39:36
-0600] "POST /ntlm/auth HTTP/1.1" 400 158 "-" "-"
2025-12-05T17:39:43.482574-06:00 uspwk1-netops-pf
ntlm-auth-api-domain[128833]: [2025-12-05 17:39:43 -0600] [8] [DEBUG] GET
/ping
2025-12-05T17:39:53.545775-06:00 uspwk1-netops-pf
ntlm-auth-api-domain[128833]: [2025-12-05 17:39:53 -0600] [8] [DEBUG] GET
/ping
2025-12-05T17:40:01.211536-06:00 uspwk1-netops-pf
ntlm-auth-api-domain[128833]: [2025-12-05 17:40:01 -0600] [8] [DEBUG] POST
/ntlm/auth
2025-12-05T17:40:01.214869-06:00 uspwk1-netops-pf
ntlm-auth-api-domain[128833]: [2025-12-05 17:40:01 -0600] [8] [DEBUG] lp:
netbios = PFNAC, realm = ***, server_str = PFNAC, workgroup = ad
2025-12-05T17:40:01.214869-06:00 uspwk1-netops-pf
ntlm-auth-api-domain[128833]: [2025-12-05 17:40:01 -0600] [8] [DEBUG]
find_dc using dns servers: 10.36.200.4,10.36.200.5
2025-12-05T17:40:01.233818-06:00 uspwk1-netops-pf
ntlm-auth-api-domain[128833]: [2025-12-05 17:40:01 -0600] [8] [DEBUG] find
dc: pdc_dns_name = ad01.***, e = 0, m =
2025-12-05T17:40:01.234697-06:00 uspwk1-netops-pf
ntlm-auth-api-domain[128833]: [2025-12-05 17:40:01 -0600] [8] [DEBUG]
establish secure channel, context = ncacn_np:ad01.***[schannel,seal]
2025-12-05T17:40:01.252627-06:00 uspwk1-netops-pf
ntlm-auth-api-domain[128833]: [2025-12-05 17:40:01 -0600] [8] [DEBUG]
secure connection established successfully.
2025-12-05T17:40:01.255169-06:00 uspwk1-netops-pf
ntlm-auth-api-domain[128833]: [2025-12-05 17:40:01 -0600] [8] [INFO] Auth
OK 'mark@ad', NT_KEY = 'bb****************************e1' using
ad01.***\PFNAC$
2025-12-05T17:40:01.257390-06:00 uspwk1-netops-pf
ntlm-auth-api-domain[128833]: 100.64.0.1 - - <8> [05/Dec/2025:17:40:01
-0600] "POST /ntlm/auth HTTP/1.1" 200 40 "-" "-"
2025-12-05T17:40:03.596933-06:00 uspwk1-netops-pf
ntlm-auth-api-domain[128833]: [2025-12-05 17:40:03 -0600] [8] [DEBUG] GET
/ping
2025-12-05T17:40:13.656824-06:00 uspwk1-netops-pf
ntlm-auth-api-domain[128833]: [2025-12-05 17:40:13 -0600] [8] [DEBUG] GET
/ping
2025-12-05T17:40:23.719888-06:00 uspwk1-netops-pf
ntlm-auth-api-domain[128833]: [2025-12-05 17:40:23 -0600] [8] [DEBUG] GET
/ping
2025-12-05T17:40:33.763586-06:00 uspwk1-netops-pf
ntlm-auth-api-domain[128833]: [2025-12-05 17:40:33 -0600] [8] [DEBUG] GET
/ping
2025-12-05T17:40:34.837223-06:00 uspwk1-netops-pf
ntlm-auth-api-domain[128833]: [2025-12-05 17:40:34 -0600] [8] [DEBUG] POST
/ntlm/auth
2025-12-05T17:40:34.841217-06:00 uspwk1-netops-pf
ntlm-auth-api-domain[128833]: [2025-12-05 17:40:34 -0600] [8] [INFO] Auth
OK 'mark@ad', NT_KEY = 'bb****************************e1' using
ad01.***\PFNAC$
2025-12-05T17:40:34.841824-06:00 uspwk1-netops-pf
ntlm-auth-api-domain[128833]: 100.64.0.1 - - <8> [05/Dec/2025:17:40:34
-0600] "POST /ntlm/auth HTTP/1.1" 200 40 "-" "-"
2025-12-05T17:40:42.357227-06:00 uspwk1-netops-pf
ntlm-auth-api-domain[128833]: [2025-12-05 17:40:42 -0600] [8] [DEBUG] POST
/ntlm/auth
2025-12-05T17:40:42.360792-06:00 uspwk1-netops-pf
ntlm-auth-api-domain[128833]: [2025-12-05 17:40:42 -0600] [8] [INFO] Auth
OK 'mark@ad', NT_KEY = 'bb****************************e1' using
ad01.***\PFNAC$
2025-12-05T17:40:42.361730-06:00 uspwk1-netops-pf
ntlm-auth-api-domain[128833]: 100.64.0.1 - - <8> [05/Dec/2025:17:40:42
-0600] "POST /ntlm/auth HTTP/1.1" 200 40 "-" "-"
2025-12-05T17:40:43.820317-06:00 uspwk1-netops-pf
ntlm-auth-api-domain[128833]: [2025-12-05 17:40:43 -0600] [8] [DEBUG] GET
/ping
2025-12-05T17:40:48.426060-06:00 uspwk1-netops-pf
ntlm-auth-api-domain[128833]: [2025-12-05 17:40:48 -0600] [8] [DEBUG] POST
/ntlm/auth
2025-12-05T17:40:48.429841-06:00 uspwk1-netops-pf
ntlm-auth-api-domain[128833]: [2025-12-05 17:40:48 -0600] [8] [INFO] Auth
OK 'mark@ad', NT_KEY = 'bb****************************e1' using
ad01.***\PFNAC$
2025-12-05T17:40:48.430706-06:00 uspwk1-netops-pf
ntlm-auth-api-domain[128833]: 100.64.0.1 - - <8> [05/Dec/2025:17:40:48
-0600] "POST /ntlm/auth HTTP/1.1" 200 40 "-" "-"
2025-12-05T17:40:53.884831-06:00 uspwk1-netops-pf
ntlm-auth-api-domain[128833]: [2025-12-05 17:40:53 -0600] [8] [DEBUG] GET
/ping
2025-12-05T17:40:54.568527-06:00 uspwk1-netops-pf
ntlm-auth-api-domain[128833]: [2025-12-05 17:40:54 -0600] [8] [DEBUG] POST
/ntlm/auth
2025-12-05T17:40:54.570974-06:00 uspwk1-netops-pf
ntlm-auth-api-domain[128833]: [2025-12-05 17:40:54 -0600] [8] [INFO] Auth
OK 'mark@ad', NT_KEY = 'bb****************************e1' using
ad01.***\PFNAC$
2025-12-05T17:40:54.571605-06:00 uspwk1-netops-pf
ntlm-auth-api-domain[128833]: 100.64.0.1 - - <8> [05/Dec/2025:17:40:54
-0600] "POST /ntlm/auth HTTP/1.1" 200 40 "-" "-"
Mark Amber
On Fri, Dec 5, 2025 at 2:31 PM Mark Amber <[email protected]> wrote:
> Do we have any documentation as far as what groups/permissions these would
> be and where they could be set?
>
> I am going to dig into the source code for the NTLM setup and see what it
> attempted to set up after I gave it my domain admin username but if there
> are any helpful hints I would appreciate it so much.
>
> On Fri, Dec 5, 2025 at 2:25 PM Fabrice Durand <[email protected]> wrote:
>
>> Hi Mark,
>>
>> Thanks for providing the logs. This line confirms the issue originates on
>> the Active Directory (AD) side:
>>
>> {Access Denied} A process has requested access to an object but has not
>> been granted those access rights.
>>
>> This strongly suggests a permissions issue with the computer account
>> PacketFence is using to join the domain and perform authentication. The
>> machine account does not have the necessary access rights in AD.
>>
>> You should investigate the permissions of the PacketFence machine account
>> in Active Directory to ensure it has the required access rights for NTLM
>> authentication.
>>
>> Best regards,
>>
>> Fabrice
>>
>> On Fri, Dec 5, 2025 at 15:15, Mark Amber via PacketFence-users <
>> [email protected]> wrote:
>>
>>> Hello
>>>
>>> I am having difficulty with setting up AD authentication for Radius. I
>>> am looking for assistance. I believe my issue is on the side of the AD
>>> servers but I have very little insight into what could be going on or what
>>> help tools are available to run and test on the host. What I just did was
>>> recreate this issue:
>>>
>>> I am in a *non*-clustered (standalone packetfence) environment, v
>>> 15.0.0. Installed from the ISO recently.
>>>
>>> I am trying to base my work on these sections of the docs
>>>
>>>
>>> https://www.packetfence.org/doc/PacketFence_Installation_Guide.html#_connecting_packetfence_to_microsoft_active_directory
>>>
>>>
>>> https://www.packetfence.org/doc/PacketFence_Installation_Guide.html#_microsoft_active_directory_ad
>>>
>>> There are issues with these docs - for instance the testing command does
>>> not exist anymore
>>>
>>> spladmin@uspwk1-netops-pf:~$ /usr/local/pf/bin/ntlm_auth_wrapper
>>> --username=mark
>>> /usr/local/pf/bin/ntlm_auth_wrapper: unrecognized option
>>> '--username=mark'
>>> Try `ntlm_auth_wrapper --help' or `ntlm_auth_wrapper --usage' for more
>>> information.
>>>
>>> 1. Remove any / old Active Directory Domains items
>>> 2. Restart ntlm-auth-api and radiusd-auth
>>> 3. Restart packetfence entirely
>>> 4. Clear browser cache (there is a bug where the client will prevent
>>> adding new AD sources with the same name I observe)
>>> 5. Add back the AD join, with a new computer account name, and new
>>> computer account password - no errors! it adds the machine account to my AD
>>> (See logs)
>>> 6. start ntlm-auth-api and restart radiusd-auth (see logs)
>>> 7. Create an AD Authentication source and enter a binding user, test it
>>> and it works.
>>> 8. Set the realms up to use the NTLM and test radius and it does not
>>> work.
>>>
>>> What I do know - there is another 'hacky' way I can get this to work by
>>> setting packetfence to strip the username and password and look up the user
>>> over LDAPS - when I turn on stripping in the realms and use TTLS-PAP on a
>>> mac and enter my sAMAccountName and password in a radius tester I get
>>> Action-Accept. I can observe it knows the proper username/password and
>>> there is no firewall/router between these hosts.
>>>
>>> But when that realm is setup per the guide using the 'domain' rather
>>> than funneling via AD as an LDAP server 'hack' which is how it should be
>>> setup - I get issues (see logs below)
>>>
>>> Also the 'Sticky DC' field does not seem to honor a hostname, or I do
>>> not know maybe I need to use DC=X,DC=Y type format there. But now even the
>>> single AD server which was working is also not working. I mention this
>>> because for a while only one of the AD servers worked and I could see
>>> accept messages from it but failures from the other 3. So I went down that
>>> rabbit hole. But now the latest attempt none of them work so it is moot.
>>>
>>> The main warnings are [sic]:
>>> Is this machine account is shared by another ntlm_auth process (or
>>> another cluster node)?
>>>
>>> and
>>>
>>> {Access Denied} A process has requested access to an object but has not
>>> been granted those access rights.'
>>>
>>>
>>> I have seen several threads about this which related to the following
>>> and gone down that rabbit hole without any success:
>>>
>>> 1. https://github.com/inverse-inc/packetfence/issues/8370 - solutions
>>> such as ones related to clustered environments, and also bad machine
>>> account password were raised
>>> 2.
>>> https://sourceforge.net/p/packetfence/mailman/packetfence-users/thread/sj2pr02mb100520bf1b55cf2f6a3a5ab31a2...@sj2pr02mb10052.namprd02.prod.outlook.com/
>>> - no response
>>> 3.
>>> https://www.reddit.com/r/PacketFence/comments/1iv3i9t/cant_get_pf_joined_to_the_domain/
>>> - NTLM v2 - tried this no help
>>> 4.
>>> https://sourceforge.net/p/packetfence/mailman/packetfence-users/thread/0d8be4356ac2efbe0656141bb26338da%40mail.gmail.com/#msg59228778
>>> seemed like user error - not too relevant maybe
>>>
>>> Here are some scrubbed logs removing my hostnames but might have been
>>> overzealous in scrubbing these please let me know if anything needs to be
>>> cleared up:
>>>
>>> 2025-12-05T10:51:58.370841-06:00 ***
>>> ntlm-auth-api-docker-wrapper[21965]: Checking sub service for domain [ad]:
>>> http://***:5000/ping, response = []. Not ready. Skipped checking for
>>> other domains.
>>> 2025-12-05T10:51:59.429186-06:00 ***
>>> ntlm-auth-api-docker-wrapper[21965]: Checking sub service for domain [ad]:
>>> http://***:5000/ping, response = []. Not ready. Skipped checking for
>>> other domains.
>>> 2025-12-05T10:52:00.424741-06:00 *** ntlm-auth-api-domain[22005]:
>>> [2025-12-05 10:52:00 -0600] [7] [INFO] ntlm-auth-api@ad is starting on
>>> port 5000.
>>> 2025-12-05T10:52:00.426231-06:00 *** ntlm-auth-api-domain[22005]:
>>> [2025-12-05 10:52:00 -0600] [7] [DEBUG] loading domain config from
>>> /usr/local/pf/conf/domain.conf
>>> 2025-12-05T10:52:00.426231-06:00 *** ntlm-auth-api-domain[22005]:
>>> [2025-12-05 10:52:00 -0600] [7] [INFO] Load database config from
>>> /usr/local/pf/var/conf/ntlm-auth-api.d/db.ini
>>> 2025-12-05T10:52:00.426231-06:00 *** ntlm-auth-api-domain[22005]:
>>> [2025-12-05 10:52:00 -0600] [7] [DEBUG] using cache: redis://***:6379
>>> 2025-12-05T10:52:00.426231-06:00 *** ntlm-auth-api-domain[22005]:
>>> [2025-12-05 10:52:00 -0600] [7] [INFO] database config: ***
>>> 2025-12-05T10:52:00.426231-06:00 *** ntlm-auth-api-domain[22005]:
>>> [2025-12-05 10:52:00 -0600] [7] [INFO] starting ntlm-auth-api@*** ad
>>> 2025-12-05T10:52:00.472661-06:00 ***
>>> ntlm-auth-api-docker-wrapper[21965]: Checking sub service for domain [ad]:
>>> http://***:5000/ping, response = []. Not ready. Skipped checking for
>>> other domains.
>>> 2025-12-05T10:52:01.439482-06:00 *** ntlm-auth-api-domain[22005]:
>>> [2025-12-05 10:52:01 -0600] [7] [DEBUG] AD FQDN: *** resolved with IP: ***.
>>> 2025-12-05T10:52:01.439482-06:00 *** ntlm-auth-api-domain[22005]:
>>> [2025-12-05 10:52:01 -0600] [7] [DEBUG] NTLM Auth API started with the
>>> following parameters:
>>> 2025-12-05T10:52:01.439482-06:00 *** ntlm-auth-api-domain[22005]:
>>> [2025-12-05 10:52:01 -0600] [7] [DEBUG] ad_fqdn ***
>>> 2025-12-05T10:52:01.439482-06:00 *** ntlm-auth-api-domain[22005]:
>>> [2025-12-05 10:52:01 -0600] [7] [DEBUG] ad_server ***
>>> 2025-12-05T10:52:01.440801-06:00 *** ntlm-auth-api-domain[22005]:
>>> [2025-12-05 10:52:01 -0600] [7] [DEBUG] server_name ***
>>> 2025-12-05T10:52:01.440801-06:00 *** ntlm-auth-api-domain[22005]:
>>> [2025-12-05 10:52:01 -0600] [7] [DEBUG] server_name (parsed) ***
>>> 2025-12-05T10:52:01.440801-06:00 *** ntlm-auth-api-domain[22005]:
>>> [2025-12-05 10:52:01 -0600] [7] [DEBUG] dns_name ***
>>> 2025-12-05T10:52:01.440801-06:00 *** ntlm-auth-api-domain[22005]:
>>> [2025-12-05 10:52:01 -0600] [7] [DEBUG] workgroup ad
>>> 2025-12-05T10:52:01.440801-06:00 *** ntlm-auth-api-domain[22005]:
>>> [2025-12-05 10:52:01 -0600] [7] [DEBUG] machine_account_password ***
>>> 2025-12-05T10:52:01.440801-06:00 *** ntlm-auth-api-domain[22005]:
>>> [2025-12-05 10:52:01 -0600] [7] [DEBUG] dns_servers ***
>>> 2025-12-05T10:52:01.440801-06:00 *** ntlm-auth-api-domain[22005]:
>>> [2025-12-05 10:52:01 -0600] [7] [DEBUG] nt_key_cache_enabled disabled
>>> 2025-12-05T10:52:01.440801-06:00 *** ntlm-auth-api-domain[22005]:
>>> [2025-12-05 10:52:01 -0600] [7] [DEBUG] nt_key_cache_expire 12000
>>> 2025-12-05T10:52:01.440801-06:00 *** ntlm-auth-api-domain[22005]:
>>> [2025-12-05 10:52:01 -0600] [7] [DEBUG] NT Key cache enabled: False
>>> 2025-12-05T10:52:01.441692-06:00 *** ntlm-auth-api-domain[22005]:
>>> [2025-12-05 10:52:01 -0600] [7] [DEBUG] loaded global variables
>>> 2025-12-05T10:52:01.441692-06:00 *** ntlm-auth-api-domain[22005]:
>>> [2025-12-05 10:52:01 -0600] [7] [DEBUG] ---- Domain profile settings ----
>>> 2025-12-05T10:52:01.441692-06:00 *** ntlm-auth-api-domain[22005]:
>>> [2025-12-05 10:52:01 -0600] [7] [DEBUG] global_vars.c_server_name
>>> ***
>>> 2025-12-05T10:52:01.441692-06:00 *** ntlm-auth-api-domain[22005]:
>>> [2025-12-05 10:52:01 -0600] [7] [DEBUG] global_vars.c_ad_server
>>> ***
>>> 2025-12-05T10:52:01.442060-06:00 *** ntlm-auth-api-domain[22005]:
>>> [2025-12-05 10:52:01 -0600] [7] [DEBUG] global_vars.c_realm
>>> ***
>>> 2025-12-05T10:52:01.442060-06:00 *** ntlm-auth-api-domain[22005]:
>>> [2025-12-05 10:52:01 -0600] [7] [DEBUG] global_vars.c_workgroup
>>> ad
>>> 2025-12-05T10:52:01.442312-06:00 *** ntlm-auth-api-domain[22005]:
>>> [2025-12-05 10:52:01 -0600] [7] [DEBUG] global_vars.c_username
>>> ***
>>> 2025-12-05T10:52:01.442439-06:00 *** ntlm-auth-api-domain[22005]:
>>> [2025-12-05 10:52:01 -0600] [7] [DEBUG] global_vars.c_password
>>> ***
>>> 2025-12-05T10:52:01.442439-06:00 *** ntlm-auth-api-domain[22005]:
>>> [2025-12-05 10:52:01 -0600] [7] [DEBUG]
>>> global_vars.c_additional_machine_accounts 0
>>> 2025-12-05T10:52:01.442627-06:00 *** ntlm-auth-api-domain[22005]:
>>> [2025-12-05 10:52:01 -0600] [7] [DEBUG] global_vars.c_netbios_name
>>> ***
>>> 2025-12-05T10:52:01.443031-06:00 *** ntlm-auth-api-domain[22005]:
>>> [2025-12-05 10:52:01 -0600] [7] [DEBUG] global_vars.c_workstation
>>> ***
>>> 2025-12-05T10:52:01.443031-06:00 *** ntlm-auth-api-domain[22005]:
>>> [2025-12-05 10:52:01 -0600] [7] [DEBUG] global_vars.c_server_string
>>> ***
>>> 2025-12-05T10:52:01.443031-06:00 *** ntlm-auth-api-domain[22005]:
>>> [2025-12-05 10:52:01 -0600] [7] [DEBUG] global_vars.c_domain
>>> ad
>>> 2025-12-05T10:52:01.443501-06:00 *** ntlm-auth-api-domain[22005]:
>>> [2025-12-05 10:52:01 -0600] [7] [DEBUG] global_vars.c_dns_servers
>>> ***
>>> 2025-12-05T10:52:01.443501-06:00 *** ntlm-auth-api-domain[22005]:
>>> [2025-12-05 10:52:01 -0600] [7] [DEBUG] ---- NT Key cache ----
>>> 2025-12-05T10:52:01.443501-06:00 *** ntlm-auth-api-domain[22005]:
>>> [2025-12-05 10:52:01 -0600] [7] [DEBUG] global_vars.c_nt_key_cache_enabled
>>> False
>>> 2025-12-05T10:52:01.443770-06:00 *** ntlm-auth-api-domain[22005]:
>>> [2025-12-05 10:52:01 -0600] [7] [DEBUG] global_vars.c_nt_key_cache_expire
>>> 12000
>>> 2025-12-05T10:52:01.443770-06:00 *** ntlm-auth-api-domain[22005]:
>>> [2025-12-05 10:52:01 -0600] [7] [DEBUG]
>>> global_vars.c_ad_account_lockout_threshold 0
>>> 2025-12-05T10:52:01.443996-06:00 *** ntlm-auth-api-domain[22005]:
>>> [2025-12-05 10:52:01 -0600] [7] [DEBUG]
>>> global_vars.c_ad_account_lockout_duration 30
>>> 2025-12-05T10:52:01.443996-06:00 *** ntlm-auth-api-domain[22005]:
>>> [2025-12-05 10:52:01 -0600] [7] [DEBUG]
>>> global_vars.c_ad_reset_account_lockout_counter_after 30
>>> 2025-12-05T10:52:01.444188-06:00 *** ntlm-auth-api-domain[22005]:
>>> [2025-12-05 10:52:01 -0600] [7] [DEBUG]
>>> global_vars.c_ad_old_password_allowed_period 60
>>> 2025-12-05T10:52:01.444188-06:00 *** ntlm-auth-api-domain[22005]:
>>> [2025-12-05 10:52:01 -0600] [7] [DEBUG]
>>> global_vars.c_max_allowed_password_attempts_per_device 0
>>> 2025-12-05T10:52:01.444188-06:00 *** ntlm-auth-api-domain[22005]:
>>> [2025-12-05 10:52:01 -0600] [7] [DEBUG] ---- Database ----
>>> 2025-12-05T10:52:01.444188-06:00 *** ntlm-auth-api-domain[22005]:
>>> [2025-12-05 10:52:01 -0600] [7] [DEBUG] global_vars.c_db_host
>>> localhost
>>> 2025-12-05T10:52:01.444555-06:00 *** ntlm-auth-api-domain[22005]:
>>> [2025-12-05 10:52:01 -0600] [7] [DEBUG] global_vars.c_db_port 3306
>>> 2025-12-05T10:52:01.444555-06:00 *** ntlm-auth-api-domain[22005]:
>>> [2025-12-05 10:52:01 -0600] [7] [DEBUG] global_vars.c_db_user ***
>>> 2025-12-05T10:52:01.444555-06:00 *** ntlm-auth-api-domain[22005]:
>>> [2025-12-05 10:52:01 -0600] [7] [DEBUG] global_vars.c_db_pass ***
>>> 2025-12-05T10:52:01.444806-06:00 *** ntlm-auth-api-domain[22005]:
>>> [2025-12-05 10:52:01 -0600] [7] [DEBUG] global_vars.c_db ***
>>> 2025-12-05T10:52:01.444904-06:00 *** ntlm-auth-api-domain[22005]:
>>> [2025-12-05 10:52:01 -0600] [7] [DEBUG] global_vars.c_db_unix_socket
>>> /var/lib/mysql/mysql.sock
>>> 2025-12-05T10:52:01.445186-06:00 *** ntlm-auth-api-domain[22005]:
>>> [2025-12-05 10:52:01 -0600] [7] [DEBUG] ---- Multi workers ----
>>> 2025-12-05T10:52:01.445575-06:00 *** ntlm-auth-api-domain[22005]:
>>> [2025-12-05 10:52:01 -0600] [7] [DEBUG] global_vars.c_cache_host ***
>>> 2025-12-05T10:52:01.445575-06:00 *** ntlm-auth-api-domain[22005]:
>>> [2025-12-05 10:52:01 -0600] [7] [DEBUG] global_vars.c_cache_port 6379
>>> 2025-12-05T10:52:01.445895-06:00 *** ntlm-auth-api-domain[22005]:
>>> [2025-12-05 10:52:01 -0600] [7] [DEBUG] global_vars.s_computer_account_base
>>> ***
>>> 2025-12-05T10:52:01.473043-06:00 *** ntlm-auth-api-domain[22005]:
>>> [2025-12-05 10:52:01 -0600] [7] [DEBUG] Current configuration:
>>> 2025-12-05T10:52:01.473043-06:00 *** ntlm-auth-api-domain[22005]:
>>> config: /usr/local/pf/bin/pyntlm_auth/gunicorn.conf.py
>>> 2025-12-05T10:52:01.473043-06:00 *** ntlm-auth-api-domain[22005]:
>>> wsgi_app: entrypoint:app
>>> 2025-12-05T10:52:01.473043-06:00 *** ntlm-auth-api-domain[22005]: bind:
>>> ['0.0.0.0:5000']
>>> 2025-12-05T10:52:01.473043-06:00 *** ntlm-auth-api-domain[22005]:
>>> backlog: 2048
>>> 2025-12-05T10:52:01.473043-06:00 *** ntlm-auth-api-domain[22005]:
>>> workers: 1
>>> 2025-12-05T10:52:01.473043-06:00 *** ntlm-auth-api-domain[22005]:
>>> worker_class: sync
>>> 2025-12-05T10:52:01.473043-06:00 *** ntlm-auth-api-domain[22005]:
>>> threads: 1
>>> 2025-12-05T10:52:01.473043-06:00 *** ntlm-auth-api-domain[22005]:
>>> worker_connections: 1000
>>> 2025-12-05T10:52:01.473043-06:00 *** ntlm-auth-api-domain[22005]:
>>> max_requests: 10000
>>> 2025-12-05T10:52:01.473043-06:00 *** ntlm-auth-api-domain[22005]:
>>> max_requests_jitter: 50
>>> 2025-12-05T10:52:01.473043-06:00 *** ntlm-auth-api-domain[22005]:
>>> timeout: 30
>>> 2025-12-05T10:52:01.473043-06:00 *** ntlm-auth-api-domain[22005]:
>>> graceful_timeout: 10
>>> 2025-12-05T10:52:01.473043-06:00 *** ntlm-auth-api-domain[22005]:
>>> keepalive: 2
>>> 2025-12-05T10:52:01.473043-06:00 *** ntlm-auth-api-domain[22005]:
>>> limit_request_line: 4094
>>> 2025-12-05T10:52:01.473043-06:00 *** ntlm-auth-api-domain[22005]:
>>> limit_request_fields: 100
>>> 2025-12-05T10:52:01.473043-06:00 *** ntlm-auth-api-domain[22005]:
>>> limit_request_field_size: 8190
>>> 2025-12-05T10:52:01.473043-06:00 *** ntlm-auth-api-domain[22005]:
>>> reload: False
>>> 2025-12-05T10:52:01.473043-06:00 *** ntlm-auth-api-domain[22005]:
>>> reload_engine: auto
>>> 2025-12-05T10:52:01.473043-06:00 *** ntlm-auth-api-domain[22005]:
>>> reload_extra_files: []
>>> 2025-12-05T10:52:01.473043-06:00 *** ntlm-auth-api-domain[22005]: spew:
>>> False
>>> 2025-12-05T10:52:01.473043-06:00 *** ntlm-auth-api-domain[22005]:
>>> check_config: False
>>> 2025-12-05T10:52:01.473043-06:00 *** ntlm-auth-api-domain[22005]:
>>> print_config: False
>>> 2025-12-05T10:52:01.473043-06:00 *** ntlm-auth-api-domain[22005]:
>>> preload_app: False
>>> 2025-12-05T10:52:01.473043-06:00 *** ntlm-auth-api-domain[22005]:
>>> sendfile: None
>>> 2025-12-05T10:52:01.473043-06:00 *** ntlm-auth-api-domain[22005]:
>>> reuse_port: False
>>> 2025-12-05T10:52:01.473043-06:00 *** ntlm-auth-api-domain[22005]:
>>> chdir: /usr/local/pf/bin/pyntlm_auth
>>> 2025-12-05T10:52:01.473043-06:00 *** ntlm-auth-api-domain[22005]:
>>> daemon: False
>>> 2025-12-05T10:52:01.473043-06:00 *** ntlm-auth-api-domain[22005]:
>>> raw_env: []
>>> 2025-12-05T10:52:01.473043-06:00 *** ntlm-auth-api-domain[22005]:
>>> pidfile: None
>>> 2025-12-05T10:52:01.473043-06:00 *** ntlm-auth-api-domain[22005]:
>>> worker_tmp_dir: None
>>> 2025-12-05T10:52:01.473043-06:00 *** ntlm-auth-api-domain[22005]: user:
>>> 0
>>> 2025-12-05T10:52:01.473043-06:00 *** ntlm-auth-api-domain[22005]:
>>> group: 0
>>> 2025-12-05T10:52:01.473043-06:00 *** ntlm-auth-api-domain[22005]:
>>> umask: 0
>>> 2025-12-05T10:52:01.473043-06:00 *** ntlm-auth-api-domain[22005]:
>>> initgroups: False
>>> 2025-12-05T10:52:01.473043-06:00 *** ntlm-auth-api-domain[22005]:
>>> tmp_upload_dir: None
>>> 2025-12-05T10:52:01.473043-06:00 *** ntlm-auth-api-domain[22005]:
>>> secure_scheme_headers: {'X-FORWARDED-PROTOCOL': 'ssl',
>>> 'X-FORWARDED-PROTO': 'https', 'X-FORWARDED-SSL': 'on'}
>>> 2025-12-05T10:52:01.473043-06:00 *** ntlm-auth-api-domain[22005]:
>>> forwarded_allow_ips: ['127.0.0.1']
>>> 2025-12-05T10:52:01.473043-06:00 *** ntlm-auth-api-domain[22005]:
>>> accesslog: -
>>> 2025-12-05T10:52:01.473043-06:00 *** ntlm-auth-api-domain[22005]:
>>> disable_redirect_access_to_syslog: False
>>> 2025-12-05T10:52:01.473043-06:00 *** ntlm-auth-api-domain[22005]:
>>> access_log_format: %(h)s %(l)s %(u)s %(p)s %(t)s "%(r)s" %(s)s %(b)s
>>> "%(f)s" "%(a)s"
>>> 2025-12-05T10:52:01.473043-06:00 *** ntlm-auth-api-domain[22005]:
>>> errorlog: -
>>> 2025-12-05T10:52:01.473043-06:00 *** ntlm-auth-api-domain[22005]:
>>> loglevel: debug
>>> 2025-12-05T10:52:01.473043-06:00 *** ntlm-auth-api-domain[22005]:
>>> capture_output: False
>>> 2025-12-05T10:52:01.473043-06:00 *** ntlm-auth-api-domain[22005]:
>>> logger_class: <class '__config__.CustomGunicornLogger'>
>>> 2025-12-05T10:52:01.473043-06:00 *** ntlm-auth-api-domain[22005]:
>>> logconfig: None
>>> 2025-12-05T10:52:01.473043-06:00 *** ntlm-auth-api-domain[22005]:
>>> logconfig_dict: {}
>>> 2025-12-05T10:52:01.473043-06:00 *** ntlm-auth-api-domain[22005]:
>>> syslog_addr: udp://localhost:514
>>> 2025-12-05T10:52:01.473043-06:00 *** ntlm-auth-api-domain[22005]:
>>> syslog: False
>>> 2025-12-05T10:52:01.473043-06:00 *** ntlm-auth-api-domain[22005]:
>>> syslog_prefix: None
>>> 2025-12-05T10:52:01.473043-06:00 *** ntlm-auth-api-domain[22005]:
>>> syslog_facility: user
>>> 2025-12-05T10:52:01.473043-06:00 *** ntlm-auth-api-domain[22005]:
>>> enable_stdio_inheritance: False
>>> 2025-12-05T10:52:01.473043-06:00 *** ntlm-auth-api-domain[22005]:
>>> statsd_host: None
>>> 2025-12-05T10:52:01.473043-06:00 *** ntlm-auth-api-domain[22005]:
>>> dogstatsd_tags:
>>> 2025-12-05T10:52:01.473043-06:00 *** ntlm-auth-api-domain[22005]:
>>> statsd_prefix:
>>> 2025-12-05T10:52:01.473043-06:00 *** ntlm-auth-api-domain[22005]:
>>> proc_name: None
>>> 2025-12-05T10:52:01.473043-06:00 *** ntlm-auth-api-domain[22005]:
>>> default_proc_name: gunicorn
>>> 2025-12-05T10:52:01.473043-06:00 *** ntlm-auth-api-domain[22005]:
>>> pythonpath: None
>>> 2025-12-05T10:52:01.473043-06:00 *** ntlm-auth-api-domain[22005]:
>>> paste: None
>>> 2025-12-05T10:52:01.473043-06:00 *** ntlm-auth-api-domain[22005]:
>>> on_starting: <function on_starting at 0x7f1a1afa0900>
>>> 2025-12-05T10:52:01.473043-06:00 *** ntlm-auth-api-domain[22005]:
>>> on_reload: <function OnReload.on_reload at 0x7f1a20cfe160>
>>> 2025-12-05T10:52:01.473043-06:00 *** ntlm-auth-api-domain[22005]:
>>> when_ready: <function WhenReady.when_ready at 0x7f1a20cfe2a0>
>>> 2025-12-05T10:52:01.473043-06:00 *** ntlm-auth-api-domain[22005]:
>>> pre_fork: <function Prefork.pre_fork at 0x7f1a20cfe3e0>
>>> 2025-12-05T10:52:01.473043-06:00 *** ntlm-auth-api-domain[22005]:
>>> post_fork: <function post_fork at 0x7f1a1afa0680>
>>> 2025-12-05T10:52:01.473043-06:00 *** ntlm-auth-api-domain[22005]:
>>> post_worker_init: <function PostWorkerInit.post_worker_init at
>>> 0x7f1a20cfe660>
>>> 2025-12-05T10:52:01.473043-06:00 *** ntlm-auth-api-domain[22005]:
>>> worker_int: <function WorkerInt.worker_int at 0x7f1a20cfe7a0>
>>> 2025-12-05T10:52:01.473043-06:00 *** ntlm-auth-api-domain[22005]:
>>> worker_abort: <function WorkerAbort.worker_abort at 0x7f1a20cfe8e0>
>>> 2025-12-05T10:52:01.476243-06:00 *** ntlm-auth-api-domain[22005]:
>>> pre_exec: <function PreExec.pre_exec at 0x7f1a20cfea20>
>>> 2025-12-05T10:52:01.476243-06:00 *** ntlm-auth-api-domain[22005]:
>>> pre_request: <function PreRequest.pre_request at 0x7f1a20cfeb60>
>>> 2025-12-05T10:52:01.476243-06:00 *** ntlm-auth-api-domain[22005]:
>>> post_request: <function PostRequest.post_request at 0x7f1a20cfec00>
>>> 2025-12-05T10:52:01.476243-06:00 *** ntlm-auth-api-domain[22005]:
>>> child_exit: <function ChildExit.child_exit at 0x7f1a20cfed40>
>>> 2025-12-05T10:52:01.476243-06:00 *** ntlm-auth-api-domain[22005]:
>>> worker_exit: <function worker_exit at 0x7f1a1afa0400>
>>> 2025-12-05T10:52:01.476243-06:00 *** ntlm-auth-api-domain[22005]:
>>> nworkers_changed: <function NumWorkersChanged.nworkers_changed at
>>> 0x7f1a20cfefc0>
>>> 2025-12-05T10:52:01.476243-06:00 *** ntlm-auth-api-domain[22005]:
>>> on_exit: <function on_exit at 0x7f1a1afa0720>
>>> 2025-12-05T10:52:01.476243-06:00 *** ntlm-auth-api-domain[22005]:
>>> proxy_protocol: False
>>> 2025-12-05T10:52:01.476243-06:00 *** ntlm-auth-api-domain[22005]:
>>> proxy_allow_ips: ['127.0.0.1']
>>> 2025-12-05T10:52:01.476243-06:00 *** ntlm-auth-api-domain[22005]:
>>> keyfile: None
>>> 2025-12-05T10:52:01.476243-06:00 *** ntlm-auth-api-domain[22005]:
>>> certfile: None
>>> 2025-12-05T10:52:01.476243-06:00 *** ntlm-auth-api-domain[22005]:
>>> ssl_version: 2
>>> 2025-12-05T10:52:01.476243-06:00 *** ntlm-auth-api-domain[22005]:
>>> cert_reqs: 0
>>> 2025-12-05T10:52:01.476243-06:00 *** ntlm-auth-api-domain[22005]:
>>> ca_certs: None
>>> 2025-12-05T10:52:01.476243-06:00 *** ntlm-auth-api-domain[22005]:
>>> suppress_ragged_eofs: True
>>> 2025-12-05T10:52:01.476243-06:00 *** ntlm-auth-api-domain[22005]:
>>> do_handshake_on_connect: False
>>> 2025-12-05T10:52:01.476243-06:00 *** ntlm-auth-api-domain[22005]:
>>> ciphers: None
>>> 2025-12-05T10:52:01.476243-06:00 *** ntlm-auth-api-domain[22005]:
>>> raw_paste_global_conf: []
>>> 2025-12-05T10:52:01.476243-06:00 *** ntlm-auth-api-domain[22005]:
>>> strip_header_spaces: False
>>> 2025-12-05T10:52:01.476243-06:00 *** ntlm-auth-api-domain[22005]:
>>> tolerate_dangerous_framing: False
>>> 2025-12-05T10:52:01.476243-06:00 *** ntlm-auth-api-domain[22005]:
>>> [2025-12-05 10:52:01 -0600] [7] [INFO] Starting gunicorn 20.1.0
>>> 2025-12-05T10:52:01.476243-06:00 *** ntlm-auth-api-domain[22005]:
>>> [2025-12-05 10:52:01 -0600] [7] [INFO] master process starting, machine
>>> account binding cleanup started.
>>> 2025-12-05T10:52:01.476243-06:00 *** ntlm-auth-api-domain[22005]:
>>> [2025-12-05 10:52:01 -0600] [7] [INFO] cleaning up machine account binding.
>>> 2025-12-05T10:52:01.476243-06:00 *** ntlm-auth-api-domain[22005]:
>>> [2025-12-05 10:52:01 -0600] [7] [DEBUG] cleaning up machine account bind:
>>> key = 'ntlm-auth:ad:machine-account-bind:***'
>>> 2025-12-05T10:52:01.476243-06:00 *** ntlm-auth-api-domain[22005]:
>>> [2025-12-05 10:52:01 -0600] [7] [INFO] machine account binding clean up
>>> done.
>>> 2025-12-05T10:52:01.476243-06:00 *** ntlm-auth-api-domain[22005]:
>>> [2025-12-05 10:52:01 -0600] [7] [INFO] default logger set to
>>> 'gunicorn.error'.
>>> 2025-12-05T10:52:01.476243-06:00 *** ntlm-auth-api-domain[22005]:
>>> [2025-12-05 10:52:01 -0600] [7] [DEBUG] Arbiter booted
>>> 2025-12-05T10:52:01.476243-06:00 *** ntlm-auth-api-domain[22005]:
>>> [2025-12-05 10:52:01 -0600] [7] [INFO] Listening at: http://0.0.0.0:5000
>>> (7)
>>> 2025-12-05T10:52:01.476243-06:00 *** ntlm-auth-api-domain[22005]:
>>> [2025-12-05 10:52:01 -0600] [7] [INFO] Using worker: sync
>>> 2025-12-05T10:52:01.486384-06:00 *** ntlm-auth-api-domain[22005]:
>>> [2025-12-05 10:52:01 -0600] [9] [INFO] Booting worker with pid: 9
>>> 2025-12-05T10:52:01.486512-06:00 *** ntlm-auth-api-domain[22005]:
>>> [2025-12-05 10:52:01 -0600] [9] [INFO] post fork hook: worker spawned with
>>> PID of 9 by master 7
>>> 2025-12-05T10:52:01.490941-06:00 *** ntlm-auth-api-domain[22005]:
>>> [2025-12-05 10:52:01 -0600] [9] [INFO] primary worker is registered on PID:
>>> 9.
>>> 2025-12-05T10:52:01.562009-06:00 *** ntlm-auth-api-domain[22005]:
>>> [2025-12-05 10:52:01 -0600] [7] [DEBUG] 1 workers
>>> 2025-12-05T10:52:03.152078-06:00 *** ntlm-auth-api-domain[22005]:
>>> [2025-12-05 10:52:03 -0600] [9] [DEBUG] cleaning up machine account bind:
>>> key = 'ntlm-auth:ad:machine-account-bind:***'
>>> 2025-12-05T10:52:03.153451-06:00 *** ntlm-auth-api-domain[22005]:
>>> [2025-12-05 10:52:03 -0600] [9] [INFO] successfully registered with machine
>>> account '***', ready to handle requests.
>>> 2025-12-05T10:52:03.167391-06:00 *** ntlm-auth-api-domain[22005]:
>>> [2025-12-05 10:52:03 -0600] [9] [DEBUG] GET /ping
>>> 2025-12-05T10:52:03.171868-06:00 ***
>>> ntlm-auth-api-docker-wrapper[21965]: Checking sub service for domain [ad]:
>>> http://***:5000/ping, response = [pong]. Ready.
>>> 2025-12-05T10:52:13.227760-06:00 *** ntlm-auth-api-domain[22005]:
>>> [2025-12-05 10:52:13 -0600] [9] [DEBUG] GET /ping
>>> 2025-12-05T10:52:23.282132-06:00 *** ntlm-auth-api-domain[22005]:
>>> [2025-12-05 10:52:23 -0600] [9] [DEBUG] GET /ping
>>> 2025-12-05T10:52:33.337577-06:00 *** ntlm-auth-api-domain[22005]:
>>> [2025-12-05 10:52:33 -0600] [9] [DEBUG] GET /ping
>>> 2025-12-05T10:52:43.393777-06:00 *** ntlm-auth-api-domain[22005]:
>>> [2025-12-05 10:52:43 -0600] [9] [DEBUG] GET /ping
>>> 2025-12-05T10:52:53.448908-06:00 *** ntlm-auth-api-domain[22005]:
>>> [2025-12-05 10:52:53 -0600] [9] [DEBUG] GET /ping
>>> 2025-12-05T10:53:03.504960-06:00 *** ntlm-auth-api-domain[22005]:
>>> [2025-12-05 10:53:03 -0600] [9] [DEBUG] GET /ping
>>> 2025-12-05T10:53:13.552310-06:00 *** ntlm-auth-api-domain[22005]:
>>> [2025-12-05 10:53:13 -0600] [9] [DEBUG] GET /ping
>>> 2025-12-05T10:53:23.608954-06:00 *** ntlm-auth-api-domain[22005]:
>>> [2025-12-05 10:53:23 -0600] [9] [DEBUG] GET /ping
>>> 2025-12-05T10:53:33.669311-06:00 *** ntlm-auth-api-domain[22005]:
>>> [2025-12-05 10:53:33 -0600] [9] [DEBUG] GET /ping
>>> 2025-12-05T10:53:43.411873-06:00 *** ntlm-auth-api-domain[22005]:
>>> [2025-12-05 10:53:43 -0600] [9] [DEBUG] POST /ntlm/auth
>>> 2025-12-05T10:53:43.421022-06:00 *** ntlm-auth-api-domain[22005]:
>>> [2025-12-05 10:53:43 -0600] [9] [DEBUG] lp: netbios = ***, realm = ***,
>>> server_str = ***, workgroup = ad
>>> 2025-12-05T10:53:43.421022-06:00 *** ntlm-auth-api-domain[22005]:
>>> [2025-12-05 10:53:43 -0600] [9] [DEBUG] find_dc using dns servers: ***
>>> 2025-12-05T10:53:43.455332-06:00 *** ntlm-auth-api-domain[22005]:
>>> [2025-12-05 10:53:43 -0600] [9] [DEBUG] find dc: pdc_dns_name = ***, e = 0,
>>> m =
>>> 2025-12-05T10:53:43.463161-06:00 *** ntlm-auth-api-domain[22005]:
>>> [2025-12-05 10:53:43 -0600] [9] [DEBUG] establish secure channel, context =
>>> ncacn_np:***[schannel,seal]
>>> 2025-12-05T10:53:43.518233-06:00 *** ntlm-auth-api-domain[22005]:
>>> [2025-12-05 10:53:43 -0600] [9] [DEBUG] secure connection established
>>> successfully.
>>> 2025-12-05T10:53:43.536075-06:00 *** ntlm-auth-api-domain[22005]:
>>> [2025-12-05 10:53:43 -0600] [9] [WARNING] auth failed: user = '***', e =
>>> 3221225506, m = NT Error: code: 3221225506, message: (3221225506, '{Access
>>> Denied} A process has requested access to an object but has not been
>>> granted those access rights.') using ***\***
>>> 2025-12-05T10:53:43.536075-06:00 *** ntlm-auth-api-domain[22005]:
>>> [2025-12-05 10:53:43 -0600] [9] [WARNING] Is this machine account is shared
>>> by another ntlm_auth process (or another cluster node)?
>>> 2025-12-05T10:53:43.539010-06:00 *** ntlm-auth-api-domain[22005]: *** -
>>> - <9> [05/Dec/2025:10:53:43 -0600] "POST /ntlm/auth HTTP/1.1" 400 158 "-"
>>> "-"
>>>
>>>
>>> Mark Amber
>>> _______________________________________________
>>> PacketFence-users mailing list
>>> [email protected]
>>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>>>
>>
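
Added example (not part of the original thread and not PacketFence code): a small Python script that unwraps ntlm-auth-api syslog records in the format quoted above and tallies auth outcomes per domain controller, decoding the numeric `e =` value into its NTSTATUS hex form (3221225506 is 0xC0000022, STATUS_ACCESS_DENIED). The host names, user name and function names are constructed for illustration, and the NTSTATUS table is a small subset.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the wrapped syslog format quoted in this
# thread. Host names, user and NT_KEY are placeholders, not real values.
SAMPLE_LOG = r"""
2025-12-05T17:39:36.905760-06:00 pf-host
ntlm-auth-api-domain[1]: [2025-12-05 17:39:36 -0600] [8] [DEBUG] POST
/ntlm/auth
2025-12-05T17:39:36.927049-06:00 pf-host
ntlm-auth-api-domain[1]: [2025-12-05 17:39:36 -0600] [8] [DEBUG]
establish secure channel, context = ncacn_np:dc02.example.test[schannel,seal]
2025-12-05T17:39:36.949105-06:00 pf-host
ntlm-auth-api-domain[1]: [2025-12-05 17:39:36 -0600] [8] [WARNING]
auth failed: user = 'user1@ad', e = 3221225506, m = NT Error: code:
3221225506, message: (3221225506, '{Access Denied} A process has requested
access to an object but has not been granted those access rights.') using
dc02.example.test\PFNAC$
2025-12-05T17:40:01.211536-06:00 pf-host
ntlm-auth-api-domain[1]: [2025-12-05 17:40:01 -0600] [8] [DEBUG] POST
/ntlm/auth
2025-12-05T17:40:01.234697-06:00 pf-host
ntlm-auth-api-domain[1]: [2025-12-05 17:40:01 -0600] [8] [DEBUG]
establish secure channel, context = ncacn_np:dc01.example.test[schannel,seal]
2025-12-05T17:40:01.255169-06:00 pf-host
ntlm-auth-api-domain[1]: [2025-12-05 17:40:01 -0600] [8] [INFO] Auth
OK 'user1@ad', NT_KEY = 'bb**e1' using
dc01.example.test\PFNAC$
2025-12-05T17:40:34.837223-06:00 pf-host
ntlm-auth-api-domain[1]: [2025-12-05 17:40:34 -0600] [8] [DEBUG] POST
/ntlm/auth
2025-12-05T17:40:34.841217-06:00 pf-host
ntlm-auth-api-domain[1]: [2025-12-05 17:40:34 -0600] [8] [INFO] Auth
OK 'user1@ad', NT_KEY = 'bb**e1' using
dc01.example.test\PFNAC$
"""

# A record starts with an ISO-8601 syslog timestamp; other lines are wraps.
RECORD_START = re.compile(
    r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+[+-]\d{2}:\d{2} ")
NEW_CHANNEL = re.compile(
    r"establish secure channel, context = ncacn_np:(?P<dc>[^\[\s]+)\[")
AUTH_OK = re.compile(
    r"Auth OK '(?P<user>[^']*)'.* using (?P<dc>[^\\\s]+)\\(?P<acct>\S+)")
AUTH_FAIL = re.compile(
    r"auth failed: user = '(?P<user>[^']*)', e = (?P<code>\d+),"
    r".* using (?P<dc>[^\\\s]+)\\(?P<acct>\S+)")

# Subset of well-known NTSTATUS values; anything else is labelled "unknown".
NTSTATUS = {
    0xC0000022: "STATUS_ACCESS_DENIED",
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}


def ntstatus_label(code):
    """Render the decimal 'e =' value as hex plus its symbolic name."""
    return f"0x{code:08X} {NTSTATUS.get(code, 'unknown')}"


def unwrap(text):
    """Join mail-wrapped (and optionally '>'-quoted) lines into records."""
    records = []
    for line in text.splitlines():
        line = line.lstrip("> ").strip()
        if not line:
            continue
        if RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def summarize(text):
    """Tally new secure channels and auth outcomes per domain controller."""
    per_dc = defaultdict(
        lambda: {"ok": 0, "failed": 0, "new_channels": 0, "codes": {}})
    for rec in unwrap(text):
        if m := NEW_CHANNEL.search(rec):
            per_dc[m["dc"]]["new_channels"] += 1
        elif m := AUTH_OK.search(rec):
            per_dc[m["dc"]]["ok"] += 1
        elif m := AUTH_FAIL.search(rec):
            entry = per_dc[m["dc"]]
            entry["failed"] += 1
            label = ntstatus_label(int(m["code"]))
            entry["codes"][label] = entry["codes"].get(label, 0) + 1
    return dict(per_dc)


if __name__ == "__main__":
    for dc, stats in sorted(summarize(SAMPLE_LOG).items()):
        print(dc, stats)
```

The tally keys on the `using <dc>\<account>` field, so requests served over an already-established secure channel (no `find dc` or `establish secure channel` lines before them) are still attributed to the right domain controller.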