Alan DeKok wrote:

>    What's so special about machine authentication?

I spent days and days trying to get this working. It won't happen without, at the very least, cooperation from the Samba group.

Here's what I've been able to figure out so far (before I gave up as other things needed my attention). Windows Domain Controllers refuse to disclose the session key for Workstation/Server accounts. For user accounts, the NT key is provided. For machine accounts, though, you can't properly build an MSCHAPv2 response since you have no way of getting the NT key. I have been unable to find ANY API to handle this. I was, in fact, very interested and curious when Funk added that feature to their RADIUS implementation (which was fairly recently IIRC).

I hacked and hacked to try to get it working under FreeRADIUS. I had to rewrite portions of ntlm_auth to get it to return a success (instead of a LOGON_OK_WORKSTATION_TRUST_ACCOUNT, I think it was), and some other things, like providing a fake NT key of all 0s. With all of this, I *was* able to get the domain to say "Yup, that was a correct password", but I never was able to get FreeRADIUS to build a proper MSCHAPv2 response since it didn't have the final bit (NT Key) necessary to do so. It was quite frustrating.

>   I'm sad to hear that.

I was sad to have to do it.  :)

>   Let's see what we can do to make IAS unnecessary.

I'd love to, but it will very definitely be an uphill battle.

--Mike

-----------------------------------
Michael Griego
Wireless LAN Project Manager
The University of Texas at Dallas
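As an added illustration of why the withheld NT key is fatal (this is example code, not code from the message, from ntlm_auth or from FreeRADIUS): the authenticator response in the MS-CHAPv2 Success packet is derived from that 16-byte value per RFC 2759, so an all-zero stand-in produces a response the client will reject. The challenge, NT-Response and key bytes below are constructed sample values.

```python
import hashlib

# Constants from RFC 2759 GenerateAuthenticatorResponse()
MAGIC1 = b"Magic server to client signing constant"
MAGIC2 = b"Pad to make it do more than one iteration"


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: bytes) -> bytes:
    """ChallengeHash() from RFC 2759: first 8 bytes of SHA1(peer || authenticator || user)."""
    return hashlib.sha1(peer_challenge + auth_challenge + username).digest()[:8]


def authenticator_response(nt_key: bytes, nt_response: bytes, peer_challenge: bytes,
                           auth_challenge: bytes, username: bytes) -> str:
    """GenerateAuthenticatorResponse() from RFC 2759.

    nt_key is the 16-byte MD4 of the NT password hash (PasswordHashHash). This is the
    value the server side needs after the DC has validated NT-Response; for user
    accounts the DC returns it, for machine accounts it does not, and nothing else in
    the exchange can stand in for it.
    """
    if len(nt_key) != 16 or len(nt_response) != 24:
        raise ValueError("nt_key must be 16 bytes and NT-Response 24 bytes")
    digest = hashlib.sha1(nt_key + nt_response + MAGIC1).digest()
    chash = challenge_hash(peer_challenge, auth_challenge, username)
    # Success packet carries "S=" followed by 40 uppercase hex digits
    return "S=" + hashlib.sha1(digest + chash + MAGIC2).hexdigest().upper()


def demo() -> tuple:
    """Compare the response built with a real key against the all-zero fake key."""
    # Constructed sample values, not captured from any real exchange
    peer_challenge = bytes(range(16))
    auth_challenge = bytes(range(16, 32))
    username = b"host/workstation01$"          # machine-account style name (constructed)
    nt_response = bytes(range(24))              # constructed; a real one comes from the client
    real_key = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed stand-in
    fake_key = bytes(16)                        # the all-zero NT key described in the message
    good = authenticator_response(real_key, nt_response, peer_challenge, auth_challenge, username)
    bad = authenticator_response(fake_key, nt_response, peer_challenge, auth_challenge, username)
    return good, bad


if __name__ == "__main__":
    good, bad = demo()
    print("real key :", good)
    print("zero key :", bad, "(client will reject this)")
```

The client recomputes the same value with the real PasswordHashHash, so the two strings must match exactly for the EAP session to complete; with a fabricated key they never will.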

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
