Dear Nick,

Thank you so much for the helpful information, and it is very much appreciated that you have confirmed AD Auth works on 15.0, at least for you. Yes, we are just talking about classical AD.

I can confirm that I have cleaned up stripping on all realms. That was just an attempt to prove that it was at least possible, but TTLS - PAP is the only way to make that work and it is not viable. So I undid all that nonsense.

I can confirm that I never 'joined' the PacketFence to the domain in any other way than with the PacketFence UI.

My hostname is actually not changing though - I was not under the impression that the computer account name needed to match the actual hostname. My hostname is too long for a Windows computer account, and that makes me think I should try and rectify that and see if it helps. Especially since they allow multiple machine accounts per computer, it would seem that using or changing the hostname is not relevant here, but I suppose it is worth a try.

raddebug -t 300 -f /usr/local/pf/var/run/radiusd.sock is not installed on my installation. Maybe this is new to the 15.0 ISO. Or maybe I have a bad corrupt install?

Have you seen my latest message that I am now (again) able to authenticate, but only when it randomly selects one of my 4x AD servers? It is very interesting.

I will try a fresh install and if it works then migrate everything over. In fact I will try from packages. Can you comment on if you are using Red Hat or Debian?

I also ran an apt update and upgrade and noticed a few new packages updated from November to December, so I did that and ran the pfcmd restart to get all my services back up and running, and took note of a possible change in the ntlm-auth package but could not find corresponding commits in GitHub.

Hoping this new information about the one working AD server uncovers some additional insight, but as of now my next step will be to install another PacketFence VM and try again from scratch.

Thanks Again!

Sincerely,
Mark Amber

On Fri, Dec 5, 2025 at 6:27 PM Madunich, Nicholas <[email protected]> wrote:

> Mark
>
> I can confirm that AD authentication is working in 15.0 but I install from packages on existing Linux, not the ISO. I am going to assume you are using classic Active Directory; if you are using Entra/Azure AD this won't apply to your setup.
>
> Make sure to set the NULL and default realm to use the domain you created and don't use stripping on these realms. You should enable stripping on any other realm; it only affects the username, it has nothing to do with the password. Stripping allows for different username formats like the following:
>
> acme\username - Realm acme
> [email protected] - Realm acme.com
> username - Realm NULL
>
> In each of these cases the stripped username will be sent as "username", which should match the sAMAccountName.
>
> I don't use Sticky DC but you will want to use FQDN, and with some fields in the web GUI after typing your entry you have to hit enter to save it.
>
> For troubleshooting, look at running RADIUS debugging while you try to authenticate and it might provide some more information. Also check the Auditing section in the PacketFence web GUI.
>
> https://www.packetfence.org/doc/PacketFence_Installation_Guide.html#_radius_debugging
> raddebug -t 300 -f /usr/local/pf/var/run/radiusd.sock
>
> Are you joining the OS to the domain before you join it in PacketFence? I only use the PacketFence GUI for joining the domain and then use local logins for ssh access. You mentioned trying different computer names and passwords; are you changing the hostname in the OS as well? I always delete out the old objects in AD before trying to rejoin the domain. I think with a fresh install from the ISO, cleaning up AD and stripping the realms, those NTLM errors will go away.
>
> Nick Madunich
> IT System Administrator
> (509)359-4964
> [email protected]
>
> ------------------------------
> *From:* Mark Amber via PacketFence-users <[email protected]>
> *Sent:* Friday, December 5, 2025 10:57 AM
> *To:* [email protected] <[email protected]>
> *Cc:* Mark Amber <[email protected]>
> *Subject:* [PacketFence-users] NTLM Auth issues - Help setting up AD Radius 802.1x
>
> Hello
>
> I am having difficulty with setting up AD authentication for Radius. I am looking for assistance. I believe my issue is on the side of the AD servers but I have very little insight into what could be going on or what help tools are available to run and test on the host. What I just did was recreate this issue:
>
> I am in a *non*-clustered (standalone packetfence) environment, v 15.0.0. Installed from the ISO recently.
>
> I am trying to base my work on these sections of the docs
>
> https://www.packetfence.org/doc/PacketFence_Installation_Guide.html#_connecting_packetfence_to_microsoft_active_directory
>
> https://www.packetfence.org/doc/PacketFence_Installation_Guide.html#_microsoft_active_directory_ad
>
> There are issues with these docs - for instance the testing command does not exist anymore
>
> spladmin@uspwk1-netops-pf:~$ /usr/local/pf/bin/ntlm_auth_wrapper --username=mark
> /usr/local/pf/bin/ntlm_auth_wrapper: unrecognized option '--username=mark'
> Try `ntlm_auth_wrapper --help' or `ntlm_auth_wrapper --usage' for more information.
>
> 1. Remove any / old Active Directory Domains items
> 2. Restart ntlm-auth-api and radiusd-auth
> 3. Restart packetfence entirely
> 4. Clear browser cache (there is a bug where the client will prevent adding new AD sources with the same name I observe)
> 5. Add back the AD join, with a new computer account name, and new computer account password - no errors! it adds the machine account to my AD (See logs)
> 6. Start ntlm-auth-api and restart radiusd-auth (see logs)
> 7. Create an AD Authentication source and enter a binding user, test it and it works.
> 8. Set the realms up to use the NTLM and test radius and it does not work.
>
> What I do know - there is another 'hacky' way I can get this to work by setting packetfence to strip the username and password and look up the user over LDAPS - when I turn on stripping in the realms and use TTLS-PAP on a mac and enter my sAMAccountName and password in a radius tester I get Action-Accept. I can observe it knows the proper username/password and there is no firewall/router between these hosts.
>
> But when that realm is set up per the guide using the 'domain' rather than funneling via AD as an LDAP server 'hack', which is how it should be set up - I get issues (see logs below)
>
> Also the 'Sticky DC' field does not seem to honor a hostname, or I do not know, maybe I need to use DC=X,DC=Y type format there. But now even the single AD server which was working is also not working. I mention this because for a while only one of the AD servers worked and I could see accept messages from it but failures from the other 3. So I went down that rabbit hole. But now the latest attempt none of them work so it is moot.
>
> The main warnings are [sic]:
>
> Is this machine account is shared by another ntlm_auth process (or another cluster node)?
>
> and
>
> {Access Denied} A process has requested access to an object but has not been granted those access rights.'
>
> I have seen several threads about this which related to the following and gone down that rabbit hole without any success:
>
> 1. https://github.com/inverse-inc/packetfence/issues/8370 - solutions such as ones related to clustered environments, and also bad machine account password were raised
> 2. https://sourceforge.net/p/packetfence/mailman/packetfence-users/thread/sj2pr02mb100520bf1b55cf2f6a3a5ab31a2...@sj2pr02mb10052.namprd02.prod.outlook.com/ - no response
> 3.
> https://www.reddit.com/r/PacketFence/comments/1iv3i9t/cant_get_pf_joined_to_the_domain/ - NTLM v2 - tried this no help
> 4. https://sourceforge.net/p/packetfence/mailman/packetfence-users/thread/0d8be4356ac2efbe0656141bb26338da%40mail.gmail.com/#msg59228778 seemed like user error - not too relevant maybe
>
> Here are some scrubbed logs removing my hostnames but might have been overzealous in scrubbing these please let me know if anything needs to be cleared up:
>
> 2025-12-05T10:51:58.370841-06:00 *** ntlm-auth-api-docker-wrapper[21965]: Checking sub service for domain [ad]: http://***:5000/ping, response = []. Not ready. Skipped checking for other domains.
> 2025-12-05T10:51:59.429186-06:00 *** ntlm-auth-api-docker-wrapper[21965]: Checking sub service for domain [ad]: http://***:5000/ping, response = []. Not ready. Skipped checking for other domains.
> 2025-12-05T10:52:00.424741-06:00 *** ntlm-auth-api-domain[22005]: [2025-12-05 10:52:00 -0600] [7] [INFO] ntlm-auth-api@ad is starting on port 5000.
> 2025-12-05T10:52:00.426231-06:00 *** ntlm-auth-api-domain[22005]: [2025-12-05 10:52:00 -0600] [7] [DEBUG] loading domain config from /usr/local/pf/conf/domain.conf
> 2025-12-05T10:52:00.426231-06:00 *** ntlm-auth-api-domain[22005]: [2025-12-05 10:52:00 -0600] [7] [INFO] Load database config from /usr/local/pf/var/conf/ntlm-auth-api.d/db.ini
> 2025-12-05T10:52:00.426231-06:00 *** ntlm-auth-api-domain[22005]: [2025-12-05 10:52:00 -0600] [7] [DEBUG] using cache: redis://***:6379
> 2025-12-05T10:52:00.426231-06:00 *** ntlm-auth-api-domain[22005]: [2025-12-05 10:52:00 -0600] [7] [INFO] database config: ***
> 2025-12-05T10:52:00.426231-06:00 *** ntlm-auth-api-domain[22005]: [2025-12-05 10:52:00 -0600] [7] [INFO] starting ntlm-auth-api@*** ad
> 2025-12-05T10:52:00.472661-06:00 *** ntlm-auth-api-docker-wrapper[21965]: Checking sub service for domain [ad]: http://***:5000/ping, response = []. Not ready. Skipped checking for other domains.
> 2025-12-05T10:52:01.439482-06:00 *** ntlm-auth-api-domain[22005]: [2025-12-05 10:52:01 -0600] [7] [DEBUG] AD FQDN: *** resolved with IP: ***.
> 2025-12-05T10:52:01.439482-06:00 *** ntlm-auth-api-domain[22005]: [2025-12-05 10:52:01 -0600] [7] [DEBUG] NTLM Auth API started with the following parameters:
> 2025-12-05T10:52:01.439482-06:00 *** ntlm-auth-api-domain[22005]: [2025-12-05 10:52:01 -0600] [7] [DEBUG] ad_fqdn ***
> 2025-12-05T10:52:01.439482-06:00 *** ntlm-auth-api-domain[22005]: [2025-12-05 10:52:01 -0600] [7] [DEBUG] ad_server ***
> 2025-12-05T10:52:01.440801-06:00 *** ntlm-auth-api-domain[22005]: [2025-12-05 10:52:01 -0600] [7] [DEBUG] server_name ***
> 2025-12-05T10:52:01.440801-06:00 *** ntlm-auth-api-domain[22005]: [2025-12-05 10:52:01 -0600] [7] [DEBUG] server_name (parsed) ***
> 2025-12-05T10:52:01.440801-06:00 *** ntlm-auth-api-domain[22005]: [2025-12-05 10:52:01 -0600] [7] [DEBUG] dns_name ***
> 2025-12-05T10:52:01.440801-06:00 *** ntlm-auth-api-domain[22005]: [2025-12-05 10:52:01 -0600] [7] [DEBUG] workgroup ad
> 2025-12-05T10:52:01.440801-06:00 *** ntlm-auth-api-domain[22005]: [2025-12-05 10:52:01 -0600] [7] [DEBUG] machine_account_password ***
> 2025-12-05T10:52:01.440801-06:00 *** ntlm-auth-api-domain[22005]: [2025-12-05 10:52:01 -0600] [7] [DEBUG] dns_servers ***
> 2025-12-05T10:52:01.440801-06:00 *** ntlm-auth-api-domain[22005]: [2025-12-05 10:52:01 -0600] [7] [DEBUG] nt_key_cache_enabled disabled
> 2025-12-05T10:52:01.440801-06:00 *** ntlm-auth-api-domain[22005]: [2025-12-05 10:52:01 -0600] [7] [DEBUG] nt_key_cache_expire 12000
> 2025-12-05T10:52:01.440801-06:00 *** ntlm-auth-api-domain[22005]: [2025-12-05 10:52:01 -0600] [7] [DEBUG] NT Key cache enabled: False
> 2025-12-05T10:52:01.441692-06:00 *** ntlm-auth-api-domain[22005]: [2025-12-05 10:52:01 -0600] [7] [DEBUG] loaded global variables
> 2025-12-05T10:52:01.441692-06:00 *** ntlm-auth-api-domain[22005]: [2025-12-05 10:52:01 -0600] [7] [DEBUG] ---- Domain profile settings ----
> 2025-12-05T10:52:01.441692-06:00 *** ntlm-auth-api-domain[22005]: [2025-12-05 10:52:01 -0600] [7] [DEBUG] global_vars.c_server_name ***
> 2025-12-05T10:52:01.441692-06:00 *** ntlm-auth-api-domain[22005]: [2025-12-05 10:52:01 -0600] [7] [DEBUG] global_vars.c_ad_server ***
> 2025-12-05T10:52:01.442060-06:00 *** ntlm-auth-api-domain[22005]: [2025-12-05 10:52:01 -0600] [7] [DEBUG] global_vars.c_realm ***
> 2025-12-05T10:52:01.442060-06:00 *** ntlm-auth-api-domain[22005]: [2025-12-05 10:52:01 -0600] [7] [DEBUG] global_vars.c_workgroup ad
> 2025-12-05T10:52:01.442312-06:00 *** ntlm-auth-api-domain[22005]: [2025-12-05 10:52:01 -0600] [7] [DEBUG] global_vars.c_username ***
> 2025-12-05T10:52:01.442439-06:00 *** ntlm-auth-api-domain[22005]: [2025-12-05 10:52:01 -0600] [7] [DEBUG] global_vars.c_password ***
> 2025-12-05T10:52:01.442439-06:00 *** ntlm-auth-api-domain[22005]: [2025-12-05 10:52:01 -0600] [7] [DEBUG] global_vars.c_additional_machine_accounts 0
> 2025-12-05T10:52:01.442627-06:00 *** ntlm-auth-api-domain[22005]: [2025-12-05 10:52:01 -0600] [7] [DEBUG] global_vars.c_netbios_name ***
> 2025-12-05T10:52:01.443031-06:00 *** ntlm-auth-api-domain[22005]: [2025-12-05 10:52:01 -0600] [7] [DEBUG] global_vars.c_workstation ***
> 2025-12-05T10:52:01.443031-06:00 *** ntlm-auth-api-domain[22005]: [2025-12-05 10:52:01 -0600] [7] [DEBUG] global_vars.c_server_string ***
> 2025-12-05T10:52:01.443031-06:00 *** ntlm-auth-api-domain[22005]: [2025-12-05 10:52:01 -0600] [7] [DEBUG] global_vars.c_domain ad
> 2025-12-05T10:52:01.443501-06:00 *** ntlm-auth-api-domain[22005]: [2025-12-05 10:52:01 -0600] [7] [DEBUG] global_vars.c_dns_servers ***
> 2025-12-05T10:52:01.443501-06:00 *** ntlm-auth-api-domain[22005]: [2025-12-05 10:52:01 -0600] [7] [DEBUG] ---- NT Key cache ----
> 2025-12-05T10:52:01.443501-06:00 *** ntlm-auth-api-domain[22005]: [2025-12-05 10:52:01 -0600] [7] [DEBUG] global_vars.c_nt_key_cache_enabled False
> 2025-12-05T10:52:01.443770-06:00 *** ntlm-auth-api-domain[22005]: [2025-12-05 10:52:01 -0600] [7] [DEBUG] global_vars.c_nt_key_cache_expire 12000
> 2025-12-05T10:52:01.443770-06:00 *** ntlm-auth-api-domain[22005]: [2025-12-05 10:52:01 -0600] [7] [DEBUG] global_vars.c_ad_account_lockout_threshold 0
> 2025-12-05T10:52:01.443996-06:00 *** ntlm-auth-api-domain[22005]: [2025-12-05 10:52:01 -0600] [7] [DEBUG] global_vars.c_ad_account_lockout_duration 30
> 2025-12-05T10:52:01.443996-06:00 *** ntlm-auth-api-domain[22005]: [2025-12-05 10:52:01 -0600] [7] [DEBUG] global_vars.c_ad_reset_account_lockout_counter_after 30
> 2025-12-05T10:52:01.444188-06:00 *** ntlm-auth-api-domain[22005]: [2025-12-05 10:52:01 -0600] [7] [DEBUG] global_vars.c_ad_old_password_allowed_period 60
> 2025-12-05T10:52:01.444188-06:00 *** ntlm-auth-api-domain[22005]: [2025-12-05 10:52:01 -0600] [7] [DEBUG] global_vars.c_max_allowed_password_attempts_per_device 0
> 2025-12-05T10:52:01.444188-06:00 *** ntlm-auth-api-domain[22005]: [2025-12-05 10:52:01 -0600] [7] [DEBUG] ---- Database ----
> 2025-12-05T10:52:01.444188-06:00 *** ntlm-auth-api-domain[22005]: [2025-12-05 10:52:01 -0600] [7] [DEBUG] global_vars.c_db_host localhost
> 2025-12-05T10:52:01.444555-06:00 *** ntlm-auth-api-domain[22005]: [2025-12-05 10:52:01 -0600] [7] [DEBUG] global_vars.c_db_port 3306
> 2025-12-05T10:52:01.444555-06:00 *** ntlm-auth-api-domain[22005]: [2025-12-05 10:52:01 -0600] [7] [DEBUG] global_vars.c_db_user ***
> 2025-12-05T10:52:01.444555-06:00 *** ntlm-auth-api-domain[22005]: [2025-12-05 10:52:01 -0600] [7] [DEBUG] global_vars.c_db_pass ***
> 2025-12-05T10:52:01.444806-06:00 *** ntlm-auth-api-domain[22005]: [2025-12-05 10:52:01 -0600] [7] [DEBUG] global_vars.c_db ***
> 2025-12-05T10:52:01.444904-06:00 *** ntlm-auth-api-domain[22005]: [2025-12-05 10:52:01 -0600] [7] [DEBUG] global_vars.c_db_unix_socket /var/lib/mysql/mysql.sock
> 2025-12-05T10:52:01.445186-06:00 *** ntlm-auth-api-domain[22005]: [2025-12-05 10:52:01 -0600] [7] [DEBUG] ---- Multi workers ----
> 2025-12-05T10:52:01.445575-06:00 *** ntlm-auth-api-domain[22005]: [2025-12-05 10:52:01 -0600] [7] [DEBUG] global_vars.c_cache_host ***
> 2025-12-05T10:52:01.445575-06:00 *** ntlm-auth-api-domain[22005]: [2025-12-05 10:52:01 -0600] [7] [DEBUG] global_vars.c_cache_port 6379
> 2025-12-05T10:52:01.445895-06:00 *** ntlm-auth-api-domain[22005]: [2025-12-05 10:52:01 -0600] [7] [DEBUG] global_vars.s_computer_account_base ***
> 2025-12-05T10:52:01.473043-06:00 *** ntlm-auth-api-domain[22005]: [2025-12-05 10:52:01 -0600] [7] [DEBUG] Current configuration:
> 2025-12-05T10:52:01.476243-06:00 *** ntlm-auth-api-domain[22005]: [2025-12-05 10:52:01 -0600] [7] [INFO] Starting gunicorn 20.1.0
> 2025-12-05T10:52:01.476243-06:00 *** ntlm-auth-api-domain[22005]: [2025-12-05 10:52:01 -0600] [7] [INFO] master process starting, machine account binding cleanup started.
> 2025-12-05T10:52:01.476243-06:00 *** ntlm-auth-api-domain[22005]: [2025-12-05 10:52:01 -0600] [7] [INFO] cleaning up machine account binding.
> 2025-12-05T10:52:01.476243-06:00 *** ntlm-auth-api-domain[22005]: [2025-12-05 10:52:01 -0600] [7] [DEBUG] cleaning up machine account bind: key = 'ntlm-auth:ad:machine-account-bind:***'
> 2025-12-05T10:52:01.476243-06:00 *** ntlm-auth-api-domain[22005]: [2025-12-05 10:52:01 -0600] [7] [INFO] machine account binding clean up done.
> 2025-12-05T10:52:01.476243-06:00 *** ntlm-auth-api-domain[22005]: [2025-12-05 10:52:01 -0600] [7] [INFO] default logger set to 'gunicorn.error'.
> 2025-12-05T10:52:01.476243-06:00 *** ntlm-auth-api-domain[22005]: [2025-12-05 10:52:01 -0600] [7] [DEBUG] Arbiter booted
> 2025-12-05T10:52:01.476243-06:00 *** ntlm-auth-api-domain[22005]: [2025-12-05 10:52:01 -0600] [7] [INFO] Listening at: http://0.0.0.0:5000 (7)
> 2025-12-05T10:52:01.476243-06:00 *** ntlm-auth-api-domain[22005]: [2025-12-05 10:52:01 -0600] [7] [INFO] Using worker: sync
> 2025-12-05T10:52:01.486384-06:00 *** ntlm-auth-api-domain[22005]: [2025-12-05 10:52:01 -0600] [9] [INFO] Booting worker with pid: 9
> 2025-12-05T10:52:01.486512-06:00 *** ntlm-auth-api-domain[22005]: [2025-12-05 10:52:01 -0600] [9] [INFO] post fork hook: worker spawned with PID of 9 by master 7
> 2025-12-05T10:52:01.490941-06:00 *** ntlm-auth-api-domain[22005]: [2025-12-05 10:52:01 -0600] [9] [INFO] primary worker is registered on PID: 9.
> 2025-12-05T10:52:01.562009-06:00 *** ntlm-auth-api-domain[22005]: [2025-12-05 10:52:01 -0600] [7] [DEBUG] 1 workers
> 2025-12-05T10:52:03.152078-06:00 *** ntlm-auth-api-domain[22005]: [2025-12-05 10:52:03 -0600] [9] [DEBUG] cleaning up machine account bind: key = 'ntlm-auth:ad:machine-account-bind:***'
> 2025-12-05T10:52:03.153451-06:00 *** ntlm-auth-api-domain[22005]: [2025-12-05 10:52:03 -0600] [9] [INFO] successfully registered with machine account '***', ready to handle requests.
> 2025-12-05T10:52:03.167391-06:00 *** ntlm-auth-api-domain[22005]: [2025-12-05 10:52:03 -0600] [9] [DEBUG] GET /ping
> 2025-12-05T10:52:03.171868-06:00 *** ntlm-auth-api-docker-wrapper[21965]: Checking sub service for domain [ad]: http://***:5000/ping, response = [pong]. Ready.
> 2025-12-05T10:52:13.227760-06:00 *** ntlm-auth-api-domain[22005]: [2025-12-05 10:52:13 -0600] [9] [DEBUG] GET /ping
> 2025-12-05T10:52:23.282132-06:00 *** ntlm-auth-api-domain[22005]: [2025-12-05 10:52:23 -0600] [9] [DEBUG] GET /ping
> 2025-12-05T10:52:33.337577-06:00 *** ntlm-auth-api-domain[22005]: [2025-12-05 10:52:33 -0600] [9] [DEBUG] GET /ping
> 2025-12-05T10:52:43.393777-06:00 *** ntlm-auth-api-domain[22005]: [2025-12-05 10:52:43 -0600] [9] [DEBUG] GET /ping
> 2025-12-05T10:52:53.448908-06:00 *** ntlm-auth-api-domain[22005]: [2025-12-05 10:52:53 -0600] [9] [DEBUG] GET /ping
> 2025-12-05T10:53:03.504960-06:00 *** ntlm-auth-api-domain[22005]: [2025-12-05 10:53:03 -0600] [9] [DEBUG] GET /ping
> 2025-12-05T10:53:13.552310-06:00 *** ntlm-auth-api-domain[22005]: [2025-12-05 10:53:13 -0600] [9] [DEBUG] GET /ping
> 2025-12-05T10:53:23.608954-06:00 *** ntlm-auth-api-domain[22005]: [2025-12-05 10:53:23 -0600] [9] [DEBUG] GET /ping
> 2025-12-05T10:53:33.669311-06:00 *** ntlm-auth-api-domain[22005]: [2025-12-05 10:53:33 -0600] [9] [DEBUG] GET /ping
> 2025-12-05T10:53:43.411873-06:00 *** ntlm-auth-api-domain[22005]: [2025-12-05 10:53:43 -0600] [9] [DEBUG] POST /ntlm/auth
> 2025-12-05T10:53:43.421022-06:00 *** ntlm-auth-api-domain[22005]: [2025-12-05 10:53:43 -0600] [9] [DEBUG] lp: netbios = ***, realm = ***, server_str = ***, workgroup = ad
> 2025-12-05T10:53:43.421022-06:00 *** ntlm-auth-api-domain[22005]: [2025-12-05 10:53:43 -0600] [9] [DEBUG] find_dc using dns servers: ***
> 2025-12-05T10:53:43.455332-06:00 *** ntlm-auth-api-domain[22005]: [2025-12-05 10:53:43 -0600] [9] [DEBUG] find dc: pdc_dns_name = ***, e = 0, m =
> 2025-12-05T10:53:43.463161-06:00 *** ntlm-auth-api-domain[22005]: [2025-12-05 10:53:43 -0600] [9] [DEBUG] establish secure channel, context = ncacn_np:***[schannel,seal]
> 2025-12-05T10:53:43.518233-06:00 *** ntlm-auth-api-domain[22005]: [2025-12-05 10:53:43 -0600] [9] [DEBUG] secure connection established successfully.
> 2025-12-05T10:53:43.536075-06:00 *** ntlm-auth-api-domain[22005]: [2025-12-05 10:53:43 -0600] [9] [WARNING] auth failed: user = '***', e = 3221225506, m = NT Error: code: 3221225506, message: (3221225506, '{Access Denied} A process has requested access to an object but has not been granted those access rights.') using ***\***
> 2025-12-05T10:53:43.536075-06:00 *** ntlm-auth-api-domain[22005]: [2025-12-05 10:53:43 -0600] [9] [WARNING] Is this machine account is shared by another ntlm_auth process (or another cluster node)?
> 2025-12-05T10:53:43.539010-06:00 *** ntlm-auth-api-domain[22005]: *** - - <9> [05/Dec/2025:10:53:43 -0600] "POST /ntlm/auth HTTP/1.1" 400 158 "-" "-"
>
> Mark Amber
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
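
An added triage example for the ntlm-auth-api log quoted in this thread; it is not PacketFence code and not part of any message. It pulls out each "auth failed" entry, converts the decimal `e` value to its NTSTATUS hex form and name, and records whether the same worker had already logged a successful secure channel. The sample lines are copied from the scrubbed log above with the mail wrapping removed; the status-name table is a hand-picked subset, and treating `e` as an NTSTATUS value is an assumption based on the "NT Error" text.

```python
import re
from dataclasses import dataclass

# Copied from the scrubbed log in the thread, mail wrapping removed.
SAMPLE_LOG = r"""
2025-12-05T10:53:43.411873-06:00 *** ntlm-auth-api-domain[22005]: [2025-12-05 10:53:43 -0600] [9] [DEBUG] POST /ntlm/auth
2025-12-05T10:53:43.463161-06:00 *** ntlm-auth-api-domain[22005]: [2025-12-05 10:53:43 -0600] [9] [DEBUG] establish secure channel, context = ncacn_np:***[schannel,seal]
2025-12-05T10:53:43.518233-06:00 *** ntlm-auth-api-domain[22005]: [2025-12-05 10:53:43 -0600] [9] [DEBUG] secure connection established successfully.
2025-12-05T10:53:43.536075-06:00 *** ntlm-auth-api-domain[22005]: [2025-12-05 10:53:43 -0600] [9] [WARNING] auth failed: user = '***', e = 3221225506, m = NT Error: code: 3221225506, message: (3221225506, '{Access Denied} A process has requested access to an object but has not been granted those access rights.') using ***\***
2025-12-05T10:53:43.536075-06:00 *** ntlm-auth-api-domain[22005]: [2025-12-05 10:53:43 -0600] [9] [WARNING] Is this machine account is shared by another ntlm_auth process (or another cluster node)?
"""

# Hand-picked NTSTATUS values often seen on rejected logons (assumed subset).
NTSTATUS_NAMES = {
    0xC0000022: "STATUS_ACCESS_DENIED",
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
    0xC000018B: "STATUS_NO_TRUST_SAM_ACCOUNT",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}

# "[timestamp] [worker pid] [LEVEL] message" as written by the API workers.
ENTRY = re.compile(r"\[(?P<ts>[^\]]+)\] \[(?P<pid>\d+)\] \[(?P<level>[A-Z]+)\] (?P<msg>.*)")
AUTH_FAILED = re.compile(r"auth failed: user = '(?P<user>[^']*)', e = (?P<code>\d+)")


@dataclass
class Failure:
    ts: str
    pid: int
    user: str
    code: int
    status: str            # hex NTSTATUS plus symbolic name
    channel_ok: bool       # worker logged a successful secure channel earlier
    shared_hint: bool = False  # "machine account is shared" warning followed


def decode_ntstatus(code):
    """Render a decimal NT error as hex plus its name, if it is in the table."""
    return f"0x{code:08X} {NTSTATUS_NAMES.get(code, 'unknown NTSTATUS')}"


def triage(lines):
    """Return one Failure per 'auth failed' entry, in log order."""
    failures, channel_ok, last = [], {}, {}
    for line in lines:
        entry = ENTRY.search(line)
        if entry is None:
            continue  # wrapper, access-log and other lines without the prefix
        pid, msg = int(entry["pid"]), entry["msg"]
        if msg.startswith("establish secure channel"):
            channel_ok[pid] = False  # attempt started, outcome not yet known
        elif msg.startswith("secure connection established"):
            channel_ok[pid] = True
        elif msg.startswith("Is this machine account is shared"):
            if pid in last:
                last[pid].shared_hint = True  # belongs to the preceding failure
        else:
            hit = AUTH_FAILED.search(msg)
            if hit:
                code = int(hit["code"])
                last[pid] = Failure(entry["ts"], pid, hit["user"], code,
                                    decode_ntstatus(code), channel_ok.get(pid, False))
                failures.append(last[pid])
    return failures


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f"{f.ts} worker={f.pid} user={f.user} {f.status} "
              f"secure_channel={f.channel_ok} shared_account_warning={f.shared_hint}")
```

A failure reported with `channel_ok` true means the DC lookup and secure channel setup had already succeeded in the log when the logon itself was rejected.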
