3.74. <AuthBy NTLM>

This clause authenticates against a Windows Domain Controller, using the ntlm_auth program, which is part of the Samba suite. For more information, see the Samba website. ntlm_auth runs on all Unix and Linux platforms, and therefore <AuthBy NTLM> can be used on Unix or Linux to authenticate to a Windows Domain Controller.
<AuthBy NTLM> supports PAP, MSCHAP, MSCHAPV2 and EAP-MSCHAPV2 authentication. CHAP is not supported due to limitations in the Windows support for CHAP authentication.
<AuthBy NTLM> requires that ntlm_auth and winbindd, both part of Samba, are installed and configured correctly. See goodies/smb.conf.winbindd for sample configuration and installation hints.
<AuthBy NTLM> runs the Samba utility ntlm_auth as a child process in order to authenticate requests. It keeps ntlm_auth running between requests and passes it authentication information on stdin, and gets back the authentication results from stdout.
Because AuthBy NTLM requires that ntlm_auth be properly installed and configured with winbindd, it is vitally important that you confirm that ntlm_auth is working properly before trying to use AuthBy NTLM. You can test ntlm_auth like this:
ntlm_auth --username=yourusername --domain=yourdomain --password=yourpassword
If that does not work for a valid user name and password, there is no way that AuthBy NTLM will work. Make sure ntlm_auth works first!
CAUTION
AuthBy NTLM blocks while waiting for the result output of ntlm_auth.
Tip
If you are running Radiator on Windows and wish to authenticate to Windows Active Directory or to a Windows Domain Controller, see Section 3.60. <AuthBy LSA>.
Tip
Depending on the ownership and permissions of certain Samba files, Radiator may need to run with root permission.

3.74.1. Domain

This optional parameter specifies which Windows domain will be used to authenticate passwords, regardless of whether the user supplies a domain when they log in. It can be the name of any valid domain in your network. Special characters are permitted. The default is to use the domain configured into winbindd.

3.74.2. DefaultDomain

This optional parameter specifies the Windows Domain to use if the user does not specify a domain in their user name. Special characters are supported. It can be an Active Directory domain or a Windows NT domain controller domain name. An empty string (the default) means the domain configured into winbindd.
DefaultDomain OPEN

3.74.3. NtlmAuthProg

This optional parameter specifies the path name and arguments for the ntlm_auth program. The default value is /usr/bin/ntlm_auth --helper-protocol=ntlm-server-1. The --helper-protocol=ntlm-server-1 argument is an essential part of the arguments to ntlm_auth and is required for the correct interaction between <AuthBy NTLM> and ntlm_auth. If it is not included, <AuthBy NTLM> does not work correctly.
Here is an example of how to require the authenticated user to belong to a certain group:
NtlmAuthProg /usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 --require-membership-of=MyGroupName
Here is an example of how to specify that the NTLM authentication request appears to come from a workstation with a specified name. This can be used to restrict authentication for certain users by setting workstation requirements in their Windows user configuration.
NtlmAuthProg /usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 --workstation=MyWorkstationName
Note
Use the --allow-mschapv2 flag when the LMCompatibilityLevel registry key in the Windows configuration is set to value 5 to disable older authentication methods. In this case, MSCHAP, MSCHAP-V2 and EAP-MSCHAP-V2 authentication fail while PAP authentication works with <AuthBy NTLM> on Radiator. The availability of the --allow-mschapv2 flag depends on the ntlm_auth version.

3.74.4. UsernameMatchesWithoutRealm

Forces AuthBy NTLM to strip any realm from the user name before authenticating to the domain controller.

3.74.5. NtlmRewriteHook

This optional parameter allows you to define a Perl function to rewrite the username that is passed to ntlm_auth. The username passed to ntlm_auth is changed to whatever is returned by this function. The username in the request is not changed. This may be needed, for example, with Wi-Fi roaming, where the roaming username cannot be used directly with Windows authentication because of local naming conflicts with roaming requirements.
The following parameters are passed to NtlmRewriteHook:
  • $_[0]: $p, the current Radius::Radius request object
  • $_[1]: $user, the current username to pass to ntlm_auth
Here are some examples:
# We use file instead of inline code
NtlmRewriteHook file:"%D/ntlm-rewrite-hook.pl"
# Use inline code to change our global roaming realm to windows domain
NtlmRewriteHook sub { my ($user) = $_[1]; \
    $user =~ s/example\.com\z/org.local/; \
    return $user; }
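The following is an added example and is not code from the Radiator distribution: a stand-alone Perl script whose $hook sub follows the NtlmRewriteHook signature and maps a constructed table of roaming realms onto Windows domains, handling both user@realm and realm\user forms and returning unknown realms unchanged. The sub { ... } expression is what would go in a file referenced as file:"%D/ntlm-rewrite-hook.pl"; the realm table and test usernames are assumptions.

```perl
#!/usr/bin/perl
# Added example, not part of Radiator: an NtlmRewriteHook that maps roaming
# realms onto Windows domains and leaves unknown realms untouched.
use strict;
use warnings;

# Constructed mapping: roaming realm (as seen in User-Name) -> Windows domain.
my %realm_to_domain = (
    'example.com'      => 'org.local',
    'roam.example.net' => 'corp.local',
);

# Same signature as NtlmRewriteHook: $_[0] is the Radius::Radius request,
# $_[1] is the username about to be passed to ntlm_auth.
my $hook = sub {
    my ($p, $user) = @_;
    # Accept user@realm and realm\user; anything else is returned unchanged so
    # authentication proceeds exactly as it would without the hook.
    if ($user =~ /\A([^@\\]+)\@([^@\\]+)\z/) {
        my ($name, $realm) = ($1, $2);
        my $domain = $realm_to_domain{lc $realm};
        return defined $domain ? "$name\@$domain" : $user;
    }
    if ($user =~ /\A([^@\\]+)\\([^@\\]+)\z/) {
        my ($realm, $name) = ($1, $2);
        my $domain = $realm_to_domain{lc $realm};
        return defined $domain ? "$domain\\$name" : $user;
    }
    return $user;
};

# Stand-alone check with constructed usernames; $p is undef because the hook
# above never touches the request object.
my %cases = (
    'alice@example.com'     => 'alice@org.local',
    'EXAMPLE.COM\\bob'      => 'org.local\\bob',
    'carol@unknown.example' => 'carol@unknown.example',
    'dave'                  => 'dave',
);
for my $in (sort keys %cases) {
    my $out = $hook->(undef, $in);
    die "$in -> $out, expected $cases{$in}\n" unless $out eq $cases{$in};
    print "$in -> $out\n";
}
print "all rewrites OK\n";
```

Because the hook only changes what ntlm_auth sees, the original User-Name is still what appears in Radiator's logs and accounting, which keeps the audit trail tied to the roaming identity.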

3.74.6. UsernameFormat

Controls how the user name sent to NTLM is derived from User-Name in the incoming request. Special characters are permitted. %0 is replaced with the user name portion of ‘domain\username’. Defaults to ‘%0’.

3.74.7. DomainFormat

Controls how the domain name sent to NTLM is derived from User-Name in the incoming request. Special characters are permitted. %0 is replaced with the domain portion of ‘domain\username’. Defaults to ‘%0’.