Previous page Section 3.74.2. DefaultDomain Section 3.74.3. NtlmAuthProg (945 / 1691)   Table of Contents Section 3.74.4. UsernameMatchesWithoutRealm Next page

3.74.3. NtlmAuthProg Previous topic Parent topic Child topic Next topic

This optional parameter specifies the path name and arguments for the ntlm_auth program. The default value is /usr/bin/ntlm_auth --helper-protocol=ntlm-server-1. The --helper-protocol=ntlm-server-1 is an important part of the arguments to ntlm_auth and it is required for the correct interaction between <AuthBy NTLM> and ntlm_auth. If it is not included, <AuthBy NTLM> does not work correctly.
Here is an example how to require the authenticated user to belong to a certain group: 
NtlmAuthProg /usr/bin/ntlm_auth --helper-protocol=ntlm-server-
1 --require-membership-of=MyGroupName
Here is an example how to specify that the NTLM authentication request appear to come from a workstation with a specified name. This can be used to restrict authentication for certain users by setting workstation requirements in their Windows user configuration. 
NtlmAuthProg /usr/bin/ntlm_auth --helper-protocol=ntlm-server-
1 --workstation=MyWorkstationName
Note
Use --allow-mschapv2 flag when LMCombatibilityLevel registry key in Windows configuration is set to value 5 to disable older authentication methods. In this case, MSCHAP and MSCHAP-V2, and EAP-MSCHAP-V2 authentications fail while PAP authentication works with <AuthBy NTLM> on Radiator. The availability of --allow-mschapv2 flag depends on the ntlm_auth version.
Previous page Section 3.74.2. DefaultDomain Section 3.74.3. NtlmAuthProg (945 / 1691)   Table of Contents Section 3.74.4. UsernameMatchesWithoutRealm Next page