
Re: PEAP-MSCHAPv2 Radius auth against bullseye TJENER

On Wed 19 Jan 2022 15:53:09 CET, Wolfgang Schweer wrote:

[ Mike Gabriel, 2022-01-19 ]
I am currently setting up a FreeRADIUS on TJENER (bullseye) and find that
the Debian Edu documentation (esp. the Debian Edu 11 release announcement)
states that PEAP-MSCHAPv2 is supported by the FreeRADIUS setup script.

@Wolfgang: do you have a PEAP-MSCHAPv2 setup running?

atm no (missing resources). at the time I added the script, things
worked just fine, using the edu cert on my phone as well.

For testing purposes, I have set ntlm_auth = yes in smb.conf.

that isn't the way to go, use the provided config:

When using ntlm_auth to authenticate against smbd on TJENER I always get

$ ntlm_auth --username=gabmik --domain=SGM
NT_STATUS_NO_SUCH_USER: The specified account does not exist. (0xc0000064)

as of bullseye, PDC with 'domain' is gone, fake domain is tjener
use 'smbclient -L tjener' (as user gabmik).

I understand that Samba user information for the standalone server is now
stored locally on TJENER (and password changes are managed via hook calls to

Any idea how to track this down further?

'man pdbedit' is your friend, eg

pdbedit -L -v -u gabmik


I solved the above by basically adding --domain=TJENER to the ntlm_auth command in


The problem was that --domain=SGM addressed a domain controller on site which I did not take into account. However, without --domain=<...> ntlm_auth would still fail.

So, maybe --domain=TJENER should be added to the FreeRADIUS setup script?


c\o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler Str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4351) 850 8940

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
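
A check for the fix described in the message above, as an added example that is not part of the original mail or of the Debian Edu setup script: it reports whether each active `ntlm_auth` line in a FreeRADIUS mschap stanza pins `--domain=` and whether the value is the expected one. The function names, the sample stanza and the `/usr/bin/ntlm_auth` path are assumptions; the domain names TJENER and SGM come from the message.

```shell
#!/bin/sh
# Added example: audit ntlm_auth command lines in a FreeRADIUS mschap stanza.

# audit_ntlm_auth FILE EXPECTED_DOMAIN
# Prints LINE:STATUS:DOMAIN for each active ntlm_auth assignment.
# STATUS is "missing" (no --domain=), "mismatch" (other domain) or "ok".
audit_ntlm_auth() {
    awk -v want="$2" '
        /^[ \t]*#/ { next }                      # ignore commented-out lines
        /^[ \t]*ntlm_auth[ \t]*=/ {
            if (!match($0, /--domain=[^ \t"]+/)) {
                printf "%d:missing:\n", NR
                next
            }
            # "--domain=" is 9 characters; the rest of the match is the value
            dom = substr($0, RSTART + 9, RLENGTH - 9)
            printf "%d:%s:%s\n", NR, (dom == want ? "ok" : "mismatch"), dom
        }
    ' "$1"
}

# write_sample FILE EXTRA_ARGS
# Writes a constructed stanza for the demo (not the Debian Edu file itself).
write_sample() {
    cat > "$1" <<EOF
mschap {
	# ntlm_auth = "/path/to/ntlm_auth --request-nt-key --domain=EXAMPLE"
	ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key $2 --username=%{mschap:User-Name} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
}
EOF
}

# Demo on three constructed variants: no domain, the on-site domain, the fix.
tmp=$(mktemp -d)
write_sample "$tmp/none" ""
write_sample "$tmp/site" "--domain=SGM"
write_sample "$tmp/fixed" "--domain=TJENER"
for f in none site fixed; do
    printf '%s -> %s\n' "$f" "$(audit_ntlm_auth "$tmp/$f" TJENER)"
done
rm -rf "$tmp"
```
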
