ntlm_auth challenge response Auth broken

I’m using the winbind package 4.6.7-git.51.327af8d0a116.1-SUSE-SLE_12-x86_64. I tried to set up a freeradius server with mschap authentication, using ntlm_auth. As my configuration works with ealier versions of openSUSE it should be no issue with freeradius.

I checked several authentication methods with wbinfo and ntlm_auth, each of them working fine except for challenge-response. I tested the same challenge response authentication with a different version of ntlm_auth on another system, using the same user and password and it worked flawlessly.

Searching with google brought up some quite old results concerning samba3. As the system not working is a fresh installation I would prefer not to go back to an older version of openSUSE.

I may be completely off-base and have not set up what you have,
But my past experience using Winbind has been primarily to support NetBIOS Name resolution which was a “feature” of SAMBA 3 and possibly why you’re finding only old documentation about old versions of openSUSE.

I haven’t looked around,
But I suspect that especially since you’re in a new build that unless you need to support old NT4 Domains, there should be new setup configurations supporting hostname resolution (ie What is supported in all Active Directory leaving old NT4 Domains behind). If you still have old pre-Vista (ie XP, Win98, Win95) machines, then you may still need to support NT4 Domains and NetBIOS/WINS name resolution.

Else, if you just want to continue to use Winbind because it’s familiar, my guess is that you might need to enable SAMBA 3 or NetBIOS Naming in all your config files. This is not an issue with modern and current LEAP, only the application software.

HTH,
TSU

Thinking about your situation further,
If you strongly feel that you have an authentication problem, I’d suggest you take a look at your authentication protocol settings… In general for what you’re setting up, I’d expect that NTLMv2 to be implemented, maybe in some situations kerberos might be surprisingly possible, and NTLMv1 possible but generally discouraged (It’s much easier to crack than NTLMv2).

TSU