3.74.3. NtlmAuthProg

This optional parameter specifies the path name and arguments for the ntlm_auth program. The default value is /usr/bin/ntlm_auth --helper-protocol=ntlm-server-1. The --helper-protocol=ntlm-server-1 argument is an important part of the arguments to ntlm_auth: it is required for the correct interaction between <AuthBy NTLM> and ntlm_auth. If it is not included, <AuthBy NTLM> does not work correctly.
Here is an example of how to require the authenticated user to belong to a certain group:
NtlmAuthProg /usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 --require-membership-of=MyGroupName
Here is an example of how to make the NTLM authentication request appear to come from a workstation with a specified name. This can be used to restrict authentication for certain users by setting workstation requirements in their Windows user configuration.
NtlmAuthProg /usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 --workstation=MyWorkstationName
Use the --allow-mschapv2 flag when the LmCompatibilityLevel registry key in the Windows configuration is set to value 5 to disable older authentication methods. In this case, MSCHAP, MSCHAP-V2, and EAP-MSCHAP-V2 authentications fail while PAP authentication works with <AuthBy NTLM> on Radiator. The availability of the --allow-mschapv2 flag depends on the ntlm_auth version.
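The following check is an added example, not part of the Radiator documentation or distribution. It scans configuration text for NtlmAuthProg lines, confirms that each one still carries --helper-protocol=ntlm-server-1, and reports which of the restrictions described above are set. The function name, report fields and sample configuration are constructed for illustration, and only the --name=value option form shown on this page is parsed.

```python
import shlex

REQUIRED_OPT = ("helper-protocol", "ntlm-server-1")

def audit_ntlm_auth_prog(config_text):
    """Check every NtlmAuthProg line; return one report dict per line."""
    reports = []
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        fields = raw.strip().split(None, 1)
        if not fields or fields[0] != "NtlmAuthProg":
            continue
        argv = shlex.split(fields[1]) if len(fields) > 1 else []
        # Collect --name=value and bare --name options after the program path.
        opts = {}
        for arg in argv[1:]:
            if arg.startswith("--"):
                name, _, value = arg[2:].partition("=")
                opts[name] = value
        problems = []
        if not argv:
            problems.append("no program path given")
        # An override that drops or truncates this option breaks <AuthBy NTLM>.
        if opts.get(REQUIRED_OPT[0]) != REQUIRED_OPT[1]:
            problems.append("--helper-protocol=ntlm-server-1 not present")
        reports.append({
            "line": line_no,
            "program": argv[0] if argv else None,
            "group": opts.get("require-membership-of"),
            "workstation": opts.get("workstation"),
            "allow_mschapv2": "allow-mschapv2" in opts,
            "problems": problems,
        })
    return reports

# Constructed sample: one correct line, one override that drops the helper
# protocol, and one where the option was split across two lines.
SAMPLE = """\
<AuthBy NTLM>
    NtlmAuthProg /usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 --require-membership-of=MyGroupName --allow-mschapv2
</AuthBy>
<AuthBy NTLM>
    NtlmAuthProg /usr/bin/ntlm_auth --workstation=MyWorkstationName
</AuthBy>
<AuthBy NTLM>
    NtlmAuthProg /usr/bin/ntlm_auth --helper-protocol=ntlm-server-
1 --workstation=MyWorkstationName
</AuthBy>
"""

if __name__ == "__main__":
    for report in audit_ntlm_auth_prog(SAMPLE):
        print(report)
```

In the third sample entry the workstation restriction is also reported as unset, because the text after the line break is not part of the NtlmAuthProg value.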