I have a general question on how ntlm_auth works with a radius server
and remote windows domain users. In the case of doing remote windows
AD authentication, the freeradius docs mention to use ntlm_auth,
something like this in radius.conf:

ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
--username=%{mschap:User-Name} --domain=%{Realm}
--challenge=%{mschap:Challenge:-00}
--nt-response=%{mschap:NT-Response:-00}"

So is the radius server proxying everything from the mschapv2
supplicant?
In other words, does the initial request for a challenge from the
radius supplicant go all the way to Active Directory? I assume not
b/c we won't have the nt-response at this point.

Maybe it looks something like this:

client --- MSCHAPv2 auth request ---> freeradius
client <--- MSCHAPv2 challenge ---- freeradius
client --- MSCHAPv2 response ---> freeradius
freeradius ---- ntlm_auth (challenge and response) ----> Active Directory
freeradius <---- ntlm response ---- Active Directory
client <--- MSCHAPv2 response ---- freeradius

Ok, but the problem w/ this picture is that Active Directory talking
NTLM will have its own challenge. Another problem is that the MSCHAPv2
response is not the same as the NTLM response.
So does the handshaking between AD and winbindd handle this
challenge/response?
If so, why do we need the initial MSCHAPv2 challenge when talking NTLM?


I realize there are a few unknowns here, but I can't find any
articles/docs online that explain the magic glue between MSCHAPv2 and
NTLM that ntlm_auth is doing. Is looking at the code my only option?
Thanks.
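The piece the question is circling is the 8-byte challenge that FreeRADIUS hands to ntlm_auth. In MS-CHAPv2 (RFC 2759, section 8.2) the client does not encrypt the 16-byte Authenticator Challenge directly: it derives an 8-byte challenge as the first 8 bytes of SHA1(PeerChallenge || AuthenticatorChallenge || UserName), and the 24-byte NT-Response is then computed from that 8-byte challenge exactly as an NTLMv1 NT response would be. That is why the `%{mschap:Challenge}` and `%{mschap:NT-Response}` pair in the config above can be verified by the domain controller through winbind: it is an ordinary (challenge, NT-response) pair against the user's NT hash, and no second challenge has to be generated on the AD side. The following is an added example (not from the original post, FreeRADIUS or Samba) that parses the MS-CHAP2-Response attribute body (RFC 2548 section 2.3.2 layout: Ident, Flags, Peer-Challenge, Reserved, Response), derives the challenge, and builds the argument vector the config line would produce. The sample values are the RFC 2759 section 9.2 test vector; the surrounding attribute bytes, the `/usr/bin/ntlm_auth` path and the `EXAMPLE` domain are constructed for the demonstration, and the domain-stripping of the user name follows the RFC rather than any particular rlm_mschap version.

```python
import hashlib

# MS-CHAP2-Response attribute body after the vendor header (RFC 2548 2.3.2):
#   Ident(1) | Flags(1) | Peer-Challenge(16) | Reserved(8) | Response(24)
MSCHAP2_RESPONSE_LEN = 50

# RFC 2759 section 9.2 test vector (only the NT-Response side is needed here).
RFC2759_USERNAME = "User"
RFC2759_AUTH_CHALLENGE = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")
RFC2759_PEER_CHALLENGE = bytes.fromhex("21402324255E262A28295F2B3A337C7E")
RFC2759_NT_RESPONSE = bytes.fromhex(
    "82309ECD8D708B5EA08FAA3981CD83544233114A3D85D6DF"
)


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: str) -> bytes:
    """RFC 2759 section 8.2 ChallengeHash(): the 8-byte challenge the client
    actually encrypts, and the value FreeRADIUS expands as %{mschap:Challenge}.
    Only the user part of DOMAIN\\user enters the hash, per the RFC."""
    if len(peer_challenge) != 16 or len(auth_challenge) != 16:
        raise ValueError("both challenges must be 16 bytes")
    bare_user = username.split("\\")[-1]
    digest = hashlib.sha1(
        peer_challenge + auth_challenge + bare_user.encode("ascii")
    ).digest()
    return digest[:8]


def parse_mschap2_response(body: bytes) -> dict:
    """Split the MS-CHAP2-Response body into its fields; reject wrong lengths
    rather than silently reading garbage into the challenge derivation."""
    if len(body) != MSCHAP2_RESPONSE_LEN:
        raise ValueError(f"MS-CHAP2-Response body must be {MSCHAP2_RESPONSE_LEN} bytes")
    return {
        "ident": body[0],
        "flags": body[1],
        "peer_challenge": body[2:18],
        "reserved": body[18:26],
        "nt_response": body[26:50],
    }


def ntlm_auth_argv(username: str, domain: str, auth_challenge: bytes, body: bytes) -> list:
    """Build the argument vector equivalent to the ntlm_auth config line:
    the derived 8-byte challenge and the client's 24-byte NT-Response are
    passed as hex, which is the form ntlm_auth expects for --challenge and
    --nt-response. The binary path is an assumption for this example."""
    fields = parse_mschap2_response(body)
    challenge = challenge_hash(fields["peer_challenge"], auth_challenge, username)
    return [
        "/usr/bin/ntlm_auth",
        "--request-nt-key",
        f"--username={username.split(chr(92))[-1]}",
        f"--domain={domain}",
        f"--challenge={challenge.hex()}",
        f"--nt-response={fields['nt_response'].hex()}",
    ]


def build_sample_body() -> bytes:
    """Constructed MS-CHAP2-Response body carrying the RFC 2759 values;
    Ident=1 and Flags=0 are arbitrary, Reserved must be zero."""
    return bytes([1, 0]) + RFC2759_PEER_CHALLENGE + bytes(8) + RFC2759_NT_RESPONSE


if __name__ == "__main__":
    argv = ntlm_auth_argv(RFC2759_USERNAME, "EXAMPLE", RFC2759_AUTH_CHALLENGE, build_sample_body())
    print(" ".join(argv))
```

Running it prints the ntlm_auth command line with `--challenge=d02e4386bce91226`, which matches the "8-octet Challenge" in the RFC vector, and with the client's NT-Response unchanged. Nothing in the derivation requires the password or the NT hash, which is the whole point: the RADIUS server only reshapes the MS-CHAPv2 fields into an NTLM-style pair, and the actual comparison against the stored NT hash happens on the domain controller.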