diff --git a/ucs-school-4.1r2/ucs-school-radius-802.1x/usr/bin/ucs-school-ntlm-auth b/ucs-school-4.1r2/ucs-school-radius-802.1x/usr/bin/ucs-school-ntlm-auth index f92e9f7ad8..3858912b63 100644 --- a/ucs-school-4.1r2/ucs-school-radius-802.1x/usr/bin/ucs-school-ntlm-auth +++ b/ucs-school-4.1r2/ucs-school-radius-802.1x/usr/bin/ucs-school-ntlm-auth @@ -67,19 +67,33 @@ def loadInfo(): groupInfo[group] = (priority, wlanEnabled, ) SAMBA_ACCOUNT_FLAG_DISABLED = 'D' SAMBA_ACCOUNT_FLAG_LOCKED = 'L' DISALLOWED_SAMBA_ACCOUNT_FLAGS = frozenset((SAMBA_ACCOUNT_FLAG_DISABLED, SAMBA_ACCOUNT_FLAG_LOCKED, )) def getNTPasswordHash(username, stationId): - 'stationId may be None if it was not supplied to the program' + ''' + stationId may be None if it was not supplied to the program + username may contain the direct username (e.g. 'anton123') or + a hostname (e.g. 'win-02$') or + a kerberos principal without realm (e.g. 'host/win-02.example.com'): + ''' + + if username.startswith('host/'): + # seems to be a kerberos principal + username = username.split('/', 1)[1] + if '.' in username: + username = username.split('.', 1)[0] + if '$' not in username: + username += '$' + groups = userToGroup.get(username) if groups is None: return None groups = [groupInfo[group] for group in groups if group in groupInfo] if not groups: return None (maxPriority, _, ) = max(groups) if True not in [wlanEnabled for (priority, wlanEnabled, ) in groups if priority == maxPriority]: return None
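Review bot: The new `host/` branch in getNTPasswordHash drops everything after the first dot without comparing it to the domain this server is responsible for, so `host/win-02.<any domain>` is looked up as `win-02$`. Because the name is supplied by the client, either compare the stripped suffix with the configured domain and `return None` on a mismatch, or add a comment saying why ignoring it is acceptable (presumably because the response must still match that machine account's stored NT hash). The suffix test `if '$' not in username:` matches a `$` anywhere in the name; `if not username.endswith('$'):` expresses the machine-account form the docstring describes. The `startswith('host/')` match and the `userToGroup.get(username)` lookup are case-sensitive, so a principal sent as `HOST/WIN-02...` appears to fall through to `return None`, which deserves a one-line comment if intended. The function continues below the hunk, so how the rewritten name is used for the hash lookup itself is not visible here.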