[Samba] Problem with keytab: "Client not found in Kerberos database"

Brian Candler b.candler at pobox.com
Wed Dec 21 15:26:41 UTC 2016

On 20/12/2016 14:10, Rowland Penny wrote:
>> I can't use rlm_krb5, because I plan to use PEAP+MSCHAP for wifi
>> authentication. The krb5 module requires a cleartext password, but
>> MSCHAP does not pass a cleartext password. (It is possible to use
>> krb5 authentication with TTLS+PAP or TTLS+GTC, both of which send a
>> cleartext password.)
> You might want to read this:
> https://www.samba.org/samba/history/samba-4.5.0.html

I'm not sure which section you mean is relevant. Maybe this:

"When doing a PKINIT based Kerberos logon the KDC adds the
required PAC_CREDENTIAL_INFO element to the authorization data.
That means the NTHASH is shared between the PKINIT based client and
the domain controller, which allows the client to do NTLM based
authentication on behalf of the user."

That sounds cool, but I can already use ntlm_auth to validate the MSCHAP 
passwords. Modifying FreeRADIUS to be able to do this via Kerberos 
doesn't gain me much.

The other thing which I'd already noticed was the server-side storage of 
GPG-encrypted plaintext passwords. It doesn't make a difference to 
MSCHAP, but it'll be useful if I end up using an auth method which 
requires the server to have the cleartext password (e.g. EAP-PWD).


