[Samba] challenge/response problem in 4.5.5

ray klassen julius_ahenobarbus at yahoo.co.uk
Sun Mar 12 07:04:29 UTC 2017


configuration info
All of my domain controllers have been Debian-based Samba tarball compiles. The tarballs have, when I've had a space to upgrade them, been the latest stable version. Only my temporary DC is a stock Debian Samba package.

    On Saturday, 11 March 2017, 23:00, ray klassen <julius_ahenobarbus at yahoo.co.uk> wrote:
 

 freely quoting from something I posted on #samba a couple of hours ago

###########
it appears that challenge/response is actually broken in 4.5.5. Have upgraded 4 dc's and now winbind/freeradius does not work.
focused on the radius box thinking that was the problem -- till I finally ran 

wbinfo -a user%password 

on all the dc's and they all behaved the same. -> plaintext succeeded challenge/response failed.
 Configured up yet another dc running 4.2 and on that one challenge/response works

is there any way to temporarily force the freeradius unit to talk only to the 4.2 dc?   --  It looks like you can force -S servername on net ads join. Will that stay, though?
##########

I managed to get my freeradius up and running using net join -S. Now winbind sends its queries to the server based on the current Debian 4.2 package. I'm on pins and needles though, thinking that it might switch. (I also have "password server" set in smb.conf, which I know I'm not supposed to do.) So much is riding on that radius server being functional.

Issues. 
1) I would have posted this on bugzilla, but it doesn't present me with an account creation form when I click on new account. But I'm ready to give results from any requested tests.
2) It's entirely possible that I am framing this wrongly, that there is some other issue that is causing challenge/response to fail. I'm not seeing any reference to it in Samba release change logs in the releases since.
3) It looks like someone else posted a similar problem about a 4.6.0 git compile in September but didn't answer when Roland asked for further info. I'll do my best to send as much info as necessary
4) I'm a little gun-shy now of the 'stable' designation on the samba wiki site. It's been a stressful couple of days. 
5) There must be other functionality suffering from not being able to do challenge/response


   

