[Samba] Radius auth problem after DC update

Rowland Penny rpenny at samba.org
Fri Oct 19 13:26:18 UTC 2018


On Fri, 19 Oct 2018 15:00:18 +0200
Jiří František via samba <samba at lists.samba.org> wrote:

> Hello list,
> We were using two DC with 4.3.4 version of samba. Radius
> authentication wont work after upgrade one of DC to version 4.6.7.
> Authentication is working If winbind on radius server connects to DC
> with version 4.3.4. I tried install new radius server following
> tutorial on
> https://wiki.samba.org/index.php/Authenticating_Freeradius_against_Active_Directory
> with same result. Radius is working on DC with older version of samba.
> I think that the problem will be somewhere in winbind on radius
> server. If I want to test authentication with wbinfo I get following
> output:
> 
> wbinfo -a user%pass
> plaintext password authentication failed
> Could not authenticate user user%pass with plaintext password
> challenge/response password authentication succeeded.
> 
> My smb.conf on radius server (samba 4.7.1, radiusd 3.0.13):
> [global]
>        security = ADS
>        workgroup = DOMAIN
>        realm = DOMAIN.LAN
> 
>        log file = /var/log/samba/%m.log
>        log level = 1
>        ntlm auth = mschapv2-and-ntlmv2-only
> 
>        idmap config * : backend = tdb
>        idmap config * : range = 3000-7999
>        idmap config DOMAIN:backend = ad
>        idmap config DOMAIN:schema_mode = rfc2307
>        idmap config DOMAIN:range = 10000-999999
>        idmap config DOMAIN:unix_nss_info = no
>        template shell = /bin/bash
>        template homedir = /home/%U
> 
> Why I have problem with radius authentication of users with newer
> version of samba on DC?
> Any reply will be appreciate.
> Thank you

It seems you have to add the 'ntlm auth' line to the DC as well.

Rowland
  



More information about the samba mailing list