[Samba] Radius auth problem after DC update
Rowland Penny
rpenny at samba.org
Fri Oct 19 13:26:18 UTC 2018
On Fri, 19 Oct 2018 15:00:18 +0200
Jiří František via samba <samba at lists.samba.org> wrote:
> Hello list,
> We were using two DCs with version 4.3.4 of Samba. Radius
> authentication won't work after upgrading one of the DCs to version 4.6.7.
> Authentication is working if winbind on the radius server connects to the DC
> with version 4.3.4. I tried installing a new radius server following the
> tutorial on
> https://wiki.samba.org/index.php/Authenticating_Freeradius_against_Active_Directory
> with the same result. Radius is working on the DC with the older version of Samba.
> I think that the problem will be somewhere in winbind on the radius
> server. If I want to test authentication with wbinfo I get the following
> output:
>
> wbinfo -a user%pass
> plaintext password authentication failed
> Could not authenticate user user%pass with plaintext password
> challenge/response password authentication succeeded.
>
> My smb.conf on radius server (samba 4.7.1, radiusd 3.0.13):
> [global]
> security = ADS
> workgroup = DOMAIN
> realm = DOMAIN.LAN
>
> log file = /var/log/samba/%m.log
> log level = 1
> ntlm auth = mschapv2-and-ntlmv2-only
>
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
> idmap config DOMAIN:backend = ad
> idmap config DOMAIN:schema_mode = rfc2307
> idmap config DOMAIN:range = 10000-999999
> idmap config DOMAIN:unix_nss_info = no
> template shell = /bin/bash
> template homedir = /home/%U
>
> Why do I have a problem with radius authentication of users with the newer
> version of Samba on the DC?
> Any reply will be appreciated.
> Thank you
It seems you have to add the 'ntlm auth' line to the DC as well.
Rowland
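
One way to check that the 'ntlm auth' line is set to the same value on the radius server and on the DC, as the reply above suggests. This is an added example, not part of the original messages; the function names, file paths and sample smb.conf contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare the [global] "ntlm auth" value of two smb.conf files.

# ntlm_auth_value FILE
# Prints the last "ntlm auth" value set in [global], or "(unset)" if absent.
# Samba parameter names are case-insensitive and spaces in them are ignored.
ntlm_auth_value() {
    awk '
        /^[ \t]*[#;]/ { next }                 # skip comment lines
        /^[ \t]*\[/ {                          # section header
            s = tolower($0)
            gsub(/[ \t]/, "", s)
            in_global = (s == "[global]")
            next
        }
        in_global && index($0, "=") {
            name = tolower(substr($0, 1, index($0, "=") - 1))
            gsub(/[ \t]/, "", name)
            if (name == "ntlmauth") {
                val = substr($0, index($0, "=") + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", val)
                found = 1
            }
        }
        END { print (found ? val : "(unset)") }
    ' "$1"
}

# same_ntlm_auth RADIUS_CONF DC_CONF
# Returns 0 only when both files set the same explicit value.
same_ntlm_auth() {
    r=$(ntlm_auth_value "$1")
    d=$(ntlm_auth_value "$2")
    echo "radius server: ntlm auth = $r"
    echo "dc:            ntlm auth = $d"
    [ "$r" != "(unset)" ] && [ "$r" = "$d" ]
}

# Constructed sample files: the radius server has the line, the DC does not.
tmp=$(mktemp -d)
printf '[global]\n  security = ADS\n  ntlm auth = mschapv2-and-ntlmv2-only\n' > "$tmp/radius.conf"
printf '[global]\n  server role = active directory domain controller\n[netlogon]\n  path = /x\n' > "$tmp/dc.conf"
if same_ntlm_auth "$tmp/radius.conf" "$tmp/dc.conf"; then
    echo "match"
else
    echo "mismatch: add the 'ntlm auth' line to the DC as well"
fi
```

On a running host, `testparm -s --parameter-name="ntlm auth"` prints the value Samba actually loaded.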