Freeradius2 and Samba3x
p.mayers at imperial.ac.uk
Wed Jul 14 19:59:01 CEST 2010
On 07/14/2010 04:46 PM, Lovaas,Steven wrote:
> Rather than deal with the never-ending tail-chasing between samba and
> Microsoft, I've decided to move toward using FreeRadius as a proxy
> for the Windows radius implementation (formerly IAS, now called NPS).
> I haven't completed the change, so I'm sorry that I can't tell you
> how easy it is... but it surely can't be as frustrating as trying to
> deal with samba always being behind, right?
Samba being "behind" what, exactly?
I've never had this problem. We authenticate against windows 2008R2
domain controllers on Samba 3.0.x. I had to do nothing special. It "just
There was a specific bug in some newer Samba versions where Samba seemed
to make a change that caused NT_KEY to be wrong. So just run an older
one. This problem is well described in the list archives and eap.conf in
recent FreeRadius source distros. The latest Samba distributions should
not have the problems.
As for "NPS can't be that bad"... shudder. I disagree. If you really
feel you must do this, my advice is to only proxy the MS-CHAP (inside
the tunnel if you're doing EAP-PEAP).
More information about the Freeradius-Users