Freeradius2 and Samba3x

Phil Mayers p.mayers at imperial.ac.uk
Wed Jul 14 19:59:01 CEST 2010


On 07/14/2010 04:46 PM, Lovaas,Steven wrote:
> Rather than deal with the never-ending tail-chasing between samba and
> Microsoft, I've decided to move toward using FreeRadius as a proxy
> for the Windows radius implementation (formerly IAS, now called NPS).
> I haven't completed the change, so I'm sorry that I can't tell you
> how easy it is... but it surely can't be as frustrating as trying to
> deal with samba always being behind, right?

Samba being "behind" what, exactly?

I've never had this problem. We authenticate against windows 2008R2 
domain controllers on Samba 3.0.x. I had to do nothing special. It "just 
works".

There was a specific bug in some newer Samba versions where Samba seemed 
to make a change that caused NT_KEY to be wrong. So just run an older 
one. This problem is well described in the list archives and eap.conf in 
recent FreeRadius source distros. The latest Samba distributions should 
not have the problems.

As for "NPS can't be that bad"... shudder. I disagree. If you really 
feel you must do this, my advice is to only proxy the MS-CHAP (inside 
the tunnel if you're doing EAP-PEAP).



More information about the Freeradius-Users mailing list