Configuring FreeRADIUS to authenticate against AD

Martin Ubank Martin.Ubank at
Fri Oct 21 10:10:02 CEST 2011

I've been following the FreeRADIUS Deployment guide.

The following software is installed on a CentOS 6 VM:

- Samba 3.5.6, FreeRADIUS 2.1.10, wpa_supplicant-0.7.3, gcc v4.4.4-13, openssl, winbind.

I successfully performed basic configuration tests with the 'eapol_test' command for:


I've created production certificates & successfully tested for the above protocols.

Installed Kerberos 1.8.2 & tested that successfully.

I've edited /etc/krb5.conf, as follows:


default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

default_realm = CAMPUS.ADS.UWE.AC.UK
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true

  kdc =
  admin_server =
  default_domain = CAMPUS.ADS.UWE.AC.UK



I've also edited /etc/samba/smb.conf (comments & blank lines excluded):


        workgroup = CAMPUS
        server string = Samba Server Version %v
        log file = /var/log/samba/log.%m
        max log size = 50
        security = ads
        passdb backend = tdbsam
        realm =
        password server =
        load printers = yes
        cups options = raw
        winbind separator = +
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        winbind enum users = yes
        winbind enum groups = yes
        template homedir = /home/%D/%U
        template shell = /bin/rbash
        client use spnego = yes
        client ntlmv2 auth = yes
        encrypt passwords = yes
        winbind use default domain = yes
        restrict anonymous = 2
        domain master = no
        local master = no
        preferred master = no
        os level = 0

        comment = Home Directories
        browseable = no
        writable = yes

        comment = All Printers
        path = /var/spool/samba
        browseable = no
        guest ok = no
        writable = no
        printable = yes

I then run 'net join -U USERNAME' and get:

Unable to find a suitable server for domain CAMPUS
Unable to find a suitable server for domain CAMPUS

Running 'wbinfo -a USERNAME%PASSWORD' returns:

plaintext password authentication failed
Could not authenticate user USERNAME%PASSWORD with plaintext password
challenge/response password authentication failed
error code was NT_STATUS_NO_LOGON_SERVERS (0xc000005e)
error messsage was: No logon servers
Could not authenticate user USERNAME with challenge/response

Can anyone tell me what I've done wrong?
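
A pre-join consistency check for the two kinds of file quoted in the post above, as an added example that is not part of the original message and not FreeRADIUS or Samba code. It parses krb5.conf and smb.conf text and reports an unset realm under security = ads, a realm that differs from default_realm, and a missing kdc entry when dns_lookup_kdc is disabled. The function names and the example.test sample values are constructed, and it assumes a single-realm setup in which smb.conf's realm is expected to equal krb5.conf's default_realm.

```python
def parse_ini(text):
    """Parse krb5.conf/smb.conf text; a krb5 'NAME = {' block becomes 'section/NAME'."""
    out, section, sub = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section, sub = line[1:-1].strip().lower(), None
        elif line == "}":
            sub = None
        elif "=" in line and section is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            if value == "{":
                sub = f"{section}/{key.upper()}"
            else:
                out.setdefault(sub or section, {})[key.lower()] = value
    return out

def check_ads_config(krb5_text, smb_text):
    """Return a list of findings; an empty list means every check passed."""
    krb, smb = parse_ini(krb5_text), parse_ini(smb_text)
    lib, glob = krb.get("libdefaults", {}), smb.get("global", {})
    default_realm = lib.get("default_realm", "").upper()
    findings = []
    if glob.get("security", "").lower() == "ads":
        realm = glob.get("realm", "").upper()
        if not realm:
            findings.append("smb.conf: security = ads but realm is not set")
        elif realm != default_realm:
            findings.append("smb.conf: realm differs from krb5.conf default_realm")
    # With DNS lookup off, libkrb5 can only use a KDC listed under [realms].
    kdc = krb.get(f"realms/{default_realm}", {}).get("kdc")
    dns_off = lib.get("dns_lookup_kdc", "").lower() in {"false", "no", "off", "0"}
    if dns_off and not kdc:
        findings.append("krb5.conf: dns_lookup_kdc is off and no kdc is listed")
    return findings

# Constructed sample input; the example.test names are placeholders.
KRB5_OK = ("[libdefaults]\n default_realm = EXAMPLE.TEST\n dns_lookup_kdc = false\n"
           "[realms]\n EXAMPLE.TEST = {\n  kdc = dc1.example.test\n }\n")
SMB_OK = "[global]\n security = ads\n realm = EXAMPLE.TEST\n"
KRB5_EMPTY = KRB5_OK.replace("dc1.example.test", "")
SMB_EMPTY = SMB_OK.replace("EXAMPLE.TEST", "")

if __name__ == "__main__":
    for finding in check_ads_config(KRB5_EMPTY, SMB_EMPTY):
        print("WARN", finding)
```
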



More information about the Freeradius-Users mailing list