Strange behaviour after AD password reset
Richard Letuma
letumar at gmail.com
Thu Jun 13 13:47:21 CEST 2019
Hi,
Could you please advise me what could be the issue here. These are the
steps that I followed:
1) I have set "winbind offline logon = no" in /etc/samba/smb.conf under
global
2) I have set /etc/raddb/mods-enabled/eap to "enable = no" in cache
section. It is default behaviour. I just set it to be 100% sure that it is
set.
3) Then I restarted smb and nmb with systemctl status smb nmb
4) Also I have restarted the radiusd
5) I then reset a password from AD and used radtest and wbinfo to test

The problem is that after the password reset, both the OLD and NEW passwords
work with radtest (also with eapol_test).
After AD password reset if I type "radtest -t mschap myuserid PasswordOLD
<IP Address> 0 testing123" and I type "radtest radtest -t mschap myuserid
PasswordNEW <IP Address> 0 testing123" they both work.
After approximately 5 minutes, the "radtest -t mschap myuserid PasswordOLD
<IP Address> 0 testing123" will stop working and authentication fails. This
is what I expect.
The new password will remain working even.

*Why does the old password work for approximately 5 minutes with radtest? I
have also checked with eapol_test and the old password still works for 5
minutes before failing (i.e. Access-Reject).*

*The command "wbinfo -a <DOMAIN USER and password>" immediately reflects
that the password was changed. With "wbinfo -a", I do not have a problem
where an old password works for 5 minutes.*

In /etc/raddb/mods-enabled/ntlm_auth is there a possibility of using
strictly wbinfo instead of ntlm_auth?
I am on Samba 4.8.3 and it is running on the latest CentOS 7.
Please advise.
Thank you.