<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
</head>
<body lang="EN-CA" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal" style="margin-bottom:12.0pt">Hi there,</p>
<p class="MsoNormal">I had an issue when I tried to configure my FreeRADIUS server to integrate with Windows 2008 R2 Active Directory authentication. It worked before when it connected to a Windows 2003 AD. However, after I switched the AD server to a new AD server which is in another Windows domain (Windows 2008 R2), it's broken. It looks like the RADIUS server doesn't forward the request to the AD server even though it has no MySQL database or local user database. The request was then rejected. All the AD integration configuration files are in place and I don't find any mistakes. The only change I made is upgrading the Samba version from 2.x to 3.5.4 because the old version can't build up a pipe to the Windows 2008 R2 domain controller.</p>
<ol>
<li>The RADIUS server has already joined the Windows 2008 R2 domain. I can look up the AD information without any problem.
<ol type="a">
<li>Samba version:
<pre>[root@GTK_RADIUS /]#smbd -V
Version 3.5.4-0.83.el5</pre></li>
<li>Authenticate a user from the domain:
<pre>[root@GTK_RADIUS /]#wbinfo -a exie%123456
plaintext password authentication failed
Could not authenticate user exie%123456 with plaintext password
challenge/response password authentication succeeded</pre></li>
<li>Authenticate with NTLM:
<pre>[root@GTK_RADIUS /]#ntlm_auth --request-nt-key --domain=NE --username=exie
password:
NT_STATUS_OK: Success (0x0)</pre></li>
</ol>
</li>
<li>The log of the RADIUS authentication is attached.</li>
</ol>
<p class="MsoNormal">Could you kindly help me figure out why the FreeRADIUS server can't work with Windows AD? Thanks so much in advance.</p>
<p class="MsoNormal" style="line-height:115%"><span lang="DE" style="font-size:8.0pt;line-height:115%;font-family:Helvetica,sans-serif;color:#262626">Edward Xie</span></p>
<p class="MsoNormal" style="line-height:115%"><span lang="EN-US" style="font-size:8.0pt;line-height:115%;font-family:Helvetica,sans-serif;color:#262626">The contents of this email are confidential and intended for the recipient only. If you have received this email in error, please notify us, and destroy all copies.</span></p>
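<p class="MsoNormal">Added example, not part of the original post: a small Python helper that drives ntlm_auth in the challenge/response form FreeRADIUS's mschap module uses (no plaintext password is passed to winbind) and interprets its output, so the RADIUS-side path can be checked separately from the interactive ntlm_auth and wbinfo -a tests above. The install path /usr/bin/ntlm_auth and the function names are assumptions.</p>

```python
import re
import subprocess
from typing import Dict, List, Optional

# Assumed install path; confirm with `which ntlm_auth` on the RADIUS host.
NTLM_AUTH = "/usr/bin/ntlm_auth"

# ntlm_auth prints either a status line such as "NT_STATUS_OK: Success (0x0)"
# (the interactive check from the post) or, for the challenge/response form
# that FreeRADIUS's mschap module drives, a "NT_KEY: <hex>" line on success.
_STATUS_RE = re.compile(r"^(NT_STATUS_\w+):\s*(.*?)\s*\((0x[0-9a-fA-F]+)\)\s*$")
_NT_KEY_RE = re.compile(r"^NT_KEY:\s*([0-9a-fA-F]+)\s*$")


def build_ntlm_auth_cmd(domain: str, username: str,
                        challenge_hex: Optional[str] = None,
                        nt_response_hex: Optional[str] = None) -> List[str]:
    """Argument vector for ntlm_auth: interactive (password prompt) when no
    challenge/response pair is given, otherwise the mschap-style form in
    which no plaintext password is handed to winbind at all."""
    if (challenge_hex is None) != (nt_response_hex is None):
        raise ValueError("challenge and NT response must be given together")
    cmd = [NTLM_AUTH, "--request-nt-key", f"--domain={domain}", f"--username={username}"]
    if challenge_hex is not None:
        cmd += [f"--challenge={challenge_hex}", f"--nt-response={nt_response_hex}"]
    return cmd


def parse_ntlm_auth_output(output: str) -> Dict[str, object]:
    """Map ntlm_auth stdout to {ok, status, code, nt_key}. A NT_KEY line means
    winbind accepted the response; a status line carries the NT_STATUS name and
    code, the value to match against the RADIUS debug log on a rejection."""
    result: Dict[str, object] = {"ok": False, "status": None, "code": None, "nt_key": None}
    for line in output.splitlines():
        key, status = _NT_KEY_RE.match(line), _STATUS_RE.match(line)
        if key:
            result["nt_key"] = key.group(1).lower()
            result["ok"] = True
        elif status:
            result["status"] = status.group(1)
            result["code"] = int(status.group(3), 16)
            result["ok"] = status.group(1) == "NT_STATUS_OK"
    return result


def check_user(domain: str, username: str, challenge_hex: str, nt_response_hex: str):
    """Run the challenge/response check (needs Samba's ntlm_auth on the host)."""
    proc = subprocess.run(build_ntlm_auth_cmd(domain, username, challenge_hex, nt_response_hex),
                          capture_output=True, text=True, check=False)
    return parse_ntlm_auth_output(proc.stdout)
```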
</div>
</body>
</html>