On Jun 13, 2019, at 7:47 AM, Richard Letuma <letumar@gmail.com> wrote:
The problem is that after password reset OLD and NEW password works with radtest (also with eapol_test).
Unfortunately, that has nothing to do with FreeRADIUS. FreeRADIUS just asks Samba / AD to authenticate the user. It returns either yes / no.
*Why is the old password works for approximately 5 minutes with radtest?
Ask AD. The old password will also work with other AD authentication tools.
I have also checked with eapol_test and the old password still works for 5 minutes before failing ( i.e Access-Reject ).*
Because you're still using FreeRADIUS, which still uses Samba, and then AD.
*The command "wbinfo -a <DOMAN USER and password>" immediately reflects that the password was changed. With "wbinfo -a", I do not have a problem where an old password work for 5 minutes.*
Because you're likely checking AD, not Samba.
In /etc/raddb/mods-enabled/ntlm_auth is there a possibility of using strictly wbinfo instead of ntlm_auth?
They both use the same thing: Samba. If Samba is causing issues, fix Samba. No amount of poking FreeRADIUS will fix a Samba issue. Alan DeKok.