On 08/01/13 10:31, Khapare Joshi wrote:
I am running on: CENTOS6 samba-winbind-3.5.10-125.el6.x86_64 samba-3.5.10-125.el6.x86_64 samba-common-3.5.10-125.el6.x86_64
Ok. Unfortunately this isn't nearly enough data to speculate about what your problems might be. To be honest, I don't even know what data *would* tell us that - but it would certainly include your AD server OS version and domain functional level. But this is really off-topic - if you have Samba problems, the Samba list is the place to discuss them.
and DEFAULT AUTH-Type = kerberos in users file.
No, this is wrong. Don't do this. It may stop you doing mschap. If you *must* set Auth-Type, you need to ensure it's done correctly - only set if unset, and if it's PAP - which can be done in unlang like so: authorize { ... eap mschap # if Auth-Type isn't set yet if (!control:Auth-Type) { # AND if it's a PAP request (contains User-Password) if (User-Password) { # use Kerberos update control { Auth-Type := kerberos } } } ... }
To make this work, I still have to configure samba, join radius server to AD and so on for the AD authentication right ?
Yes.
but, kerberos only works with PAP, is there a security risk - what is your view on this?
View on what? Vague questions like "is there a security risk" don't really mean anything. Let me answer a different question: In my opinion, given current state-of-the-art in cryptography, TTLS/PAP is not appreciably more or less secure than PEAP/MSCHAP. They both have very similar security properties, and are close to identical at the protocol level. The use of TTLS/PAP provides more options in backend password storage / authentication server, but that's separate from the security of the protocol.