Am 11.06.2017 um 11:41 schrieb Paweł Grzęda:
Hello,
[...]
Tutorial:
http://confluence.diamond.ac.uk/display/PAAUTH/Using+LDAP+as+authentication+...
I use start_tls to securely bind to LDAP (which is Samba4 AD DC) and the binding works, however I still can't get Access-Accept message. I think my problem is related to clear-text passwords (warning about no known good password), however I don't know how to fix it. Is it a way to configure this to be securely?
Assuming Samba 4 tries to work and behave like AD on Windows Server I imagine it does the same by default: "Active Directory does not allow FreeRADIUS to query the user's password via LDAP, or LDAPS." (Alan D. on a thread only a couple of days before) I haven't confirmed this since I did never use FR with a Samba 4 Domain, but only with Windows-based AD services. Though there seems to be a possibility to permit it by an ACL in smb.conf to allows this. By default I'd assume like with a Windows AD: Join the FR server to your Samba 4 AD domain and use NTLM authentication (like mentioned in your linked page). You'd have to select between the older method using ntlm_auth, oder directly via Winbind. (read the config file for the mschap module) Have a look on integrating with a Windows-based AD: * http://wiki.freeradius.org/guide/FreeRADIUS-Active-Directory-Integration-HOW... * http://wiki.freeradius.org/guide/Active-Directory-direct-via-winbind Good luck. -- Mathieu