On Tue, Dec 30, 2014 at 5:44 PM, Alan DeKok <aland@deployingradius.com> wrote:
On Dec 30, 2014, at 10:28 AM, sb <superabx@gmail.com> wrote:
> Yes, but how to prevent it? I have nothing about User-Password in freeradius configs:

  Try version 2.2.6.  The PAP module has been updated to do a better job of discovering which password is where.


Thank you, Alan! I will try to upgrade to 2.2.6.
 

  And you probably want to double-check the *format* of the passwords.  You seem to have put the hashed version of the password into the userPassword field.  Then, taken that, turned it into hex, and put that into the ntPassword field in LDAP.  That’s wrong.

Actually we have no userPassword field in LDAP, the string

checkitem    Password-With-Header        userPassword

should be there from default config. I've commented it out, but got the same.
All that we have in LDAP:

sambaLMPassword: B4****************************************C6
sambaNTPassword: 1D****************************************9B

mapped to:

checkItem    LM-Password            sambaLmPassword
checkItem    NT-Password            sambaNtPassword

 

  The userPassword field in LDAP should contain the clear-text password.  e.g. “hello”, or “password”.  The ntPassword field in LDAP should contain the hex version of NT hashed password.  e.g. 01abcdef…  OR, the userPassword field in LDAP should contain "{nt}01abcdef…”  The {nt} prefix says that the rest of the password is the NT hash.

Possible I have to add {nt} prefix before the password?

"checkItem    User-Password            {nt}sambaNtPassword" - that won't work?