Hi, Could you please advise me what could be the issue here. These are the steps that I followed: 1) I have set "winbind offline logon = no" in /etc/samba/smb.conf under global 2) I have set /etc/raddb/mods-enabled/eap to "enable = no" in cache section. It is default behaviour. I just set it to be 100% sure that it is set. 3) Then I restarted smb and nmb with systemctl status smb nmb 4) Also I have restarted the radiusd 5) I then reset a password from AD and use radtest and wbinfo to test The problem is that after password reset OLD and NEW password works with radtest (also with eapol_test). After AD password reset if I type "radtest -t mschap myuserid PasswordOLD <IP Address> 0 testing123" and I type "radtest radtest -t mschap myuserid PasswordNEW <IP Address> 0 testing123" they both work. After approximately 5 minutes, the "radtest -t mschap myuserid PasswordOLD <IP Address> 0 testing123" will stop working and authentication fail. This is what I expect. The new password will remain working even. *Why is the old password works for approximately 5 minutes with radtest? I have also checked with eapol_test and the old password still works for 5 minutes before failing ( i.e Access-Reject ).* *The command "wbinfo -a <DOMAN USER and password>" immediately reflects that the password was changed. With "wbinfo -a", I do not have a problem where an old password work for 5 minutes.* In /etc/raddb/mods-enabled/ntlm_auth is there a possibility of using strictly wbinfo instead of ntlm_auth? I am on samba 4.8.3 and it is running on latest Centos 7. Please advise. Thank you.
On Jun 13, 2019, at 7:47 AM, Richard Letuma <letumar@gmail.com> wrote:
The problem is that after password reset OLD and NEW password works with radtest (also with eapol_test).
Unfortunately, that has nothing to do with FreeRADIUS. FreeRADIUS just asks Samba / AD to authenticate the user. It returns either yes / no.
*Why is the old password works for approximately 5 minutes with radtest?
Ask AD. The old password will also work with other AD authentication tools.
I have also checked with eapol_test and the old password still works for 5 minutes before failing ( i.e Access-Reject ).*
Because you're still using FreeRADIUS, which still uses Samba, and then AD.
*The command "wbinfo -a <DOMAN USER and password>" immediately reflects that the password was changed. With "wbinfo -a", I do not have a problem where an old password work for 5 minutes.*
Because you're likely checking AD, not Samba.
In /etc/raddb/mods-enabled/ntlm_auth is there a possibility of using strictly wbinfo instead of ntlm_auth?
They both use the same thing: Samba. If Samba is causing issues, fix Samba. No amount of poking FreeRADIUS will fix a Samba issue. Alan DeKok.
participants (2)
-
Alan DeKok -
Richard Letuma