Error after successful bind using Samba4, it might be the userPassword attribute
I'm trying to set freeradius authentication against a *Samba Active Directory Domain Controller v4.3.0* (*sernet-samba-ad*) server. The parameters in my ldap module file look like this: server = "192.168.1.8" identity = "cn=root,cn=Users,dc=eleka,dc=co,dc=cu" password = password basedn = "dc=eleka,dc=co,dc=cu" filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})" When I run *radtest root password 127.0.0.1 0 testing123* in debug mode (freeradius -X) I get a successful bind (*[ldap] Bind was successful*) but after that, this error is shown: WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? I found here http://lists.freeradius.org/pipermail/freeradius-users/2015-December/081338.... that it might be a problem related to Samba4 which looks like doesn't has a userPassword attribute and the freeradius LDAP module can map *userPassword* attribute defined in *ldap.attrmap* I also executed this query using ldapsearch (*without any issue* so identity works): ldapsearch -LLL -b "dc=eleka,dc=co,dc=cu" -h 192.168.206.8 -D "cn=root,cn=Users,dc=eleka,dc=co,dc=cu" -w password userPassword=* # refldap://eleka.co.cu/CN=Configuration,DC=eleka,DC=co,DC=cu # refldap://eleka.co.cu/DC=DomainDnsZones,DC=eleka,DC=co,DC=cu # refldap://eleka.co.cu/DC=ForestDnsZones,DC=eleka,DC=co,DC=cu
On Feb 13, 2018, at 10:10 AM, Ing. Pedro Pablo Delgado Martell <ppmartell@eleka.co.cu> wrote:
I'm trying to set freeradius authentication against a *Samba Active Directory Domain Controller v4.3.0* (*sernet-samba-ad*) server. The parameters in my ldap module file look like this:
server = "192.168.1.8" identity = "cn=root,cn=Users,dc=eleka,dc=co,dc=cu" password = password basedn = "dc=eleka,dc=co,dc=cu" filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
When I run *radtest root password 127.0.0.1 0 testing123* in debug mode (freeradius -X) I get a successful bind (*[ldap] Bind was successful*) but after that, this error is shown:
WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
Because Active Directory does not allow LDAP clients to query for the users's password. If you're running *only* Samba, and *not* Active Directory, it may be possible. But if you're running AD, it's impossible. No amount of poking FreeRADIUS will fix this. The problem is with AD, not with FreeRADIUS. Alan DeKok.
participants (2)
-
Alan DeKok -
Ing. Pedro Pablo Delgado Martell