EAP-PEAP + Windows 7 with SSO and Password change

Phil Mayers p.mayers at imperial.ac.uk
Wed Jun 13 00:00:46 CEST 2012


On 06/12/2012 06:47 PM, CD DD wrote:

> Exec-Program output: Must change password (0xc0000224)
> Exec-Program-Wait: plaintext: Must change password (0xc0000224)

Ok. ntlm_auth is returning something different to what I saw in testing. 
Have you set the "must change password at next login" bit, as opposed to 
"expired" bit?

Try this:

  1. Edit src/modules/rlm_mschap/rlm_mschap.c about line 1100, where it 
says:

   if (strstr(buffer, "Password expired")) {

...to read:

   if (strstr(buffer, "Password expired") ||
       strstr(buffer, "Must change password")) {

  2. Re-compile and re-install

  3. Test again

There's no great way to parse the output of ntlm_auth. I guess we could 
make the string a regexp comparison against the output, and at least 
make it an item in the config file (with a sensible default) so that if 
more such cases come up, or Samba change their output, it can be fixed 
without a recompile.
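
The configurable regexp comparison suggested above, sketched as an added example: it is not part of the original message and not FreeRADIUS code. The function name, the default-pattern macro and the sample lines are assumptions; only the two matched strings come from the message.

```c
#include <regex.h>
#include <stdio.h>

/* Assumed default: the two ntlm_auth strings named in the message.
 * A config item would override this without a recompile. */
#define DEFAULT_CHANGE_RE "Password expired|Must change password"

/* Returns 1 if the ntlm_auth output matches the "password must be changed"
 * pattern, 0 if it does not, and -1 if the configured pattern is invalid.
 * Callers should treat -1 as a configuration error and fail the request,
 * never as a match. */
int ntlm_output_needs_change(const char *output, const char *pattern)
{
    regex_t re;
    int rc;

    if (output == NULL)
        return 0;
    if (pattern == NULL || *pattern == '\0')
        pattern = DEFAULT_CHANGE_RE;

    /* REG_NOSUB: only a yes/no answer is needed, no capture groups. */
    if (regcomp(&re, pattern, REG_EXTENDED | REG_NOSUB) != 0)
        return -1;

    rc = regexec(&re, output, 0, NULL, 0);
    regfree(&re);
    return rc == 0 ? 1 : 0;
}

int main(void)
{
    /* Constructed sample lines; the first mirrors the quoted debug output. */
    const char *samples[] = {
        "Must change password (0xc0000224)",
        "Password expired",
        "Logon failure",
    };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-40s -> %d\n", samples[i],
               ntlm_output_needs_change(samples[i], NULL));
    return 0;
}
```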

