Kerberos - Radius does not get password

Phil Mayers p.mayers at
Tue Jan 8 12:24:26 CET 2013

On 08/01/13 10:31, Khapare Joshi wrote:

> I am running on:
> samba-winbind-3.5.10-125.el6.x86_64
> samba-3.5.10-125.el6.x86_64
> samba-common-3.5.10-125.el6.x86_64

Ok. Unfortunately this isn't nearly enough data to speculate about what 
your problems might be. To be honest, I don't even know what data 
*would* tell us that - but it would certainly include your AD server OS 
version and domain functional level.

But this is really off-topic - if you have Samba problems, the Samba 
list is the place to discuss them.

> and DEFAULT AUTH-Type = kerberos in users file.

No, this is wrong. Don't do this. It may stop you doing mschap.

If you *must* set Auth-Type, you need to ensure it's done correctly - 
only set if unset, and if it's PAP - which can be done in unlang like so:

authorize {

   # if Auth-Type isn't set yet
   if (!control:Auth-Type) {
     # AND if it's a PAP request (contains User-Password)
     if (User-Password) {
       # use Kerberos
       update control {
         Auth-Type := kerberos

> To make this work, I still have to configure samba, join radius server
> to AD and so on for the AD authentication right ?


> but, kerberos only works with PAP, is there a security risk - what is
> your view on this?

View on what?

Vague questions like "is there a security risk" don't really mean anything.

Let me answer a different question:

In my opinion, given current state-of-the-art in cryptography, TTLS/PAP 
is not appreciably more or less secure than PEAP/MSCHAP. They both have 
very similar security properties, and are close to identical at the 
protocol level.

The use of TTLS/PAP provides more options in backend password storage / 
authentication server, but that's separate from the security of the 

More information about the Freeradius-Users mailing list