infamous AD integration

Matthew Newton mcn4 at
Wed Jun 15 18:06:11 CEST 2016

On Wed, Jun 15, 2016 at 11:50:57AM -0400, Alan DeKok wrote:
> On Jun 15, 2016, at 11:42 AM, lejeczek via Freeradius-Users <freeradius-users at> wrote:
> >
>   I haven't seen that one.

That has stuff in it (at least Kerberos configuration and
nsswitch.conf) that you generally don't need to do. You just
set "realm" and "password server" in smb.conf.

>   Don't bother with any FreeRADIUS testing until the above
>   command works.  See the Samba documentation for debugging
>   winbind problems.

General order to get things working is

 - Configure Samba and join to the domain.
 - Make sure "net ads testjoin" returns "Join is OK"

 - Make sure winbind is running

 - Make sure ntlm_auth will successfully authenticate from the

 - Make sure permissions/group are right on the winbind privileged

 - Make sure ntlm_auth will successfully authenticate from the
   shell when running as the FreeRADIUS user/group

 - Configure and test FreeRADIUS.

If _any_ of the steps is not right then fix that before moving on
to the next, otherwise it just won't work. This will also give a
big hint as to where the problem lies.

The above is just as valid when using direct libwbclient
configuration rather than ntlm_auth.


Matthew Newton, Ph.D. <mcn4 at>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at>

More information about the Freeradius-Users mailing list