Validating plaintext passwords against Samba 4

Brian Candler b.candler at
Thu Jan 5 18:28:31 CET 2017


There are several documents about how to authenticate MSCHAP requests 
against Samba 4 / AD.

My question is, what's the preferred way to authenticate requests which 
contain plaintext passwords, i.e. PAP, against S4/AD? rlm_mschap has 
hooks to talk to ntlm_auth or winbind, but rlm_pap doesn't.

It seems to me I could:

* use rlm_ldap, and do a bind using the user supplied password

* use rlm_krb5 (i.e. kerberos as a password oracle)

Is there another/better way?



More information about the Freeradius-Users mailing list