Validating plaintext passwords against Samba 4

Alan DeKok aland at
Thu Jan 5 18:30:14 CET 2017

On Jan 5, 2017, at 12:28 PM, Brian Candler <b.candler at> wrote:
> My question is, what's the preferred way to authenticate requests which contain plaintext passwords, i.e. PAP, against S4/AD? rlm_mschap has hooks to talk to ntlm_auth or winbind, but rlm_pap doesn't.
> It seems to me I could:
> * use rlm_ldap, and do a bind using the user supplied password
> * use rlm_krb5 (i.e. kerberos as a password oracle)

  Either way is fine.

> Is there another/better way?

 Personally, I'd probably use LDAP.

 Alan DeKok.

More information about the Freeradius-Users mailing list