Error after successful bind using Samba4, it might be the userPassword attribute

Alan DeKok aland at deployingradius.com
Tue Feb 13 16:49:50 CET 2018


On Feb 13, 2018, at 10:10 AM, Ing. Pedro Pablo Delgado Martell <ppmartell at eleka.co.cu> wrote:
> 
> I'm trying to set freeradius authentication against a *Samba Active Directory Domain Controller v4.3.0* (*sernet-samba-ad*) server. The parameters in my ldap module file look like this:
> 
>     server = "192.168.1.8"
>     identity = "cn=root,cn=Users,dc=eleka,dc=co,dc=cu"
>     password = password
>     basedn = "dc=eleka,dc=co,dc=cu"
>     filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
> 
> When I run *radtest root password 127.0.0.1 0 testing123* in debug mode (freeradius -X) I get a successful bind (*[ldap] Bind was successful*) but after that, this error is shown:
> 
> WARNING: No "known good" password was found in LDAP.  Are you sure that the user is configured correctly?

  Because Active Directory does not allow LDAP clients to query for the user's password.

  If you're running *only* Samba, and *not* Active Directory, it may be possible.

  But if you're running AD, it's impossible.  No amount of poking FreeRADIUS will fix this.  The problem is with AD, not with FreeRADIUS.

  Alan DeKok.




More information about the Freeradius-Users mailing list