Authenticating against Active Directory using winbind

Christoffer Jönsson chrjsn at imap.cc
Tue Sep 11 15:54:53 CEST 2018


So I created the radiusd user since there was none created on install 
and changed the disabled variables to "user = radius group = radius" in 
radiusd.conf.

If I did not run "chgrp radiusd 
/opt/samba4.2/var/locks/winbindd_privileged" freeradius could not 
connect to winbind.

But when I did chgrp, I still get the same error.  There was also no 
winbind group/user created by default and I don't know which config to 
set the group/user.

I am running CentOS 7.

Thanks!


> hi,
>
> check the permissions of the winbindd_privileged directory - might have
> been changed when samba patched.  (ideally you add radiusd to the winbind
> group)
>
> alan
>
> On Tue, 11 Sep 2018 at 12:42, Christoffer Jönsson <chrjsn at imap.cc> wrote:
>
>> Hello! I used this guide a year ago to enable 802.1x on my switches and
>> APs and it worked without any problems to authenticate to my Samba4 AD/DC:
>>
>> https://wiki.freeradius.org/guide/Active-Directory-direct-via-winbind.
>>
>> Today I am having trouble getting it to work because it won't accept the
>> password when running this command or connecting from switches:
>>
>> "radtest -t mschap adtest Password1 127.0.0.1 0 testing123". And winbind
>> returns this result:
>>
>> "NTLM CRAP authentication for user [auth.chrjsn.se]\[adtest] returned
>> NT_STATUS_WRONG_PASSWORD".
>>
>> But running this command, it authenticates with this result:
>>
>> ntlm_auth --username=adtest --domain=auth.chrjsn.se
>> Password:
>> NT_STATUS_OK: Success (0x0):
>>
>> "Plain-text authentication for user AUTH.CHRJSN.SE\adtest returned
>> NT_STATUS_OK (PAM: 0)"
>>
>> Radiusd reports that password has expired, when it has not. I have reset
>> the password for adtest and administrator with same results.
>>
>> I don't know if there's any new settings or something and I'm really
>> stuck here.
>>
>> It also doesn't matter which version of samba/freeradius I'm using.
>>
>> Thanks!
>>
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
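
The permission check suggested in the reply can be scripted. The following is an added example, not part of the original thread or of FreeRADIUS/Samba: it verifies that the winbindd_privileged directory still has the 0750 mode winbindd expects and that the RADIUS service account belongs to the directory's owning group. It assumes GNU coreutils `stat`; the function names are hypothetical, and the path and account in the usage comment are the ones mentioned in the thread.

```shell
#!/usr/bin/env bash
# Added example: audit who can reach winbindd's privileged pipe directory.

# user_has_gid USER GID -> 0 if USER's group list (per `id -G`) contains GID.
user_has_gid() {
    local user="$1"
    local gid="$2"
    local g
    for g in $(id -G "$user" 2>/dev/null); do
        [ "$g" = "$gid" ] && return 0
    done
    return 1
}

# check_winbind_priv DIR USER
# Returns 0 only if DIR exists, is mode 750, and USER is in DIR's group.
# Returns 2 if DIR is missing, 1 for any permission finding.
check_winbind_priv() {
    local dir="$1"
    local user="$2"
    local rc=0
    local mode gid
    if [ ! -d "$dir" ]; then
        echo "FAIL: $dir is not a directory"
        return 2
    fi
    mode=$(stat -c '%a' "$dir")   # octal mode, e.g. 750
    gid=$(stat -c '%g' "$dir")    # numeric GID of the owning group
    if [ "$mode" != "750" ]; then
        # Looser modes expose the privileged pipe; tighter ones lock radiusd out.
        echo "FAIL: mode is $mode, expected 750"
        rc=1
    fi
    if ! user_has_gid "$user" "$gid"; then
        echo "FAIL: $user is not a member of gid $gid (owning group of $dir)"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK: $user can traverse $dir through gid $gid"
    fi
    return "$rc"
}

# Usage with the values from this thread:
#   check_winbind_priv /opt/samba4.2/var/locks/winbindd_privileged radiusd
```

Run it again after every Samba package update, since the reply notes that patching may reset the directory's permissions.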



More information about the Freeradius-Users mailing list