Authenticating against Active Directory using winbind

Paolo Barbato paolo.barbato at igi.cnr.it
Tue Sep 11 16:22:08 CEST 2018


Curious to know why you aren't using the samba that comes with centos... anyway, I've just installed, for a new deployment, centos 7.5 + samba 4.7 + freeradius 3.0.13 + winbind against AD: it works!

The suggested command to properly set the privileges of the winbindd_privileged directory is setfacl:

setfacl -m u:radiusd:rx /var/lib/samba/winbindd_privileged


...radiusd also needs x.

Regards,
Paolo.


> On 11 Sep 2018, at 15:54, Christoffer Jönsson <chrjsn at imap.cc> wrote:
> 
> So I created the radiusd user since there was none created on install and changed the disabled variables to "user = radius group = radius" in radiusd.conf.
> 
> If I did not run "chgrp radiusd /opt/samba4.2/var/locks/winbindd_privileged" freeradius could not connect to winbind.
> 
> But when I did chgrp, I still get the same error.  There was also no winbind group/user created by default and I don't know which config to set the group/user.
> 
> I am running CentOS 7.
> 
> Thanks!
> 
> 
>> hi,
>> 
>> check the permissions of the winbindd_privileged directory - might have
>> been changed when samba patched.  (ideally you add radiusd to the winbind
>> group)
>> 
>> alan
>> 
>> On Tue, 11 Sep 2018 at 12:42, Christoffer Jönsson <chrjsn at imap.cc> wrote:
>> 
>>> Hello! I used this guide a year ago to enable 802.1x on my switches and
>>> APs and it worked without any problems to authenticate to my Samba4 AD/DC:
>>> 
>>> https://wiki.freeradius.org/guide/Active-Directory-direct-via-winbind.
>>> 
>>> Today I am having trouble getting it to work because it won't accept the
>>> password when running this command or connecting from switches:
>>> 
>>> "radtest -t mschap adtest Password1 127.0.0.1 0 testing123". And winbind
>>> returns this result:
>>> 
>>> "NTLM CRAP authentication for user [auth.chrjsn.se]\[adtest] returned
>>> NT_STATUS_WRONG_PASSWORD".
>>> 
>>> But running this command, it authenticates with this result:
>>> 
>>> ntlm_auth --username=adtest --domain=auth.chrjsn.se
>>> Password:
>>> NT_STATUS_OK: Success (0x0):
>>> 
>>> "Plain-text authentication for user AUTH.CHRJSN.SE\adtest returned
>>> NT_STATUS_OK (PAM: 0)"
>>> 
>>> Radiusd reports that password has expired, when it has not. I have reset
>>> the password for adtest and administrator with same results.
>>> 
>>> I don't know if there's any new settings or something and I'm really
>>> stuck here.
>>> 
>>> It also doesn't matter which version of samba/freeradius I'm using.
>>> 
>>> Thanks!
>>> 
>>> -
>>> List info/subscribe/unsubscribe? See
>>> http://www.freeradius.org/list/users.html
> 

------------------------------------------------------------------------------------------------
Paolo Barbato

Consorzio RFX
corso Stati Uniti,4                                  
35127 Padova - Italy                     	                 
Network Administrator 
phone: +39 049 8295097 fax: +39 049 8700718
------------------------------------------------------------------------------------------------
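
Added example, not part of the messages above: a check of whether a getfacl listing of winbindd_privileged actually gives radiusd both r and x, following POSIX ACL evaluation order (owner, named user, groups, other, with the mask applied). The helper names can_rx and sample_acl, the wbpriv group name and the ACL text are constructed for illustration.

```shell
#!/bin/sh
# can_rx USER "GROUPS" < getfacl-output : exit 0 if USER gets both r and x
# under POSIX ACL evaluation order (owner, named user, groups, other).
can_rx() {
    awk -v user="$1" -v groups="$2" '
    function ok(p) { return p ~ /^r.x/ }
    function masked(p,   i, out) {    # clear bits that mask:: does not allow
        if (mask == "") return p
        for (i = 1; i <= 3; i++)
            out = out (substr(mask, i, 1) == "-" ? "-" : substr(p, i, 1))
        return out
    }
    BEGIN { n = split(groups, g, " "); for (i = 1; i <= n; i++) member[g[i]] = 1 }
    /^# owner: / { owner = $3 }
    /^# group: / { ogroup = $3 }
    /^[a-z]+:/ {
        split($1, f, ":")
        if (f[1] == "mask") mask = f[3]
        else if (f[1] == "other") other = f[3]
        else if (f[1] == "user" && f[2] == "") uowner = f[3]
        else if (f[1] == "user") named[f[2]] = f[3]
        else if (f[1] == "group") gperm[(f[2] == "" ? ogroup : f[2])] = f[3]
    }
    END {
        if (user == owner) exit !ok(uowner)
        if (user in named) exit !ok(masked(named[user]))
        for (name in gperm) if (name in member) {
            hit = 1
            if (ok(masked(gperm[name]))) exit 0
        }
        exit (hit ? 1 : !ok(other))
    }'
}

# Constructed getfacl-style sample (group name wbpriv is illustrative);
# $1 = optional named-user entry, $2 = mask (default r-x).
sample_acl() {
    printf '%s\n' '# file: var/lib/samba/winbindd_privileged' '# owner: root' \
        '# group: wbpriv' 'user::rwx' ${1:+"$1"} 'group::r-x' \
        "mask::${2:-r-x}" 'other::---'
}

for entry in '' 'user:radiusd:r--' 'user:radiusd:r-x'; do
    if sample_acl "$entry" | can_rx radiusd radiusd
    then echo "${entry:-no ACL entry}: radiusd has r-x on the directory"
    else echo "${entry:-no ACL entry}: radiusd is denied"
    fi
done
```

On a live host the same function can be fed the output of getfacl for the directory, with the group list taken from id -Gn radiusd.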