AD authentication fails - plaintext auth succeeds but challenge/response fails

Kev Xlr kevxlre at
Fri Aug 16 03:18:47 CEST 2019

I am configuring FreeRADIUS for MSCHAP authentication against our Active
Directory domain, following the guides on

When I get to the point to run wbinfo -a user%password as detailed in the
wiki, wbinfo returns the response:

plaintext password authentication succeeded
challenge/response password authentication failed
Could not authenticate user %user with challenge/response

This is the opposite of the expected behaviour, as AD should fail plaintext
password auth and ALLOW challenge/response password auth!

Obviously FreeRADIUS PAP works but any MSCHAP tests fail because there is
no challenge/response

I checked all samba and winbind logs but I cannot find anywhere in the logs
referring to such tests and failures

Where should I direct my troubleshooting?


More information about the Freeradius-Users mailing list