AD authentication fails - plaintext auth succeeds but challenge/response fails

Johnny R vasiana09 at
Fri Aug 16 06:48:55 CEST 2019


I think it would better if you could post some logs (radiusd -XXX). Since
"wbinfo" is a samba related package, I think that you'd better direct your
investigation that way.
Are you able to list the users/groups from the AD wbinfo -u/g ?

Just my two cents :)

v4s[at]#unrelated | "sh3ll is just the beginning"

On Fri, Aug 16, 2019 at 4:20 AM Kev Xlr <kevxlre at> wrote:

> I am configuring FreeRADIUS for MSCHAP authentication against our Active
> Directory domain, following the guides on
> and
> When I get to the point to run wbinfo -a user%password as detailed in the
> wiki, wbinfo returns the response:
> plaintext password authentication succeeded
> challenge/response password authentication failed
> Could not authenticate user %user with challenge/response
> This is the opposite of the expected behaviour, as AD should fail plaintext
> password auth and ALLOW challenge/response password auth!
> Obviously FreeRADIUS PAP works but any MSCHAP tests fail because there is
> no challenge/response
> I checked all samba and winbind logs but I cannot find anywhere in the logs
> referring to such tests and failures
> Where should I direct my troubleshooting?
> Thanks
> -
> List info/subscribe/unsubscribe? See

More information about the Freeradius-Users mailing list