AD authentication fails - plaintext auth succeeds but challenge/response fails

Johnny R vasiana09 at gmail.com
Fri Aug 16 06:48:55 CEST 2019


Hi,

I think it would be better if you could post some logs (radiusd -XXX). Since
"wbinfo" is a Samba-related package, I think that you'd better direct your
investigation that way.
Are you able to list the users/groups from the AD with wbinfo -u/g?

Just my two cents :)


v4s[at]#unrelated | "sh3ll is just the beginning"




On Fri, Aug 16, 2019 at 4:20 AM Kev Xlr <kevxlre at gmail.com> wrote:

> I am configuring FreeRADIUS for MSCHAP authentication against our Active
> Directory domain, following the guides on
> http://deployingradius.com/documents/configuration/active_directory.html
> and
>
> https://wiki.freeradius.org/guide/FreeRADIUS-Active-Directory-Integration-HOWTO
>
> When I get to the point to run wbinfo -a user%password as detailed in the
> wiki, wbinfo returns the response:
>
> plaintext password authentication succeeded
> challenge/response password authentication failed
> Could not authenticate user %user with challenge/response
>
> This is the opposite of the expected behaviour, as AD should fail plaintext
> password auth and ALLOW challenge/response password auth!
>
> Obviously FreeRADIUS PAP works but any MSCHAP tests fail because there is
> no challenge/response.
>
> I checked all samba and winbind logs but I cannot find anything in the logs
> referring to such tests and failures.
>
> Where should I direct my troubleshooting?
>
> Thanks


More information about the Freeradius-Users mailing list