Strange behaviour after AD password reset

Alan DeKok aland at
Fri Jun 14 08:41:24 CEST 2019

On Jun 13, 2019, at 7:47 AM, Richard Letuma <letumar at> wrote:
> The problem is that after password reset OLD and NEW password works with
> radtest (also with eapol_test).

  Unfortunately, that has nothing to do with FreeRADIUS.  FreeRADIUS just asks Samba / AD to authenticate the user.  It returns either yes / no.

> *Why is the old password works for approximately 5 minutes with radtest?

  Ask AD.  The old password will also work with other AD authentication tools.

> I
> have also checked with eapol_test and the old password still works for 5
> minutes before failing ( i.e Access-Reject ).*

  Because you're still using FreeRADIUS, which still uses Samba, and then AD.

> *The command "wbinfo -a <DOMAN USER and password>" immediately reflects
> that the password was changed. With "wbinfo -a", I do not have a problem
> where an old password work for 5 minutes.*

  Because you're likely checking AD, not Samba.

> In /etc/raddb/mods-enabled/ntlm_auth is there a possibility of using
> strictly wbinfo instead of ntlm_auth?

  They both use the same thing: Samba.

  If Samba is causing issues, fix Samba.  No amount of poking FreeRADIUS will fix a Samba issue.

  Alan DeKok.

More information about the Freeradius-Users mailing list