Strange behaviour after AD password reset
Alan DeKok
aland at deployingradius.com
Fri Jun 14 08:41:24 CEST 2019
On Jun 13, 2019, at 7:47 AM, Richard Letuma <letumar at gmail.com> wrote:
> The problem is that after password reset, OLD and NEW passwords work with
> radtest (also with eapol_test).
Unfortunately, that has nothing to do with FreeRADIUS. FreeRADIUS just asks Samba / AD to authenticate the user. It returns either yes / no.
> *Why does the old password work for approximately 5 minutes with radtest?
Ask AD. The old password will also work with other AD authentication tools.
> I
> have also checked with eapol_test and the old password still works for 5
> minutes before failing (i.e. Access-Reject).*
Because you're still using FreeRADIUS, which still uses Samba, and then AD.
> *The command "wbinfo -a <DOMAIN USER and password>" immediately reflects
> that the password was changed. With "wbinfo -a", I do not have a problem
> where an old password works for 5 minutes.*
Because you're likely checking AD, not Samba.
> In /etc/raddb/mods-enabled/ntlm_auth is there a possibility of using
> strictly wbinfo instead of ntlm_auth?
They both use the same thing: Samba.
If Samba is causing issues, fix Samba. No amount of poking FreeRADIUS will fix a Samba issue.
Alan DeKok.