freely quoting from something I posted on #samba a couple of hours ago

###########
it appears that challenge/response is actually broken in 4.5.5. Have upgraded 4 dc's and now winbind/freeradius does not work. Focused on the radius box thinking that was the problem -- till I finally ran wbinfo -a user%password on all the dc's and they all behaved the same -> plaintext succeeded, challenge/response failed. Configured up yet another dc running 4.2 and on that one challenge/response works. Is there any way to temporarily force the freeradius unit to talk only to the 4.2 dc? -- It looks like you can force -S servername on net ads join. Will that stay, though?
##########

I managed to get my freeradius up and running using net join -S. Now winbind sends its queries to the server based on the current debian 4.2 package. I'm on pins and needles though thinking that it might switch. (I also have "password server" set in smb.conf which I know I'm not supposed to do). So much is riding on that radius server being functional.

Issues:

1) I would have posted this on bugzilla, but it doesn't present me with an account creation form when I click on new account. But I'm ready to give results from any requested tests.
2) It's entirely possible that I am framing this wrongly, that there is some other issue that is causing challenge/response to fail. I'm not seeing any reference to it in samba release change logs in the releases since.
3) It looks like someone else posted a similar problem about a 4.6.0 git compile in September but didn't answer when Roland asked for further info. I'll do my best to send as much info as necessary.
4) I'm a little gun-shy now of the 'stable' designation on the samba wiki site. It's been a stressful couple of days.
5) There must be other functionality suffering from not being able to do challenge/response.
Configuration info: all of my domain controllers have been Debian-based samba tarball compiles. The tarballs have, when I've had a space to upgrade them, been the latest stable version. Only my temporary DC is a stock Debian samba package.

On Saturday, 11 March 2017, 23:00, ray klassen <julius_ahenobarbus at yahoo.co.uk> wrote:
On Sun, 2017-03-12 at 07:04 +0000, ray klassen via samba wrote:
> is there any way to temporarily force the freeradius unit to talk
> only to the 4.2 dc? -- It looks like you can force -S servername
> on net ads join. Will that stay, though?

If your issue is FreeRADIUS, then presumably you are using MSCHAPv2, and it is the first item in the WHATSNEW:

https://www.samba.org/samba/history/samba-4.5.0.html

Setting 'ntlm auth = yes' should help.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
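A small check for the setting Andrew points at, added here as an example and not part of his reply or of the Samba project: it reads an smb.conf and reports the effective 'ntlm auth' value in [global]. The 4.5.0 WHATSNEW he links to records that the default changed from yes to no, which is what makes MSCHAPv2 through winbind fail on an upgraded DC while plaintext keeps working. The function names and the embedded sample config are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread or the Samba project): report the
# effective 'ntlm auth' value of an smb.conf. Samba 4.5 changed its
# default from yes to no, which refuses the NTLM challenge/response that
# FreeRADIUS' MSCHAPv2 needs from winbind. The sample config below is
# constructed so the script runs offline.

SAMPLE_SMB_CONF='[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.LOCAL
    server role = active directory domain controller
    ntlm auth = yes

[netlogon]
    path = /var/lib/samba/sysvol/example.local/scripts
    read only = No
'

# ntlm_auth_value CONFIG_TEXT
# Prints the explicit "ntlm auth" value from the [global] section,
# lower-cased, or "no" (the 4.5+ default) when it is not set there.
# Commented lines (# or ;) and settings in other sections are ignored.
ntlm_auth_value() {
  printf '%s\n' "$1" | awk '
    /^[ \t]*\[/ { in_global = (tolower($0) ~ /^[ \t]*\[global\]/); next }
    in_global && tolower($0) ~ /^[ \t]*ntlm[ \t]*auth[ \t]*=/ {
      sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t\r]+$/, ""); val = tolower($0)
    }
    END { print (val == "" ? "no" : val) }'
}

# mschapv2_allowed CONFIG_TEXT
# Returns 0 when the config permits NTLM challenge/response (and so
# MSCHAPv2 via winbind), 1 when the DC would refuse it.
mschapv2_allowed() {
  case "$(ntlm_auth_value "$1")" in
    yes|true|1) return 0 ;;
    *) return 1 ;;
  esac
}

# Stand-alone run: check the embedded sample.
if mschapv2_allowed "$SAMPLE_SMB_CONF"; then
  echo "ntlm auth = $(ntlm_auth_value "$SAMPLE_SMB_CONF"): MSCHAPv2 via winbind allowed"
else
  echo "ntlm auth = $(ntlm_auth_value "$SAMPLE_SMB_CONF"): MSCHAPv2 via winbind will fail"
fi
```

On a real DC, feed it the parsed configuration rather than the raw file, e.g. `ntlm_auth_value "$(testparm -s 2>/dev/null)"`, so included files are resolved; testparm -s prints only non-default settings, so an absent line really does mean the 4.5 default. Running it on each DC is a quicker way than wbinfo -a to spot which ones would still refuse challenge/response.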