search for: mchapv2

...Name}" winbind_domain = "*WINDOWSDOMAIN*" (not sure about external links in the mailing list, but here is the link to the freeradius doc explaining in detail: https://wiki.freeradius.org/guide/Active-Directory-direct-via-winbind What I can't test right now, if it will work with mchapv2 password change (if required), since freeradius relies directly on ntlm_auth there. My question on the other hand is this: - Why this "winbind" method works fine with "ntlm auth = mschpav2-and-ntlmv2-only" on the AD DC, but "ntlm_auth" doesn't? Winbind method sup...

...me further testing, and I have to correct myself. > > I was (kind of obviously as I think about it) wrong about samba on the > freeradius server requiring v. 4.7. What makes all the difference is the > method used by mschap. > What I can't test right now, if it will work with mchapv2 password change (if required), since freeradius relies directly on ntlm_auth there. > > > My question on the other hand is this: > - Why this "winbind" method works fine with "ntlm auth = mschpav2-and-ntlmv2-only" on the AD DC, but "ntlm_auth" doesn't...

Ok, I finally could try it out, and it seems to actually work, but You need samba 4.7 on all machines, not only AD, but also server with freeradius. I didn't get a chance to test it locally, that is samba AD + freeradius on the same server. Setup: 4.7.6 AD server and 4.6.2 samba member + freeradius didn't work (got simple "nt_status_wrong_password") but: 4.7.6 AD and 4.7.1