[Samba] Samba 4 and freeradius

Kinglok, Fong busywater at gmail.com
Tue Feb 26 21:17:01 MST 2013


In fact, I have tried using NTLM already.

I have successfully set up winbind bundled with Samba 4, including the steps to join Samba 4 as a member server and start winbindd as a daemon.

However, I encounter two difficulties in using NTLM to authenticate freeradius against Samba 4.
- I have to run freeradius as root in order to read output from winbindd.  Even if I change the permission / ownership of /usr/local/samba/var/run/winbindd to freerad, it still cannot work!
- I wish to restrict a group of users to use freeradius to authenticate.  However, adding --require-membership-of to freeradius still cannot work.

Kinglok, Fong


On 27 Feb, 2013, at 11:30 AM, Kristofer <kristofer at cybernetik.net> wrote:

> I had good luck using NTLM, rather than LDAP.  See: http://freeradius.1045715.n5.nabble.com/Freeradius-How-to-integrate-Active-Directory-AD-Integration-WindowsXP-NTLM-Tutorial-td2745621.html
> 
> 
> 
> From: "Fong Kinglok" <busywater at gmail.com>
> To: samba at lists.samba.org
> Sent: Friday, February 22, 2013 10:18:53 AM
> Subject: [Samba] Samba 4 and freeradius
> 
> Hi,
> 
> My goal is to make use of Samba 4 and freeradius to authenticate users on a wifi network (WPA2 Enterprise).
> 
> The setup is Samba 4.0.3 on machine A and freeradius on machine B.
> 
> By reading: 
> Document A: http://wiki.samba.org/index.php/Samba4/beyond
> Document B: https://wiki.samba.org/index.php/Samba4/HOWTO/Virtual_Private_Network
> Document C: http://www.linuxgfx.co.uk/karoshi/documentation/wiki/index.php?title=Samba4_Testing
> 
> The test bind to the Samba 4 server from machine B succeeds:
> ldapsearch -x -W -h file.sambadom.org -b "ou=accounting,dc=sambadom,dc=org" -D "cn=ldapuser,cn=users,dc=sambadom,dc=org" "(cn=peter)"
> 
> Also, the ldap module of freeradius is configured as follows (the ldap part in sites-enabled/default and inner-tunnel is configured as well).
> 
> /usr/local/freeradius/etc/raddb/modules/ldap 
> =============================
> ldap {
>         server = "file.sambadom.org"
>         password = "asecurepassword"
>         identity = "cn=ldapuser,cn=users,dc=samba4,dc=yauoi,dc=org"
>         basedn = "ou=accounting,dc=sambadom,dc=org"
>         filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
>         ldap_connections_number = 5
>         max_uses = 0
>         timeout = 4
>         timelimit = 3
>         net_timeout = 1
>         tls {
>                 start_tls = no
>         }
>         dictionary_mapping = ${confdir}/ldap.attrmap
>         edir_account_policy_check = no
>         keepalive {
>                 idle = 60
>                 probes = 3
>                 interval = 3
>         }
> }
> =============================
> 
> When I try an authentication test on machine B,
> eapol_test -c ./peap-mschapv2.conf -s testing123
> 
> peap-mschapv2.conf
> ====================
> network={
>         ssid="amazonforest"
>         scan_ssid=1
>         key_mgmt=WPA-EAP
>         eap=PEAP
>         identity="peter"
>         #anonymous_identity="anonymous"
>         password="asecurepassword"
>         phase2="autheap=MSCHAPV2"
> 
>         #
>         #  Uncomment the following to perform server certificate validation.
>         ca_cert="/usr/local/freeradius/etc/raddb/certs/ca.der"
> }
> ====================
> 
> The result is a failure.
> 
> 
> Is there anything I did wrong?
> 
> Kinglok, Fong
> 
> 
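The two NTLM problems above (freeradius only works as root, and --require-membership-of has no effect) both come down to how ntlm_auth talks to winbindd. The following shell script is an added example, not part of the thread or of the Samba/FreeRADIUS projects. It assumes Samba 4 installed under /usr/local/samba, freeradius running as user and group "freerad", and a NetBIOS domain name SAMBADOM (the thread only gives the DNS name sambadom.org, so that name is a guess). It locates the privileged winbindd pipe directory, checks whether a non-root radius process can use it, fixes the group ownership, and runs a manual ntlm_auth check with a group restriction so each step can be verified outside freeradius:

```shell
#!/bin/sh
# Added example (not from the original thread).  Assumed values:
SAMBA=/usr/local/samba      # Samba 4 install prefix used in the thread
RADIUS_GROUP=freerad        # group freeradius drops privileges to
DOMAIN=SAMBADOM             # NetBIOS domain name: a guess, not in the thread

# ntlm_auth does not use the client socket under var/run/winbindd.  It opens
# the *privileged* pipe in a directory called winbindd_privileged, which
# winbindd creates root-owned with mode 0750.  Locate it instead of guessing.
find_priv_dir() {
    find "$SAMBA" -type d -name winbindd_privileged 2>/dev/null | head -n 1
}

# Return 0 when $1 is group-owned by $2 and group r-x (what a non-root
# freeradius needs to reach the pipe), 1 otherwise, with the reason on stderr.
priv_dir_ok() {
    dir=$1 grp=$2
    [ -d "$dir" ] || { echo "missing: $dir" >&2; return 1; }
    owner=$(stat -c %G "$dir" 2>/dev/null || stat -f %Sg "$dir")
    mode=$(stat -c %a "$dir" 2>/dev/null || stat -f %OLp "$dir")
    rest=${mode%?}                  # drop the "other" digit ...
    gbit=${rest#"${rest%?}"}        # ... and keep the "group" digit
    [ "$owner" = "$grp" ] || { echo "group is $owner, want $grp" >&2; return 1; }
    case $gbit in
        5|7) return 0 ;;
    esac
    echo "mode $mode: group lacks r-x" >&2
    return 1
}

# Fix (run as root): hand the directory to the radius group.  winbindd
# recreates the directory on restart, so redo this after restarting winbindd.
fix_priv_dir() {
    dir=$(find_priv_dir)
    [ -n "$dir" ] || { echo "winbindd_privileged not found; is winbindd running?" >&2; return 1; }
    chgrp "$RADIUS_GROUP" "$dir" && chmod 0750 "$dir" && priv_dir_ok "$dir" "$RADIUS_GROUP"
}

# Manual check outside freeradius, to be run as the freerad user:
#   su -s /bin/sh freerad -c '. ./this.sh; ntlm_auth_check peter secret "SAMBADOM\\wifi-users"'
# --require-membership-of is an ntlm_auth option (group SID or DOMAIN\name),
# so it belongs on the ntlm_auth command line, not in freeradius' own options.
# Exit 0 = accepted, 1 = rejected by winbindd, 2 = ntlm_auth not installed.
ntlm_auth_check() {
    user=$1 pass=$2 group=$3
    [ -x "$SAMBA/bin/ntlm_auth" ] || return 2
    "$SAMBA/bin/ntlm_auth" --username="$user" --password="$pass" \
        --domain="$DOMAIN" --require-membership-of="$group"
}

# The same restriction inside freeradius goes on the ntlm_auth line of
# raddb/modules/mschap (stock FreeRADIUS 2.x line plus the group option):
#   ntlm_auth = "/usr/local/samba/bin/ntlm_auth --request-nt-key \
#       --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} \
#       --challenge=%{%{mschap:Challenge}:-00} \
#       --nt-response=%{%{mschap:NT-Response}:-00} \
#       --require-membership-of=SAMBADOM\\wifi-users"
```

Run `fix_priv_dir` as root once winbindd is up, then `ntlm_auth_check` as the freerad user: if that succeeds but PEAP/MSCHAPv2 through freeradius still fails, the remaining problem is in the mschap module line rather than in winbindd access.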
