[Samba] Samba 4 and freeradius

Kristofer kristofer at cybernetik.net
Tue Feb 26 21:25:15 MST 2013


In my experience from setting it up, I was able to get it to run as the "radiusd" user (used yum repository on CentOS 6.3 to install freeradius) without any additional tweaking.

I would recommend running freeradius on a machine other than a Samba 4 domain controller (assuming you already did that).

I used the Samba 3 winbind that comes in the yum repository for CentOS, and joined the operating system to the domain and ensured that basic login authentication worked:

yum install samba-winbind-clients samba-winbind

authconfig --updateall --enablewinbind --enablewinbindauth \
    --smbsecurity=ads --smbworkgroup=WORKGROUP --smbrealm=ad.domain.com \
    --winbindjoin=Administrator --winbindtemplatehomedir=/home/%U \
    --enablewinbindusedefaultdomain --enablewinbindoffline \
    --enablemkhomedir --enablelocauthorize

Then in /etc/raddb/modules/ntlm_auth, I set the following so that users must belong to the "VPN Users" group to authenticate.

exec ntlm_auth {
        # wait = yes: ntlm_auth's exit status decides the result (0 = accept)
        wait = yes
        program = "/usr/bin/ntlm_auth --request-nt-key --domain=AD.DOMAIN.COM --username=%{mschap:User-Name} --password=%{User-Password} --require-membership-of=VPN\ Users"
}


On Feb 26, 2013, at 10:17 PM, Kinglok, Fong wrote:

> In fact, I have tried using NTLM already.
> 
> I have successfully set up the winbind bundled with Samba 4, including the steps to join Samba 4 as a member server and start up winbindd as a daemon.
> 
> However, I encounter two difficulties with using NTLM to authenticate freeradius to Samba 4.
> - I have to run freeradius as root in order to read output from winbindd.  Even when I change the permission / ownership of /usr/local/samba/var/run/winbindd to freerad, it still does not work!
> - I wish to restrict a group of users who can use freeradius to authenticate.  However, adding --require-membership-of to freeradius still does not work.
> 
> Kinglok, Fong
> 
> 
> On 27 Feb, 2013, at 11:30 AM, Kristofer <kristofer at cybernetik.net> wrote:
> 
>> I had good luck using NTLM, rather than LDAP.  See: http://freeradius.1045715.n5.nabble.com/Freeradius-How-to-integrate-Active-Directory-AD-Integration-WindowsXP-NTLM-Tutorial-td2745621.html
>> 
>> 
>> 
>> From: "Fong Kinglok" <busywater at gmail.com>
>> To: samba at lists.samba.org
>> Sent: Friday, February 22, 2013 10:18:53 AM
>> Subject: [Samba] Samba 4 and freeradius
>> 
>> Hi,
>> 
>> My goal is to make use of Samba 4 and freeradius to authenticate users on a wifi network (WPA2 Enterprise).
>> 
>> The setup is Samba 4.0.3 on machine A and freeradius on machine B.
>> 
>> By reading: 
>> Document A: http://wiki.samba.org/index.php/Samba4/beyond
>> Document B: https://wiki.samba.org/index.php/Samba4/HOWTO/Virtual_Private_Network
>> Document C: http://www.linuxgfx.co.uk/karoshi/documentation/wiki/index.php?title=Samba4_Testing
>> 
>> Testing a bind to the Samba 4 server from machine B succeeds:
>> ldapsearch -x -W -h file.sambadom.org -b "ou=accounting,dc=sambadom,dc=org" -D "cn=ldapuser,cn=users,dc=sambadom,dc=org" "(cn=peter)"
>> 
>> Also, the ldap module of freeradius is configured as follows (the ldap part in sites-enabled/default and inner-tunnel is configured as well).
>> 
>> /usr/local/freeradius/etc/raddb/modules/ldap 
>> =============================
>> ldap {
>>         server = "file.sambadom.org"
>>         password = "asecurepassword"
>>         identity = "cn=ldapuser,cn=users,dc=samba4,dc=yauoi,dc=org"
>>         basedn = "ou=accounting,dc=sambadom,dc=org"
>>         filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
>>         ldap_connections_number = 5
>>         max_uses = 0
>>         timeout = 4
>>         timelimit = 3
>>         net_timeout = 1
>>         tls {
>>                 start_tls = no
>>         }
>>         dictionary_mapping = ${confdir}/ldap.attrmap
>>         edir_account_policy_check = no
>>         keepalive {
>>                 idle = 60
>>                 probes = 3
>>                 interval = 3
>>         }
>> }
>> =============================
>> 
>> When I try an authentication test on machine B,
>> eapol_test -c ./peap-mschapv2.conf -s testing123
>> 
>> peap-mschapv2.conf
>> ====================
>> network={
>>         ssid="amazonforest"
>>         scan_ssid=1
>>         key_mgmt=WPA-EAP
>>         eap=PEAP
>>         identity="peter"
>>         #anonymous_identity="anonymous"
>>         password="asecurepassword"
>>         phase2="autheap=MSCHAPV2"
>> 
>>         #
>>         #  Uncomment the following to perform server certificate validation.
>>         ca_cert="/usr/local/freeradius/etc/raddb/certs/ca.der"
>> }
>> ====================
>> 
>> The result is a failure.
>> 
>> 
>> Is there anything I did wrong?
>> 
>> Kinglok, Fong
>> 
>> 
>> -- 
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
>> 
> 



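The following is an added example and not code from either message in this thread. It is a pre-flight script that exercises the ntlm_auth path Kristofer describes directly, as the unprivileged RADIUS daemon user rather than as root, so that the two problems Kinglok reports (needing root to get output from winbindd, and --require-membership-of not taking effect) can be checked outside FreeRADIUS. The relevant fact is that ntlm_auth --request-nt-key talks to winbind over its privileged pipe, so the daemon user needs search permission on the winbindd_privileged directory; that directory is group-owned precisely so a daemon user can be added to the group. The user name "radiusd", the ntlm_auth path and the privileged-pipe directory below are assumptions taken from CentOS packaging, not from the thread, and can be overridden through the environment; the ntlm_auth output formats noted in the comments are the ones the tool prints on success and failure.

```shell
#!/bin/sh
# Added example, not code from the mailing-list messages above.
# Pre-flight check for the ntlm_auth path FreeRADIUS's exec module relies on:
# run ntlm_auth the way the daemon would, as the unprivileged RADIUS user.
#
# Assumptions (not stated in the thread): daemon user "radiusd", ntlm_auth at
# /usr/bin/ntlm_auth, privileged winbind pipe directory under the CentOS lock
# dir. Override via environment; "smbd -b | grep LOCKDIR" shows the lock dir
# a self-built Samba uses, and the privileged dir is <LOCKDIR>/winbindd_privileged.
RADIUS_USER="${RADIUS_USER:-radiusd}"
NTLM_AUTH="${NTLM_AUTH:-/usr/bin/ntlm_auth}"
PRIV_DIR="${PRIV_DIR:-/var/lib/samba/winbindd_privileged}"

# Reduce ntlm_auth's stdout to one token.
#   "NT_STATUS_OK: Success (0x0)" and, with --request-nt-key, "NT_KEY: <hex>"
#   mean the credentials (and any --require-membership-of) were accepted.
#   Any other NT_STATUS_* line is a named failure and is returned by name.
#   Empty output is what you get when this user cannot open winbindd's pipe,
#   which is also what FreeRADIUS sees when it runs as the wrong user.
classify_ntlm_output() {
    case "$1" in
        *NT_KEY:*|*NT_STATUS_OK*) echo ok ;;
        *NT_STATUS_*) printf '%s\n' "$1" | sed -n 's/.*\(NT_STATUS_[A-Z0-9_]*\).*/\1/p' | head -n 1 ;;
        '') echo no-output ;;
        *) echo unknown ;;
    esac
}

# Resolve "DOMAIN\Group" to its SID with wbinfo, so the membership check does
# not depend on how a group name containing a space is tokenised.
# wbinfo prints "S-1-5-21-... SID_DOM_GROUP (2)"; the first field is the SID.
group_sid() {
    wbinfo --name-to-sid "$1" 2>/dev/null | cut -d' ' -f1
}

# Run the same check FreeRADIUS would, by hand and as $RADIUS_USER.
# Must be run as root (to switch user). Arguments: user domain group password.
# Prints the classification and returns 0 only when ntlm_auth accepted the logon.
run_live_check() {
    user=$1 domain=$2 group=$3 password=$4
    if [ "$(id -u)" -ne 0 ]; then
        echo "run as root so the check can switch to $RADIUS_USER" >&2; return 2
    fi
    # Difficulty 1 from the thread: --request-nt-key needs the privileged pipe,
    # so the daemon user must be able to enter its directory.
    if ! su -s /bin/sh "$RADIUS_USER" -c "test -x '$PRIV_DIR'"; then
        echo "$RADIUS_USER cannot enter $PRIV_DIR; add it to that directory's group" >&2
        return 3
    fi
    # Difficulty 2: hand the group over as a SID rather than a name with a space.
    sid=$(group_sid "$group"); [ -n "$sid" ] || sid=$group
    # The password appears on ntlm_auth's command line here exactly as it does
    # when FreeRADIUS's exec module runs it; a password containing a single
    # quote would need different quoting.
    out=$(su -s /bin/sh "$RADIUS_USER" -c \
        "'$NTLM_AUTH' --request-nt-key --domain='$domain' --username='$user' \
         --password='$password' --require-membership-of='$sid'" 2>&1) || true
    result=$(classify_ntlm_output "$out")
    echo "$result"
    [ "$result" = ok ]
}

# Usage:
#   PRIV_DIR=/usr/local/samba/var/lib/winbindd_privileged \
#       sh ntlm_preflight.sh run peter AD.DOMAIN.COM 'AD\VPN Users'
# The password is read from the terminal so it stays out of shell history.
if [ "${1:-}" = run ]; then
    printf 'Password: ' >&2; stty -echo; read -r pw; stty echo; echo >&2
    run_live_check "$2" "$3" "$4" "$pw"
fi
```

If the script reports no-output as radiusd but ok as root, the problem is pipe permissions, not FreeRADIUS; if it reports a named NT_STATUS failure only when --require-membership-of is present, the group reference is what needs fixing, and the SID form removes the quoting question from the exec module's program line.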