[Samba] Samba 4 and freeradius

Kinglok, Fong busywater at gmail.com
Wed Feb 27 09:26:28 MST 2013

On 27 Feb 2013, at 2:26 PM, Andrew Bartlett wrote:

> On Wed, 2013-02-27 at 12:17 +0800, Kinglok, Fong wrote:
>> In fact, I have tried using NTLM already.
>> I have successfully set up winbind bundled with Samba 4, including the steps to join Samba 4 as member server and start up winbindd as daemon.
>> However, I encounter two difficulties with using NTLM to authenticate freeradius to Samba 4.
>> - I have to run freeradius as root in order to read output from winbindd.  Even if I change the permission / ownership of /usr/local/samba/var/run/winbindd to freerad, it still cannot work!
> You need to change the winbind_privileged directory, not the winbindd
> directory.  The group ownership of this directory should be a group that
> servers doing NTLM authentication (such as squid, apache, pptpd and
> freeradius) are in. 
> Andrew Bartlett
> -- 
> Andrew Bartlett                                http://samba.org/~abartlet/
> Authentication Developer, Samba Team           http://samba.org

Thank you all for giving me the hint!

I have solved the problem by making use of ntlm_auth, with group support, by

1. Change the permission of the winbindd folder
chgrp freerad /usr/local/samba/var/locks/winbindd_privileged
(freerad is the user to run freeradius)

2. Edit the file /usr/local/freeradius/etc/raddb/modules/mschap
ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-MYDOMAIN} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}   --require-membership-of=MYDOMAIN\\Certain_Group"
(Pay attention to the double backslashes, and restart freeradius)

However, I am still very eager to authenticate users using ldap directly.  I cannot fix it, as the freeradius log complains: (I have tried binding the samba ac with administrator)
2013-02-28 00:19:32.393910500 [ldap] performing user authorization for peter
2013-02-28 00:19:32.394014500 [ldap] 	expand: %{Stripped-User-Name} -> 
2013-02-28 00:19:32.394016500 [ldap] 	... expanding second conditional
2013-02-28 00:19:32.394018500 [ldap] 	expand: %{User-Name} -> peter
2013-02-28 00:19:32.394020500 [ldap] 	expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=peter)
2013-02-28 00:19:32.394022500 [ldap] 	expand: ou=Accounting,dc=samdom,dc=org -> ou=Accounting,dc=samdom,dc=org
2013-02-28 00:19:32.394123500   [ldap] ldap_get_conn: Checking Id: 0
2013-02-28 00:19:32.394125500   [ldap] ldap_get_conn: Got Id: 0
2013-02-28 00:19:32.394127500   [ldap] performing search in ou=Accounting,dc=samdom,dc=org, with filter (sAMAccountName=peter)
2013-02-28 00:19:32.395423500 [ldap] looking for check items in directory...
2013-02-28 00:19:32.395426500 [ldap] looking for reply items in directory...
2013-02-28 00:19:32.395427500 WARNING: No "known good" password was found in LDAP.  Are you sure that the user is configured correctly?
2013-02-28 00:19:32.395430500 [ldap] user peter authorized to use remote access

Any hint?

Kinglok, Fong
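As an added example (my own code, not from this thread or from the Samba or FreeRADIUS projects), a small POSIX shell helper covering the two steps above: it checks that the winbindd_privileged directory is group-owned by the freeradius group and group-searchable, and it wraps the same ntlm_auth call, with the group restriction, so it can be tried by hand as the freerad user before the mschap module is relied on. The paths, the group name and the wrapper name ntlm_auth_check are assumptions; stat -c assumes GNU coreutils.

```shell
#!/bin/sh
# Added example, not from the thread: checks for the two things fixed above.
# Assumes GNU coreutils (stat -c) and the Samba 4 prefix used in the thread.

PRIV_DIR="${PRIV_DIR:-/usr/local/samba/var/locks/winbindd_privileged}"
RADIUS_GROUP="${RADIUS_GROUP:-freerad}"   # group freeradius runs as (assumed)
NTLM_AUTH="${NTLM_AUTH:-ntlm_auth}"       # /path/to/ntlm_auth from the config

# Succeeds only if DIR is group-owned by GROUP and group-searchable: that is
# what a non-root daemon needs to open the privileged winbindd pipe inside it.
check_privileged_dir() {
    dir=$1; group=$2
    [ -d "$dir" ] || { echo "missing directory: $dir" >&2; return 1; }
    have=$(stat -c %G "$dir")
    [ "$have" = "$group" ] || { echo "$dir is group $have, want $group" >&2; return 1; }
    # %A is e.g. drwxr-x---; the 7th character is the group execute (search) bit
    case $(stat -c %A "$dir") in
        ??????[xs]*) return 0 ;;
        *) echo "$dir is not group-searchable (needs chmod g+x)" >&2; return 1 ;;
    esac
}

# Builds the group restriction. In the freeradius config the backslash must be
# doubled ("MYDOMAIN\\Certain_Group") because the config parser unescapes it;
# printf's "\\" does the same here, so ntlm_auth sees a single backslash.
membership_arg() {
    printf '%s%s\\%s' '--require-membership-of=' "$1" "$2"
}

# Manual version of the check the mschap module performs, in plaintext mode
# (no --challenge/--nt-response). Run it as the freeradius user, for example:
#   su -s /bin/sh freerad -c '. ./check.sh; ntlm_auth_check peter MYDOMAIN Certain_Group'
# With no --password given, ntlm_auth prompts for it instead of exposing it in ps.
# ntlm_auth_check is a hypothetical wrapper name.
ntlm_auth_check() {
    user=$1; domain=$2; group=$3
    "$NTLM_AUTH" --request-nt-key --username="$user" --domain="$domain" \
        "$(membership_arg "$domain" "$group")"
}

# Usage: sh check.sh dir   (runs only the directory check)
if [ "${1:-}" = dir ]; then
    check_privileged_dir "$PRIV_DIR" "$RADIUS_GROUP" && echo "$PRIV_DIR OK"
fi
```

If the directory check passes but ntlm_auth_check still fails as the freerad user, the remaining suspect is winbindd itself (not running, or the member join), not the freeradius side.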
