[Samba] Samba 4 and freeradius
Kinglok, Fong
busywater at gmail.com
Wed Feb 27 09:26:28 MST 2013
On 27 Feb 2013, at 2:26 PM, Andrew Bartlett wrote:
> On Wed, 2013-02-27 at 12:17 +0800, Kinglok, Fong wrote:
>> In fact, I have tried using NTLM already.
>>
>> I have successfully setup winbind bundled with Samba 4, including the steps to join Samba 4 as member server and start up winbindd as daemon.
>>
>> However, I encounter two difficulties with using NTLM to authenticate freeradius to Samba 4.
>> - I have to run freeradius as root in order to read output from winbindd. Even I change the permission / ownership of /usr/local/samba/var/run/winbindd to freerad. It still cannot work!
>
> You need to change the winbind_privileged directory, not the winbindd
> directory. The group ownership of this directory should be a group that
> servers doing NTLM authentication (such as squid, apache, pptpd and
> freeradius) are in.
>
> Andrew Bartlett
>
> --
> Andrew Bartlett http://samba.org/~abartlet/
> Authentication Developer, Samba Team http://samba.org
>
>
Thank you all for giving me the hint!
I have solved the problem by making use of ntlm_auth and with group support by
1. change the permission of the winbindd folder
chgrp freerad /usr/local/samba/var/locks/winbindd_privileged
(freerad is the user to run freeradius)
2. edit the file /usr/local/freeradius/etc/raddb/modules/mschap
ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-MYDOMAIN} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00} --require-membership-of=MYDOMAIN\\Certain_Group"
(Pay attention to the double back slashes and restart the freeradius)
However, I am still very eager to authenticate user with using ldap directly. I cannot fix it as the freeradius log complain: (I have tried binding the samba ac with administrator)
2013-02-28 00:19:32.393910500 [ldap] performing user authorization for peter
2013-02-28 00:19:32.394014500 [ldap] expand: %{Stripped-User-Name} ->
2013-02-28 00:19:32.394016500 [ldap] ... expanding second conditional
2013-02-28 00:19:32.394018500 [ldap] expand: %{User-Name} -> peter
2013-02-28 00:19:32.394020500 [ldap] expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=peter)
2013-02-28 00:19:32.394022500 [ldap] expand: ou=Accounting,dc=samdom,dc=org -> ou=Accounting,dc=samdom,dc=org
2013-02-28 00:19:32.394123500 [ldap] ldap_get_conn: Checking Id: 0
2013-02-28 00:19:32.394125500 [ldap] ldap_get_conn: Got Id: 0
2013-02-28 00:19:32.394127500 [ldap] performing search in ou=Accounting,dc=samdom,dc=org, with filter (sAMAccountName=peter)
2013-02-28 00:19:32.395423500 [ldap] looking for check items in directory...
2013-02-28 00:19:32.395426500 [ldap] looking for reply items in directory...
2013-02-28 00:19:32.395427500 WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
2013-02-28 00:19:32.395430500 [ldap] user peter authorized to use remote access
Any hint?
Kinglok, Fong
More information about the samba
mailing list