[Samba] Samba + FreeRadius + Ubiquiti

Johannes Engel jcnengel at gmail.com
Fri Feb 26 16:50:33 UTC 2021 

Hi Tyler,

I am running a similar scenario with the following ntlm_auth line in
/etc/raddb/mods-enabled/mschap:
ntlm_auth = "/usr/bin/ntlm_auth --allow-mschapv2 --request-nt-key
--username=%{mschap:User-Name} --challenge=%{%{mschap:Challenge}:-00}
--nt-response=%{%{mschap:NT-Response}:-00}
--domain=%{%{mschap:NT-Domain}:-MYDOMAIN}

However, I have recently moved to the direct usage of Winbind instead of
going via ntlm_auth which is much faster.

Best regards
Johannes

Am Di., 23. Feb. 2021 um 21:35 Uhr schrieb Tyler Montney via samba <
samba at lists.samba.org>:

> Someone from FreeRadius suggested I post over here, that Louis recently
> went down a similar path and might be able to help.
>
> I have a Unifi wireless controller that I want to offer RADIUS
> authentication. The controller points to the latest version of FreeRadius.
> Finally, this uses a Samba 4 instance, with integrated LDAP as my PDC. All
> are running Ubuntu 18.04.
>
> I started from scratch and followed this:
>
> https://blog.stevedong.com/post/how-to-install-and-configure-freeradius-with-active-directory-allow-allow-specific-group-of-users-to-authenticate-in-debian-10/
> .
> The following pass:
>
>    - wbinfo -a <user>%<password>
>    - ntlm_auth --request-nt-key --domain=TESTING --username=<user>
>    --password=<password>"
>    - radtest <domain_accout> <password> localhost 0 testing123
>
> The following fail:
>
>    -   radtest -t mschap <user> <password> localhost 0 testing123
>
> Running this gives me "bad username/password" on freeradius. I can see
> something similar in the samba logs. My assumption is there's something up
> with this line: ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
> --domain=TESTING --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
> --challenge=%{%{mschap:Challenge}:-00}
> --nt-response=%{%{mschap:NT-Response}:-00}".
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

More information about the samba mailing list