[Samba] Fwd: ntlm_auth and freeradius

Matthias Kühne | Ellerhold Aktiengesellschaft matthias.kuehne at ellerhold.de
Wed Apr 12 10:20:33 UTC 2023


Hello Alexander,

thanks Alexander for these configuration snippets.

Which version of Samba are you using? Is this on debian bullseye? Is the 
FreeRADIUS server installed on a DC or on a Domain Member? (I just 
tested the latter).

Is "ntlm auth = yes" OK for the DCs and the domain member or does it 
have to be "mschapv2-and-ntlmv2-only" for all servers (DCs + Member)? It 
looks like "yes" is broader and it should work? Sadly we need "yes" for 
other applications...

I'm sad to say that I can't get it to work. Neither "radtest" nor my 
Ubiquiti APs...

I always get

(3) mschap: ERROR: When trying to update a password, this return status 
indicates that the value provided as the current password is not 
correct. [0xC000006A]
(3) mschap: ERROR: MS-CHAP2-Response is incorrect

Similar error while using "ntlm_auth" instead of the direct winbind 
connections.

Using ntlm_auth with --username and --password works. Using ntlm_auth 
with --challenge results in the same error message above.

Any help would be much appreciated, otherwise we're going to switch to 
SQL or file based auth (with cleartext password *shudder*).

Thanks and have a nice day, Matthias.

On 06.04.23 at 09:56, Alexander Harm || ApfelQ via samba wrote:
> I can share my notes, we authenticate UniFi clients via Freeradius against Samba AD. We also check group membership which you might or might not need:
>
> ## 4 FreeRADIUS
>
> ### 4.1 Basics
>
> ```bash
> apt install freeradius freeradius-ldap freeradius-utils
>
> # create new DH-params
> openssl dhparam -out /etc/freeradius/3.0/certs/dh 2048
> ```
>
> ### 4.2 Configure Authentication
>
> - modify mschap to use winbind, uncomment the following lines
>
> ```
> # /etc/freeradius/3.0/mods-available/mschap
> require_encryption = yes
> require_strong = yes
> winbind_username = "%{mschap:User-Name}"
> winbind_domain = "%{%{mschap:NT-Domain}:-NTDOMAINNAME}"
> winbind_retry_with_normalised_username = yes
> ```
>
> - add to global section in samba conf
>
> ```
> # /etc/samba/smb.conf
> ntlm auth = mschapv2-and-ntlmv2-only
> ```
>
> - fix perms and restart
>
> ```bash
> usermod -a -G winbindd_priv freerad
> service freeradius restart
> service samba-ad-dc restart
> ```
>
> ### 4.3 Configure LDAP (group information)
>
> - enable ldap
>
> ```bash
> cd /etc/freeradius/3.0/mods-enabled
> ln -s ../mods-available/ldap ldap
> chown -h freerad:freerad ldap
> ```
>
> - modify module ldap to retrieve group information
>
> ```
> # /etc/freeradius/3.0/mods-available/ldap
> server = '10.0.1.250'
> server = '10.0.1.251'
> identity = 'cn=dc01,cn=users,dc=ds,dc=example,dc=com'
> password = ***
> base_dn = 'cn=users,dc=ds,dc=example,dc=com'
> user: filter = "(|(samaccountname=%{%{Stripped-User-Name}:-%{User-Name}})(userprincipalname=%{User-Name}))"
> group: filter = "(objectClass=group)"
> group: membership_filter = "(member:1.2.840.113556.1.4.1941:=%{control:Ldap-UserDn})"
> start_tls = yes
> ca_file = /etc/ssl/certs/ca-certificates.crt
> ```
>
> ### 4.4 Configure EAP
>
> - add root.ca and services.ca to certificate store
>
> ```bash
> cp /home/dcadmin/root.ca.crt /usr/local/share/ca-certificates/
> cp /home/dcadmin/service.ca.crt /usr/local/share/ca-certificates/
> update-ca-certificates
> ```
>
> - add radius cert and key
>
> ```bash
> cp /home/dcadmin/service.radius.key /etc/freeradius/3.0/certs/service.radius.key
> cp /home/dcadmin/service.radius.crt /etc/freeradius/3.0/certs/service.radius.crt
>
> chmod 640 /etc/freeradius/3.0/certs/service.radius.*
> chown freerad:freerad /etc/freeradius/3.0/certs/service.radius.*
> ```
>
> - configure eap module to use peap per default
>
> ```
> # /etc/freeradius/3.0/mods-available/eap
> default_eap_type = peap
>
> #private_key_password = whatever
> private_key_file = ${certdir}/service.radius.key
> certificate_file = ${certdir}/service.radius.crt
>
> tls_min_version = "1.2"
>
> cache: enable = yes
> cache: name = "<somename>.radius"
> cache: persist_dir = "${logdir}/tlscache"
>
> peap: copy_request_to_tunnel = yes
> ```
>
> ### 4.5 Configure Clients
>
> - add client for UniFi
>
> ```
> # /etc/freeradius/3.0/clients.conf
> client unifi {
> ipaddr = 10.0.1.0/24
> secret = ***
> }
> ```
>
> ### 4.6 Configure Authorization
>
> - devices/user via EAP
>
> ```
> # /etc/freeradius/3.0/sites-enabled/inner-tunnel
> post-auth {
> if (!(Ldap-Group == "SOMEGROUP")) {
> reject
> }
> }
> ```
>
> ### 4.7 Finish
>
> ```bash
> service freeradius restart
> ```
>
>> On Thursday, Apr 06, 2023 at 9:46 AM, Matthias Kühne | Ellerhold Aktiengesellschaft via samba <samba at lists.samba.org> wrote:
>> Hello Tim, Hello samba-people,
>>
>> is there an uptodate guide for authenticating via freeradius somewhere?
>>
>> I have some Ubiquiti APs plus a Cloud Key and I want to authenticate
>> WLAN clients via WPA2-Enterprise instead of a (shared) PSK.
>>
>> It seems like
>> https://wiki.samba.org/index.php/Authenticating_Freeradius_against_Active_Directory
>> is missing some steps (basic setup of freeradius).
>>
>> Can you write up some of your findings please?
>>
>> Thanks and happy holidays,
>> Matthias.
>>
>> On 04.04.23 at 10:38, Tim ODriscoll via samba wrote:
>>> Dear All,
>>>
>>> Well, this is very embarrassing....
>>>
>>> It seems that running 'smbcontrol all reload-config' isn't sufficient for reloading the ntlm config parameters.
>>>
>>> I tried restarting the whole samba service on the DC my FR box was authenticating against (systemctl restart sernet-samba-ad) and my test laptop is now connected to the network on the correct VLAN.
>>>
>>> I apologise for wasting everyone's time - now I'll get back to cleaning up all the config files and making sure BYOD still works etc.
>>>
>>> Thank you,
>>>
>>> Tim
>> --
>> Senior Web Developer
>> Data Protection Officer
>>
>> Ellerhold Aktiengesellschaft
>> Friedrich-List-Str. 4
>> 01445 Radebeul
>>
>> Phone: +49 (0) 351 83933-61
>> Web: www.ellerhold.de
>> Facebook: www.facebook.com/ellerhold.gruppe
>> Instagram: www.instagram.com/ellerhold.gruppe
>> Twitter: https://twitter.com/EllerholdGruppe
>>
>> Amtsgericht Dresden / HRB 23769
>> Management Board: Stephan Ellerhold, Maximilian Ellerhold
>> Chairman of the Supervisory Board: Frank Ellerhold
>>
>> This e-mail and its attachments are privileged and confidential. If you are not the intended recipient, please notify us and immediately delete this e-mail and its attachments.
>>
>> You can find our privacy policy here: http://www.ellerhold.de/datenschutz/
>>




