[Samba] Fwd: ntlm_auth and freeradius

Alexander Harm || ApfelQ alexander.harm at apfelq.com
Wed Apr 12 11:20:36 UTC 2023


Hi Matthias,

we're using Debian Bullseye with the backports repo, so the version is a mixture of

- Samba version 4.17.3-Debian
- Samba version 4.17.7-Debian

We've installed it directly on the DCs as well.

In my opinion using "ntlm auth = yes" should be fine.

Did you try using a simple RADIUS secret? In my experience long secrets or ones containing special characters don’t work very well. I would use alphanumerical only and no longer than 16 chars.

We successfully use it to authenticate UniFi clients and IKEv2 roadwarriors (using OPNsense).

I believe you set

lanman auth = yes

as well, right?

Does Samba give you anything in the logs? That way you might be able to narrow it down…

Alexander
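As an added check, not part of Alexander's notes or any mail in this thread, the script below verifies the two Samba-side preconditions the thread keeps coming back to before anyone reaches for radtest: the `ntlm auth` value in the [global] section of smb.conf, and the FreeRADIUS user's membership in `winbindd_priv`. It assumes the files are passed in as paths (so it can run against copies, offline), that smb.conf is parsed directly rather than through `testparm -s`, and that the RADIUS user is Debian's `freerad`.

```shell
# Added preflight check, not from the mailing-list thread. Verifies the Samba side
# of a FreeRADIUS mschap/winbind setup on copies of the files, so it runs offline.
# Assumptions: smb.conf is parsed directly (not via testparm -s), the key is
# written as "ntlm auth", and the RADIUS user is Debian's "freerad".

# Print the "ntlm auth" value from the [global] section of smb.conf ($1).
# Prints Samba's built-in default "ntlmv2-only" when the key is absent.
smb_ntlm_auth() {
    awk '
        /^[ \t]*\[/ { in_global = ($0 ~ /^[ \t]*\[global\]/) }
        in_global && $0 ~ /^[ \t]*ntlm auth[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]*$/, ""); val = $0
        }
        END { print (val == "" ? "ntlmv2-only" : val) }
    ' "$1"
}

# Return 0 if the value lets winbind answer MS-CHAPv2 requests: "yes" (alias
# ntlmv1-permitted) or "mschapv2-and-ntlmv2-only", the two settings named above.
ntlm_auth_allows_mschapv2() {
    case "$1" in
        yes|ntlmv1-permitted|mschapv2-and-ntlmv2-only) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if user $2 is a member of group $1 in an /etc/group-format file $3.
user_in_group() {
    awk -F: -v g="$1" -v u="$2" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
        END { exit found ? 0 : 1 }
    ' "$3"
}

# Run both checks; usage: preflight /etc/samba/smb.conf /etc/group freerad
preflight() {
    val=$(smb_ntlm_auth "$1")
    ntlm_auth_allows_mschapv2 "$val" && echo "ok:   ntlm auth = $val" ||
        { echo "FAIL: ntlm auth = $val (needs yes or mschapv2-and-ntlmv2-only)"; return 1; }
    user_in_group winbindd_priv "$3" "$2" && echo "ok:   $3 is in winbindd_priv" ||
        { echo "FAIL: $3 not in winbindd_priv (usermod -a -G winbindd_priv $3)"; return 1; }
}

# Only run when invoked with arguments, so the functions can also be sourced.
if [ $# -ge 3 ]; then preflight "$@"; fi
```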

> On Wednesday, Apr 12, 2023 at 12:21 PM, Matthias Kühne | Ellerhold Aktiengesellschaft via samba <samba at lists.samba.org (mailto:samba at lists.samba.org)> wrote:
> Hello Alexander,
>
> thanks Alexander for these configuration snippets.
>
> Which version of Samba are you using? Is this on Debian Bullseye? Is the
> FreeRADIUS server installed on a DC or on a Domain Member? (I just
> tested the latter).
>
> is "ntlm auth = yes" OK for the DCs and the domain member or does it
> have to be "mschapv2-and-ntlmv2-only" for all servers (DCs + Member)? It
> looks like "yes" is broader and it should work? Sadly we need "yes" for
> other applications...
>
> I'm sad to say that I can't get it to work. Neither "radtest" nor my
> Ubiquiti APs...
>
> I always get
>
> (3) mschap: ERROR: When trying to update a password, this return status
> indicates that the value provided as the current password is not
> correct. [0xC000006A]
> (3) mschap: ERROR: MS-CHAP2-Response is incorrect
>
> Similar error while using "ntlm_auth" instead of the direct winbind
> connections.
>
> Using ntlm_auth with --username and --password works. Using ntlm_auth
> with --challenge results in the same error message above.
>
> Any help would be much appreciated, otherwise we're going to switch to
> SQL or file based auth (with cleartext password *shudder*).
>
> Thanks and have a nice day, Matthias.
>
> On 06.04.23 at 09:56, Alexander Harm || ApfelQ via samba wrote:
> > I can share my notes, we authenticate UniFi clients via Freeradius against Samba AD. We also check group membership which you might or might not need:
> >
> > ## 4 FreeRADIUS
> >
> > ### 4.1 Basics
> >
> > ```bash
> > apt install freeradius freeradius-ldap freeradius-utils
> >
> > # create new DH-params
> > openssl dhparam -out /etc/freeradius/3.0/certs/dh 2048
> > ```
> >
> > ### 4.2 Configure Authentication
> >
> > - modify mschap to use winbind, uncomment the following lines
> >
> > ```
> > # /etc/freeradius/3.0/mods-available/mschap
> > require_encryption = yes
> > require_strong = yes
> > winbind_username = "%{mschap:User-Name}"
> > winbind_domain = "%{%{mschap:NT-Domain}:-NTDOMAINNAME}"
> > winbind_retry_with_normalised_username = yes
> > ```
> >
> > - add to global section in samba conf
> >
> > ```
> > # /etc/samba/smb.conf
> > ntlm auth = mschapv2-and-ntlmv2-only
> > ```
> >
> > - fix perms and restart
> >
> > ```bash
> > usermod -a -G winbindd_priv freerad
> > service freeradius restart
> > service samba-ad-dc restart
> > ```
> >
> > ### 4.3 Configure LDAP (group information)
> >
> > - enable ldap
> >
> > ```bash
> > cd /etc/freeradius/3.0/mods-enabled
> > ln -s ../mods-available/ldap ldap
> > chown -h freerad:freerad ldap
> > ```
> >
> > - modify module ldap to retrieve group information
> >
> > ```
> > # /etc/freeradius/3.0/mods-available/ldap
> > server = '10.0.1.250'
> > server = '10.0.1.251'
> > identity = 'cn=dc01,cn=users,dc=ds,dc=example,dc=com'
> > password = ***
> > base_dn = 'cn=users,dc=ds,dc=example,dc=com'
> > user: filter = "(|(samaccountname=%{%{Stripped-User-Name}:-%{User-Name}})(userprincipalname=%{User-Name}))"
> > group: filter = "(objectClass=group)"
> > group: membership_filter = "(member:1.2.840.113556.1.4.1941:=%{control:Ldap-UserDn})"
> > start_tls = yes
> > ca_file = /etc/ssl/certs/ca-certificates.crt
> > ```
> >
> > ### 4.4 Configure EAP
> >
> > - add root.ca and services.ca to certificate store
> >
> > ```bash
> > cp /home/dcadmin/root.ca.crt /usr/local/share/ca-certificates/
> > cp /home/dcadmin/service.ca.crt /usr/local/share/ca-certificates/
> > update-ca-certificates
> > ```
> >
> > - add radius cert and key
> >
> > ```bash
> > cp /home/dcadmin/service.radius.key /etc/freeradius/3.0/certs/service.radius.key
> > cp /home/dcadmin/service.radius.crt /etc/freeradius/3.0/certs/service.radius.crt
> >
> > chmod 640 /etc/freeradius/3.0/certs/service.radius.*
> > chown freerad:freerad /etc/freeradius/3.0/certs/service.radius.*
> > ```
> >
> > - configure eap module to use peap per default
> >
> > ```
> > # /etc/freeradius/3.0/mods-available/eap
> > default_eap_type = peap
> >
> > #private_key_password = whatever
> > private_key_file = ${certdir}/service.radius.key
> > certificate_file = ${certdir}/service.radius.crt
> >
> > tls_min_version = "1.2"
> >
> > cache: enable = yes
> > cache: name = "<somename>.radius"
> > cache: persist_dir = "${logdir}/tlscache"
> >
> > peap: copy_request_to_tunnel = yes
> > ```
> >
> > ### 4.5 Configure Clients
> >
> > - add client for UniFi
> >
> > ```
> > # /etc/freeradius/3.0/clients.conf
> > client unifi {
> > ipaddr = 10.0.1.0/24
> > secret = ***
> > }
> > ```
> >
> > ### 4.6 Configure Authorization
> >
> > - devices/user via EAP
> >
> > ```
> > # /etc/freeradius/3.0/sites-enabled/inner-tunnel
> > post-auth {
> >     if (!(Ldap-Group == "SOMEGROUP")) {
> >         reject
> >     }
> > }
> >
> > ### 4.7 Finish
> >
> > ```bash
> > service freeradius restart
> > ```
> >
> > > On Thursday, Apr 06, 2023 at 9:46 AM, Matthias Kühne | Ellerhold Aktiengesellschaft via samba <samba at lists.samba.org (mailto:samba at lists.samba.org)> wrote:
> > > Hello Tim, Hello samba-people,
> > >
> > > is there an up-to-date guide for authenticating via freeradius somewhere?
> > >
> > > I have some Ubiquiti APs plus a Cloud Key and I want to authenticate
> > > WLAN clients via WPA2-Enterprise instead of a (shared) PSK.
> > >
> > > It seems like
> > > https://wiki.samba.org/index.php/Authenticating_Freeradius_against_Active_Directory
> > > is missing some steps (basic setup of freeradius).
> > >
> > > Can you write up some of your findings please?
> > >
> > > Thanks and happy holidays,
> > > Matthias.
> > >
> > > On 04.04.23 at 10:38, Tim ODriscoll via samba wrote:
> > > > Dear All,
> > > >
> > > > Well, this is very embarrassing....
> > > >
> > > > It seems that running 'smbcontrol all reload-config' isn't sufficient for reloading the ntlm config parameters.
> > > >
> > > > I tried restarting the whole samba service on the DC my FR box was authenticating against (systemctl restart sernet-samba-ad) and my test laptop is now connected to the network on the correct VLAN.
> > > >
> > > > I apologise for wasting everyone's time - now I'll get back to cleaning up all the config files and making sure BYOD still works etc.
> > > >
> > > > Thank you,
> > > >
> > > > Tim
> > > --
> > > Senior Web Developer
> > > Data Protection Officer
> > >
> > > Ellerhold Aktiengesellschaft
> > > Friedrich-List-Str. 4
> > > 01445 Radebeul
> > >
> > > Phone: +49 (0) 351 83933-61
> > > Web: www.ellerhold.de
> > > Facebook: www.facebook.com/ellerhold.gruppe
> > > Instagram: www.instagram.com/ellerhold.gruppe
> > > Twitter: https://twitter.com/EllerholdGruppe
> > >
> > > Dresden District Court / HRB 23769
> > > Executive Board: Stephan Ellerhold, Maximilian Ellerhold
> > > Chairman of the Supervisory Board: Frank Ellerhold
> > >
> > >
> > >
> > > This e-mail and its attachments are privileged and confidential. If you are not the intended recipient, please notify us and immediately delete this e-mail and its attachments.
> > >
> > > You can find our privacy policy here: http://www.ellerhold.de/datenschutz/
> > >
> > >
> > > --
> > > To unsubscribe from this list go to the following URL and read the
> > > instructions: https://lists.samba.org/mailman/options/samba
>
