[Samba] Fwd: ntlm_auth and freeradius

Matthias Kühne | Ellerhold Aktiengesellschaft matthias.kuehne at ellerhold.de
Wed Apr 12 11:27:01 UTC 2023


Hi Alexander,

I'm terribly sorry. We didn't have the "ntlm auth" parameter configured 
on the DCs at all. I added it and it just works.

Thanks for your help.

Now I just need to figure out how I can make WLAN-specific LDAP group 
authentication.

E.g. the production WLAN needs the LDAP group "wlan_production" and the 
management WLAN needs the "wlan_management" group.

I guess post_auth may be the correct place for that.

You've helped tremendously, thanks again!

On 12.04.23 at 13:20, Alexander Harm || ApfelQ wrote:
> Hi Matthias,
>
> we’re using Debian Bullseye with the backports repo. So version is a 
> mixture of
>
> - Samba version 4.17.3-Debian
> - Samba version 4.17.7-Debian
>
> We’ve installed it directly on the DCs as well.
>
> In my opinion using "ntlm auth = yes" should be fine.
>
> Did you try using a simple RADIUS secret? In my experience long 
> secrets or ones containing special characters don’t work very well. I 
> would use alphanumeric characters only and no longer than 16 chars.
>
> We successfully use it to authenticate UniFi clients and IKEv2 
> roadwarriors (using OPNsense).
>
> I believe you set
>
> lanman auth = yes
>
> as well, right?
>
> Does Samba give you anything in the logs? That way you might be able 
> to narrow it down…
>
> Alexander
>
>     On Wednesday, Apr 12, 2023 at 12:21 PM, Matthias Kühne | Ellerhold
>     Aktiengesellschaft via samba <samba at lists.samba.org> wrote:
>     Hello Alexander,
>
>     thanks Alexander for these configuration snippets.
>
>     Which version of Samba are you using? Is this on Debian Bullseye?
>     Is the FreeRADIUS server installed on a DC or on a Domain Member?
>     (I just tested the latter).
>
>     Is "ntlm auth = yes" OK for the DCs and the domain member, or does it
>     have to be "mschapv2-and-ntlmv2-only" for all servers (DCs +
>     Member)? It looks like "yes" is broader and it should work? Sadly
>     we need "yes" for other applications...
>
>     I'm sad to say that I can't get it to work. Neither "radtest" nor my
>     Ubiquiti APs...
>
>     I always get
>
>     (3) mschap: ERROR: When trying to update a password, this return status indicates that the value provided as the current password is not correct. [0xC000006A]
>     (3) mschap: ERROR: MS-CHAP2-Response is incorrect
>
>     Similar error while using "ntlm_auth" instead of the direct winbind
>     connections.
>
>     Using ntlm_auth with --username and --password works. Using ntlm_auth
>     with --challenge results in the same error message above.
>
>     Any help would be much appreciated, otherwise we're going to
>     switch to
>     SQL or file based auth (with cleartext password *shudder*).
>
>     Thanks and have a nice day, Matthias.
>
>     On 06.04.23 at 09:56, Alexander Harm || ApfelQ via samba wrote:
>>     I can share my notes, we authenticate UniFi clients via
>>     Freeradius against Samba AD. We also check group membership which
>>     you might or might not need:
>>
>>     ## 4 FreeRADIUS
>>
>>     ### 4.1 Basics
>>
>>     ```bash
>>     apt install freeradius freeradius-ldap freeradius-utils
>>
>>     # create new DH-params
>>     openssl dhparam -out /etc/freeradius/3.0/certs/dh 2048
>>     ```
>>
>>     ### 4.2 Configure Authentication
>>
>>     - modify mschap to use winbind, uncomment the following lines
>>
>>     ```
>>     # /etc/freeradius/3.0/mods-available/mschap
>>     require_encryption = yes
>>     require_strong = yes
>>     winbind_username = "%{mschap:User-Name}"
>>     winbind_domain = "%{%{mschap:NT-Domain}:-NTDOMAINNAME}"
>>     winbind_retry_with_normalised_username = yes
>>     ```
>>
>>     - add to global section in samba conf
>>
>>     ```
>>     # /etc/samba/smb.conf
>>     ntlm auth = mschapv2-and-ntlmv2-only
>>     ```
>>
>>     - fix perms and restart
>>
>>     ```bash
>>     usermod -a -G winbindd_priv freerad
>>     service freeradius restart
>>     service samba-ad-dc restart
>>     ```
>>
>>     ### 4.3 Configure LDAP (group information)
>>
>>     - enable ldap
>>
>>     ```bash
>>     cd /etc/freeradius/3.0/mods-enabled
>>     ln -s ../mods-available/ldap ldap
>>     chown -h freerad:freerad ldap
>>     ```
>>
>>     - modify module ldap to retrieve group information
>>
>>     ```
>>     # /etc/freeradius/3.0/mods-available/ldap
>>     server = '10.0.1.250'
>>     server = '10.0.1.251'
>>     identity = 'cn=dc01,cn=users,dc=ds,dc=example,dc=com'
>>     password = ***
>>     base_dn = 'cn=users,dc=ds,dc=example,dc=com'
>>     user: filter = "(|(samaccountname=%{%{Stripped-User-Name}:-%{User-Name}})(userprincipalname=%{User-Name}))"
>>     group: filter = "(objectClass=group)"
>>     group: membership_filter = "(member:1.2.840.113556.1.4.1941:=%{control:Ldap-UserDn})"
>>     start_tls = yes
>>     ca_file = /etc/ssl/certs/ca-certificates.crt
>>     ```
>>
>>     ### 4.4 Configure EAP
>>
>>     - add root.ca and service.ca to certificate store
>>
>>     ```bash
>>     cp /home/dcadmin/root.ca.crt /usr/local/share/ca-certificates/
>>     cp /home/dcadmin/service.ca.crt /usr/local/share/ca-certificates/
>>     update-ca-certificates
>>     ```
>>
>>     - add radius cert and key
>>
>>     ```bash
>>     cp /home/dcadmin/service.radius.key /etc/freeradius/3.0/certs/service.radius.key
>>     cp /home/dcadmin/service.radius.crt /etc/freeradius/3.0/certs/service.radius.crt
>>
>>     chmod 640 /etc/freeradius/3.0/certs/service.radius.*
>>     chown freerad:freerad /etc/freeradius/3.0/certs/service.radius.*
>>     ```
>>
>>     - configure eap module to use peap by default
>>
>>     ```
>>     # /etc/freeradius/3.0/mods-available/eap
>>     default_eap_type = peap
>>
>>     #private_key_password = whatever
>>     private_key_file = ${certdir}/service.radius.key
>>     certificate_file = ${certdir}/service.radius.crt
>>
>>     tls_min_version = "1.2"
>>
>>     cache: enable = yes
>>     cache: name = "<somename>.radius"
>>     cache: persist_dir = "${logdir}/tlscache"
>>
>>     peap: copy_request_to_tunnel = yes
>>     ```
>>
>>     ### 4.5 Configure Clients
>>
>>     - add client for UniFi
>>
>>     ```
>>     # /etc/freeradius/3.0/clients.conf
>>     client unifi {
>>     ipaddr = 10.0.1.0/24
>>     secret = ***
>>     }
>>     ```
>>
>>     ### 4.6 Configure Authorization
>>
>>     - devices/user via EAP
>>
>>     ```
>>     # /etc/freeradius/3.0/sites-enabled/inner-tunnel
>>     post-auth {
>>         if (!(Ldap-Group == "SOMEGROUP")) {
>>             reject
>>         }
>>     }
>>     ```
>>
>>     ### 4.7 Finish
>>
>>     ```bash
>>     service freeradius restart
>>     ```
>>
>>>     On Thursday, Apr 06, 2023 at 9:46 AM, Matthias Kühne | Ellerhold
>>>     Aktiengesellschaft via samba <samba at lists.samba.org
>>>     (mailto:samba at lists.samba.org)> wrote:
>>>     Hello Tim, Hello samba-people,
>>>
>>>     is there an up-to-date guide for authenticating via freeradius
>>>     somewhere?
>>>
>>>     I have some Ubiquiti APs plus a Cloud Key and I want to authenticate
>>>     WLAN clients via WPA2-Enterprise instead of a (shared) PSK.
>>>
>>>     It seems like
>>>     https://wiki.samba.org/index.php/Authenticating_Freeradius_against_Active_Directory
>>>     is missing some steps (basic setup of freeradius).
>>>
>>>     Can you write up some of your findings please?
>>>
>>>     Thanks and happy holidays,
>>>     Matthias.
>>>
>>>     On 04.04.23 at 10:38, Tim ODriscoll via samba wrote:
>>>>     Dear All,
>>>>
>>>>     Well, this is very embarrassing....
>>>>
>>>>     It seems that running 'smbcontrol all reload-config' isn't
>>>>     sufficient for reloading the ntlm config parameters.
>>>>
>>>>     I tried restarting the whole samba service on the DC my FR box
>>>>     was authenticating against (systemctl restart sernet-samba-ad)
>>>>     and my test laptop is now connected to the network on the
>>>>     correct VLAN.
>>>>
>>>>     I apologise for wasting everyone's time - now I'll get back to
>>>>     cleaning up all the config files and making sure BYOD still
>>>>     works etc.
>>>>
>>>>     Thank you,
>>>>
>>>>     Tim
>>>     --
>>>     Senior Web Developer
>>>     Data Protection Officer
>>>
>>>     Ellerhold Aktiengesellschaft
>>>     Friedrich-List-Str. 4
>>>     01445 Radebeul
>>>
>>>     Phone: +49 (0) 351 83933-61
>>>     Web: www.ellerhold.de
>>>     Facebook: www.facebook.com/ellerhold.gruppe
>>>     Instagram: www.instagram.com/ellerhold.gruppe
>>>     Twitter: https://twitter.com/EllerholdGruppe
>>>
>>>     Amtsgericht Dresden / HRB 23769
>>>     Board of Management: Stephan Ellerhold, Maximilian Ellerhold
>>>     Chairman of the Supervisory Board: Frank Ellerhold
>>>
>>>
>>>
>>>     ---This e-mail and its attachments are privileged and confidential.
>>>     If you are not the intended recipient, please notify us and
>>>     immediately delete this e-mail and its attachments.
>>>
>>>     You can find our privacy policy here:
>>>     http://www.ellerhold.de/datenschutz/
>>>
>>>
>>>     --
>>>     To unsubscribe from this list go to the following URL and read the
>>>     instructions: https://lists.samba.org/mailman/options/samba
>
>
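The per-WLAN group check Matthias is looking for in his reply above, written as an added example that is not part of the thread and not Alexander's configuration. It assumes FreeRADIUS 3.0 with the ldap module set up as in the quoted notes (so `Ldap-Group` works), `copy_request_to_tunnel = yes` in the peap section (so the outer `Called-Station-Id` is visible inside the tunnel), access points that send `Called-Station-Id` as "AP-MAC:SSID", and the stock `rewrite_called_station_id` policy from `policy.d/canonicalization`; the SSID names "production" and "management" are placeholders, the group names come from Matthias's mail.

```unlang
# /etc/freeradius/3.0/sites-enabled/inner-tunnel  (post-auth section)
# Added example, not from the thread. Assumptions: ldap module as in the
# quoted notes, copy_request_to_tunnel = yes, APs send "AP-MAC:SSID" in
# Called-Station-Id, SSID names below are placeholders.
post-auth {
    # Stock policy (policy.d/canonicalization): normalises the AP MAC and
    # puts the SSID suffix of Called-Station-Id into Called-Station-SSID.
    rewrite_called_station_id

    # Map each SSID to the single AD group that may use it. The group is
    # stored in the control list so it cannot be influenced by the client.
    switch &Called-Station-SSID {
        case "production" {
            update control {
                &Tmp-String-0 := "wlan_production"
            }
        }
        case "management" {
            update control {
                &Tmp-String-0 := "wlan_management"
            }
        }
        # Unknown or missing SSID: nobody is authorised on it.
        case {
            reject
        }
    }

    # Ldap-Group runs the ldap module's membership_filter (the nested
    # LDAP_MATCHING_RULE_IN_CHAIN lookup from the notes) for the chosen
    # group; a successful MS-CHAPv2 login is still rejected without it.
    if (!(&Ldap-Group == "%{control:Tmp-String-0}")) {
        reject
    }
}
```

Test it with `radiusd -X` and one user per group: the debug output shows `Called-Station-SSID` after `rewrite_called_station_id` and the `ldap` group lookup before the final Access-Accept or Access-Reject.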
