[Samba] Fwd: ntlm_auth and freeradius
Kees van Vloten
keesvanvloten at gmail.com
Wed Apr 12 11:30:51 UTC 2023
On 12-04-2023 13:27, Matthias Kühne | Ellerhold Aktiengesellschaft via
samba wrote:
> Hi Alexander,
>
> I'm terribly sorry. We didn't have the "ntlm auth" parameter configured
> on the DCs at all. I added it and it just works.
It is better to set it to:
ntlm auth = mschapv2-and-ntlmv2-only
>
> Thanks for your help.
>
> Now I just need to figure out how I can make WLAN-specific LDAP-Group
> authentication.
>
> e. g. production WLAN needs LDAP group "wlan_production" and management
> WLAN needs the "wlan_management" group.
>
> I guess post_auth may be the correct place for that.
>
> You've helped tremendously, thanks again!
>
> On 12.04.23 at 13:20, Alexander Harm || ApfelQ wrote:
>> Hi Matthias,
>>
>> we’re using Debian Bullseye with the backports repo. So version is a
>> mixture of
>>
>> - Samba version 4.17.3-Debian
>> - Samba version 4.17.7-Debian
>>
>> We’ve installed it directly on the DC’s as well.
>>
>> In my opinion using "ntlm auth = yes" should be fine.
>>
>> Did you try using a simple RADIUS secret? In my experience long
>> secrets or ones containing special characters don’t work very well. I
>> would use alphanumerical only and no longer than 16 chars.
>>
>> We successfully use it to authenticate UniFi clients and IKEv2
>> roadwarriors (using OPNsense).
>>
>> I believe you set
>>
>> lanman auth = yes
>>
>> as well, right?
>>
>> Does Samba give you anything in the logs? That way you might be able
>> to narrow it down…
>>
>> Alexander
>>
>> On Wednesday, Apr 12, 2023 at 12:21 PM, Matthias Kühne | Ellerhold
>> Aktiengesellschaft via samba <samba at lists.samba.org> wrote:
>> Hello Alexander,
>>
>> thanks Alexander for these configuration snippets.
>>
>> Which version of Samba are you using? Is this on debian bullseye?
>> Is the
>> FreeRADIUS server installed on a DC or on a Domain Member? (I just
>> tested the latter).
>>
>> is "ntlm auth = yes" OK for the DCs and the domain member or does it
>> have to be "mschapv2-and-ntlmv2-only" for all servers (DCs +
>> Member)? It
>> looks like "yes" is broader and it should work? Sadly we need
>> "yes" for
>> other applications...
>>
>> I'm sad to say that I can't get it to work. Neither "radtest" nor my
>> Ubiquiti APs...
>>
>> I always get
>>
>> (3) mschap: ERROR: When trying to update a password, this return
>> status
>> indicates that the value provided as the current password is not
>> correct. [0xC000006A]
>> (3) mschap: ERROR: MS-CHAP2-Response is incorrect
>>
>> Similar error while using "ntlm_auth" instead of the direct winbind
>> connections.
>>
>> Using ntlm_auth with --username and --password works. Using ntlm_auth
>> with --challenge results in the same error message above.
>>
>> Any help would be much appreciated, otherwise we're going to
>> switch to
>> SQL or file based auth (with cleartext password *shudder*).
>>
>> Thanks and have a nice day, Matthias.
>>
>> On 06.04.23 at 09:56, Alexander Harm || ApfelQ via samba wrote:
>>> I can share my notes, we authenticate UniFi clients via
>>> Freeradius against Samba AD. We also check group membership which
>>> you might or might not need:
>>>
>>> ## 4 FreeRADIUS
>>>
>>> ### 4.1 Basics
>>>
>>> ```bash
>>> apt install freeradius freeradius-ldap freeradius-utils
>>>
>>> # create new DH-params
>>> openssl dhparam -out /etc/freeradius/3.0/certs/dh 2048
>>> ```
>>>
>>> ### 4.2 Configure Authentication
>>>
>>> - modify mschap to use winbind, uncomment the following lines
>>>
>>> ```
>>> # /etc/freeradius/3.0/mods-available/mschap
>>> require_encryption = yes
>>> require_strong = yes
>>> winbind_username = "%{mschap:User-Name}"
>>> winbind_domain = "%{%{mschap:NT-Domain}:-NTDOMAINNAME}"
>>> winbind_retry_with_normalised_username = yes
>>> ```
>>>
>>> - add to global section in samba conf
>>>
>>> ```
>>> # /etc/samba/smb.conf
>>> ntlm auth = mschapv2-and-ntlmv2-only
>>> ```
>>>
>>> - fix perms and restart
>>>
>>> ```bash
>>> usermod -a -G winbindd_priv freerad
>>> service freeradius restart
>>> service samba-ad-dc restart
>>> ```
>>>
>>> ### 4.3 Configure LDAP (group information)
>>>
>>> - enable ldap
>>>
>>> ```bash
>>> cd /etc/freeradius/3.0/mods-enabled
>>> ln -s ../mods-available/ldap ldap
>>> chown -h freerad:freerad ldap
>>> ```
>>>
>>> - modify module ldap to retrieve group information
>>>
>>> ```
>>> # /etc/freeradius/3.0/mods-available/ldap
>>> server = '10.0.1.250'
>>> server = '10.0.1.251'
>>> identity = 'cn=dc01,cn=users,dc=ds,dc=example,dc=com'
>>> password = ***
>>> base_dn = 'cn=users,dc=ds,dc=example,dc=com'
>>> user: filter = "(|(samaccountname=%{%{Stripped-User-Name}:-%{User-Name}})(userprincipalname=%{User-Name}))"
>>> group: filter = "(objectClass=group)"
>>> group: membership_filter = "(member:1.2.840.113556.1.4.1941:=%{control:Ldap-UserDn})"
>>> start_tls = yes
>>> ca_file = /etc/ssl/certs/ca-certificates.crt
>>> ```
>>>
>>> ### 4.4 Configure EAP
>>>
>>> - add root.ca and services.ca to certificate store
>>>
>>> ```bash
>>> cp /home/dcadmin/root.ca.crt /usr/local/share/ca-certificates/
>>> cp /home/dcadmin/service.ca.crt /usr/local/share/ca-certificates/
>>> update-ca-certificates
>>> ```
>>>
>>> - add radius cert and key
>>>
>>> ```bash
>>> cp /home/dcadmin/service.radius.key /etc/freeradius/3.0/certs/service.radius.key
>>> cp /home/dcadmin/service.radius.crt /etc/freeradius/3.0/certs/service.radius.crt
>>>
>>> chmod 640 /etc/freeradius/3.0/certs/service.radius.*
>>> chown freerad:freerad /etc/freeradius/3.0/certs/service.radius.*
>>> ```
>>>
>>> - configure eap module to use peap per default
>>>
>>> ```
>>> # /etc/freeradius/3.0/mods-available/eap
>>> default_eap_type = peap
>>>
>>> #private_key_password = whatever
>>> private_key_file = ${certdir}/service.radius.key
>>> certificate_file = ${certdir}/service.radius.crt
>>>
>>> tls_min_version = "1.2"
>>>
>>> cache: enable = yes
>>> cache: name = "<somename>.radius"
>>> cache: persist_dir = "${logdir}/tlscache"
>>>
>>> peap: copy_request_to_tunnel = yes
>>> ```
>>>
>>> ### 4.5 Configure Clients
>>>
>>> - add client for UniFi
>>>
>>> ```
>>> # /etc/freeradius/3.0/clients.conf
>>> client unifi {
>>> ipaddr = 10.0.1.0/24
>>> secret = ***
>>> }
>>> ```
>>>
>>> ### 4.6 Configure Authorization
>>>
>>> - devices/user via EAP
>>>
>>> ```
>>> # /etc/freeradius/3.0/sites-enabled/inner-tunnel
>>> post-auth {
>>>     if (!(Ldap-Group == "SOMEGROUP")) {
>>>         reject
>>>     }
>>> }
>>> ```
>>>
>>> ### 4.7 Finish
>>>
>>> ```bash
>>> service freeradius restart
>>> ```
>>>
>>>> On Thursday, Apr 06, 2023 at 9:46 AM, Matthias Kühne | Ellerhold
>>>> Aktiengesellschaft via samba <samba at lists.samba.org> wrote:
>>>> Hello Tim, Hello samba-people,
>>>>
>>>> is there an up-to-date guide for authenticating via freeradius
>>>> somewhere?
>>>>
>>>> I have some Ubiquiti APs plus a Cloud Key and I want to authenticate
>>>> WLAN clients via WPA2-Enterprise instead of a (shared) PSK.
>>>>
>>>> It seems like
>>>> https://wiki.samba.org/index.php/Authenticating_Freeradius_against_Active_Directory
>>>> is missing some steps (basic setup of freeradius).
>>>>
>>>> Can you write up some of your findings please?
>>>>
>>>> Thanks and happy holidays,
>>>> Matthias.
>>>>
>>>> On 04.04.23 at 10:38, Tim ODriscoll via samba wrote:
>>>>> Dear All,
>>>>>
>>>>> Well, this is very embarrassing....
>>>>>
>>>>> It seems that running 'smbcontrol all reload-config' isn't
>>>>> sufficient for reloading the ntlm config parameters.
>>>>>
>>>>> I tried restarting the whole samba service on the DC my FR box
>>>>> was authenticating against (systemctl restart sernet-samba-ad)
>>>>> and my test laptop is now connected to the network on the
>>>>> correct VLAN.
>>>>>
>>>>> I apologise for wasting everyone's time - now I'll get back to
>>>>> cleaning up all the config files and making sure BYOD still
>>>>> works etc.
>>>>>
>>>>> Thank you,
>>>>>
>>>>> Tim
>>>> --
>>>> Senior Webentwickler
>>>> Datenschutzbeauftragter
>>>>
>>>> Ellerhold Aktiengesellschaft
>>>> Friedrich-List-Str. 4
>>>> 01445 Radebeul
>>>>
>>>> Telefon: +49 (0) 351 83933-61
>>>> Web: www.ellerhold.de
>>>> Facebook: www.facebook.com/ellerhold.gruppe
>>>> Instagram: www.instagram.com/ellerhold.gruppe
>>>> Twitter: https://twitter.com/EllerholdGruppe
>>>>
>>>> Amtsgericht Dresden / HRB 23769
>>>> Vorstand: Stephan Ellerhold, Maximilian Ellerhold
>>>> Vorsitzender des Aufsichtsrates: Frank Ellerhold
>>>>
>>>>
>>>>
>>>> ---This e-mail and its attachments are privileged and confidential.
>>>> If you are not the intended recipient, please notify us and
>>>> immediately delete this e-mail and its attachments.
>>>>
>>>> You can find our privacy policy here:
>>>> http://www.ellerhold.de/datenschutz/
>>>>
>>>>
>>>> --
>>>> To unsubscribe from this list go to the following URL and read the
>>>> instructions: https://lists.samba.org/mailman/options/samba
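As an added example that is not part of this thread, here is one way to write the per-SSID group check Matthias asks about, as a post-auth policy for the inner-tunnel site from Alexander's notes. It assumes the APs put the SSID after the colon in Called-Station-Id (UniFi does), that `peap: copy_request_to_tunnel = yes` is set so the inner tunnel sees that attribute, and that the SSID names "production" and "management" are placeholders for the real ones; the group names wlan_production and wlan_management are the ones from the thread.

```unlang
# /etc/freeradius/3.0/sites-enabled/inner-tunnel  (added example, not from the thread)
post-auth {
    # UniFi APs send Called-Station-Id as "<AP-MAC>:<SSID>". Copy the SSID
    # part into a scratch attribute; reject if no SSID is present at all,
    # so a request without one cannot slip through the group check below.
    if (&Called-Station-Id =~ /:([^:]+)$/) {
        update request {
            &Tmp-String-0 := "%{1}"
        }
    }
    else {
        reject
    }

    # One AD group per SSID (SSID names are placeholders). Ldap-Group is
    # evaluated by the ldap module configured in mods-available/ldap.
    if (&Tmp-String-0 == "production") {
        if (!(Ldap-Group == "wlan_production")) {
            reject
        }
    }
    elsif (&Tmp-String-0 == "management") {
        if (!(Ldap-Group == "wlan_management")) {
            reject
        }
    }
    else {
        # Unknown SSID: fail closed instead of falling through to Access-Accept.
        reject
    }
}
```

Run `freeradius -X` and watch the "Tmp-String-0" and "Ldap-Group" lines in the inner-tunnel debug output to confirm the SSID was parsed and the right group was matched.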