[Samba] Fwd: ntlm_auth and freeradius

Alexander Harm || ApfelQ alexander.harm at apfelq.com
Wed Apr 12 11:31:32 UTC 2023


Hi,

in my notes I do exactly that, no? The only thing you have to add is the distinction between the two WLANs and yes, it is done in post-auth.

Alexander
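As an added example that is not from any message in this thread, one way to express that per-WLAN distinction in FreeRADIUS 3.x unlang in the inner-tunnel post-auth section. It assumes the wireless controller sends the SSID after the colon in Called-Station-Id, that the notes' `peap: copy_request_to_tunnel = yes` is set so the attribute reaches the inner tunnel, and that the SSIDs are named "production" and "management" (both assumed names):

```unlang
# /etc/freeradius/3.0/sites-enabled/inner-tunnel (constructed example)
post-auth {
    # Wireless controllers commonly send Called-Station-Id as
    # "AA-BB-CC-DD-EE-FF:SSID"; the SSID suffix is what we key on.
    # It is only visible here when the eap module has
    # peap: copy_request_to_tunnel = yes (as in the notes above).
    if (&Called-Station-Id =~ /:([^:]+)$/) {
        update request {
            &Tmp-String-0 := "%{1}"
        }
    }
    else {
        # No SSID to decide on: fail closed.
        reject
    }

    switch "%{Tmp-String-0}" {
        case "production" {
            # Assumed SSID name: only members of wlan_production may join.
            if (!(&Ldap-Group == "wlan_production")) {
                reject
            }
        }
        case "management" {
            # Assumed SSID name: only members of wlan_management may join.
            if (!(&Ldap-Group == "wlan_management")) {
                reject
            }
        }
        case {
            # Default branch: an SSID without a group mapping gets no access.
            reject
        }
    }
}
```

Each `Ldap-Group == "..."` comparison is resolved by the ldap module through the group membership_filter from the notes, so the group names must match the sAMAccountName of the AD groups exactly.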

> On Wednesday, Apr 12, 2023 at 1:27 PM, Matthias Kühne | Ellerhold Aktiengesellschaft via samba <samba at lists.samba.org (mailto:samba at lists.samba.org)> wrote:
> Hi Alexander,
>
> I'm terribly sorry. We didn't have the "ntlm auth" parameter configured
> on the DCs at all. I added it and it just works.
>
> Thanks for your help.
>
> Now I just need to figure out how I can make WLAN-specific LDAP-Group
> authentication.
>
> e.g. production WLAN needs LDAP group "wlan_production" and management
> WLAN needs the "wlan_management" group.
>
> I guess post_auth may be the correct place for that.
>
> You've helped tremendously, thanks again!
>
> On 12.04.23 at 13:20, Alexander Harm || ApfelQ wrote:
> > Hi Matthias,
> >
> > we’re using Debian Bullseye with the backports repo. So version is a
> > mixture of
> >
> > - Samba version 4.17.3-Debian
> > - Samba version 4.17.7-Debian
> >
> > We’ve installed it directly on the DC’s as well.
> >
> > In my opinion using "ntlm auth = yes" should be fine.
> >
> > Did you try using a simple RADIUS secret? In my experience long
> > secrets or ones containing special characters don’t work very well. I
> > would use alphanumerical only and no longer than 16 chars.
> >
> > We successfully use it to authenticate UniFi clients and IKEv2
> > roadwarriors (using OPNsense).
> >
> > I believe you set
> >
> > lanman auth = yes
> >
> > as well, right?
> >
> > Does Samba give you anything in the logs? That way you might be able
> > to narrow it down…
> >
> > Alexander
> >
> > On Wednesday, Apr 12, 2023 at 12:21 PM, Matthias Kühne | Ellerhold Aktiengesellschaft via samba <samba at lists.samba.org> wrote:
> > Hello Alexander,
> >
> > thanks Alexander for these configuration snippets.
> >
> > Which version of Samba are you using? Is this on Debian Bullseye? Is the
> > FreeRADIUS server installed on a DC or on a Domain Member? (I just
> > tested the latter).
> >
> > Is "ntlm auth = yes" OK for the DCs and the domain member or does it
> > have to be "mschapv2-and-ntlmv2-only" for all servers (DCs + Member)? It
> > looks like "yes" is broader and it should work? Sadly we need "yes" for
> > other applications...
> >
> > I'm sad to say that I can't get it to work. Neither "radtest" nor my
> > Ubiquiti APs...
> >
> > I always get
> >
> > (3) mschap: ERROR: When trying to update a password, this return status
> > indicates that the value provided as the current password is not
> > correct. [0xC000006A]
> > (3) mschap: ERROR: MS-CHAP2-Response is incorrect
> >
> > Similar error while using "ntlm_auth" instead of the direct winbind
> > connections.
> >
> > Using ntlm_auth with --username and --password works. Using ntlm_auth
> > with --challenge results in the same error message above.
> >
> > Any help would be much appreciated, otherwise we're going to switch to
> > SQL or file based auth (with cleartext password *shudder*).
> >
> > Thanks and have a nice day, Matthias.
> >
> > On 06.04.23 at 09:56, Alexander Harm || ApfelQ via samba wrote:
> > > I can share my notes, we authenticate UniFi clients via
> > > Freeradius against Samba AD. We also check group membership which
> > > you might or might not need:
> > >
> > > ## 4 FreeRADIUS
> > >
> > > ### 4.1 Basics
> > >
> > > ```bash
> > > apt install freeradius freeradius-ldap freeradius-utils
> > >
> > > # create new DH-params
> > > openssl dhparam -out /etc/freeradius/3.0/certs/dh 2048
> > > ```
> > >
> > > ### 4.2 Configure Authentication
> > >
> > > - modify mschap to use winbind, uncomment the following lines
> > >
> > > ```
> > > # /etc/freeradius/3.0/mods-available/mschap
> > > require_encryption = yes
> > > require_strong = yes
> > > winbind_username = "%{mschap:User-Name}"
> > > winbind_domain = "%{%{mschap:NT-Domain}:-NTDOMAINNAME}"
> > > winbind_retry_with_normalised_username = yes
> > > ```
> > >
> > > - add to global section in samba conf
> > >
> > > ```
> > > # /etc/samba/smb.conf
> > > ntlm auth = mschapv2-and-ntlmv2-only
> > > ```
> > >
> > > - fix perms and restart
> > >
> > > ```bash
> > > usermod -a -G winbindd_priv freerad
> > > service freeradius restart
> > > service samba-ad-dc restart
> > > ```
> > >
> > > ### 4.3 Configure LDAP (group information)
> > >
> > > - enable ldap
> > >
> > > ```bash
> > > cd /etc/freeradius/3.0/mods-enabled
> > > ln -s ../mods-available/ldap ldap
> > > chown -h freerad:freerad ldap
> > > ```
> > >
> > > - modify module ldap to retrieve group information
> > >
> > > ```
> > > # /etc/freeradius/3.0/mods-available/ldap
> > > # "user:" and "group:" below mean the setting lives inside the
> > > # user { } and group { } subsections of the module.
> > > server = '10.0.1.250'
> > > server = '10.0.1.251'
> > > identity = 'cn=dc01,cn=users,dc=ds,dc=example,dc=com'
> > > password = ***
> > > base_dn = 'cn=users,dc=ds,dc=example,dc=com'
> > > user: filter = "(|(samaccountname=%{%{Stripped-User-Name}:-%{User-Name}})(userprincipalname=%{User-Name}))"
> > > group: filter = "(objectClass=group)"
> > > # LDAP_MATCHING_RULE_IN_CHAIN: resolves nested group membership in AD
> > > group: membership_filter = "(member:1.2.840.113556.1.4.1941:=%{control:Ldap-UserDn})"
> > > start_tls = yes
> > > ca_file = /etc/ssl/certs/ca-certificates.crt
> > > ```
> > >
> > > ### 4.4 Configure EAP
> > >
> > > - add root.ca and services.ca to certificate store
> > >
> > > ```bash
> > > cp /home/dcadmin/root.ca.crt /usr/local/share/ca-certificates/
> > > cp /home/dcadmin/service.ca.crt /usr/local/share/ca-certificates/
> > > update-ca-certificates
> > > ```
> > >
> > > - add radius cert and key
> > >
> > > ```bash
> > > cp /home/dcadmin/service.radius.key /etc/freeradius/3.0/certs/service.radius.key
> > > cp /home/dcadmin/service.radius.crt /etc/freeradius/3.0/certs/service.radius.crt
> > >
> > > chmod 640 /etc/freeradius/3.0/certs/service.radius.*
> > > chown freerad:freerad /etc/freeradius/3.0/certs/service.radius.*
> > > ```
> > >
> > > - configure eap module to use peap per default
> > >
> > > ```
> > > # /etc/freeradius/3.0/mods-available/eap
> > > default_eap_type = peap
> > >
> > > #private_key_password = whatever
> > > private_key_file = ${certdir}/service.radius.key
> > > certificate_file = ${certdir}/service.radius.crt
> > >
> > > tls_min_version = "1.2"
> > >
> > > cache: enable = yes
> > > cache: name = "<somename>.radius"
> > > cache: persist_dir = "${logdir}/tlscache"
> > >
> > > peap: copy_request_to_tunnel = yes
> > > ```
> > >
> > > ### 4.5 Configure Clients
> > >
> > > - add client for UniFi
> > >
> > > ```
> > > # /etc/freeradius/3.0/clients.conf
> > > client unifi {
> > > ipaddr = 10.0.1.0/24
> > > secret = ***
> > > }
> > > ```
> > >
> > > ### 4.6 Configure Authorization
> > >
> > > - devices/user via EAP
> > >
> > > ```
> > > # /etc/freeradius/3.0/sites-enabled/inner-tunnel
> > > post-auth {
> > >     if (!(Ldap-Group == "SOMEGROUP")) {
> > >         reject
> > >     }
> > > }
> > > ```
> > >
> > > ### 4.7 Finish
> > >
> > > ```bash
> > > service freeradius restart
> > > ```
> > >
> > > > On Thursday, Apr 06, 2023 at 9:46 AM, Matthias Kühne | Ellerhold Aktiengesellschaft via samba <samba at lists.samba.org (mailto:samba at lists.samba.org)> wrote:
> > > > Hello Tim, Hello samba-people,
> > > >
> > > > is there an up-to-date guide for authenticating via freeradius
> > > > somewhere?
> > > >
> > > > I have some Ubiquiti APs plus a Cloud Key and I want to authenticate
> > > > WLAN clients via WPA2-Enterprise instead of a (shared) PSK.
> > > >
> > > > It seems like
> > > > https://wiki.samba.org/index.php/Authenticating_Freeradius_against_Active_Directory
> > > > is missing some steps (basic setup of freeradius).
> > > >
> > > > Can you write up some of your findings please?
> > > >
> > > > Thanks and happy holidays,
> > > > Matthias.
> > > >
> > > > On 04.04.23 at 10:38, Tim ODriscoll via samba wrote:
> > > > > Dear All,
> > > > >
> > > > > Well, this is very embarrassing....
> > > > >
> > > > > It seems that running 'smbcontrol all reload-config' isn't
> > > > > sufficient for reloading the ntlm config parameters.
> > > > >
> > > > > I tried restarting the whole samba service on the DC my FR box
> > > > > was authenticating against (systemctl restart sernet-samba-ad)
> > > > > and my test laptop is now connected to the network on the
> > > > > correct VLAN.
> > > > >
> > > > > I apologise for wasting everyone's time - now I'll get back to
> > > > > cleaning up all the config files and making sure BYOD still
> > > > > works etc.
> > > > >
> > > > > Thank you,
> > > > >
> > > > > Tim
> > > > --
> > > > Senior Web Developer
> > > > Data Protection Officer
> > > >
> > > > Ellerhold Aktiengesellschaft
> > > > Friedrich-List-Str. 4
> > > > 01445 Radebeul
> > > >
> > > > Phone: +49 (0) 351 83933-61
> > > > Web: www.ellerhold.de
> > > > Facebook: www.facebook.com/ellerhold.gruppe
> > > > Instagram: www.instagram.com/ellerhold.gruppe
> > > > Twitter: https://twitter.com/EllerholdGruppe
> > > >
> > > > Amtsgericht Dresden / HRB 23769
> > > > Board of Directors: Stephan Ellerhold, Maximilian Ellerhold
> > > > Chairman of the Supervisory Board: Frank Ellerhold
> > > >
> > > > This e-mail and its attachments are privileged and confidential.
> > > > If you are not the intended recipient, please notify us and
> > > > immediately delete this e-mail and its attachments.
> > > >
> > > > You can find our privacy policy here:
> > > > http://www.ellerhold.de/datenschutz/
> > > >
> > > > --
> > > > To unsubscribe from this list go to the following URL and read the
> > > > instructions: https://lists.samba.org/mailman/options/samba
> >
