[Samba] Fwd: ntlm_auth and freeradius

Alexander Harm || ApfelQ alexander.harm at apfelq.com
Wed Apr 12 11:54:18 UTC 2023


I believe you need to utilize “called-station-id” in freeradius which should give you the ssid.

You could probably do something like

if (&Called-Station-Id && (&Called-Station-Id =~ /^[-0-9a-f]+:(.+)$/i)) {
    if ("%{1}") {
        update request {
            &Called-Station-SSID := "%{1}"
        }
    }
}

and then check if Called-Station-SSID and LDAP group membership align.

Code is untested.

Alexander
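For the per-WLAN group check Matthias asks about, the same idea written out as a complete policy, added here as an illustration and not Alexander's tested configuration: it sits in the `post-auth` section of `inner-tunnel` from the notes quoted below, relies on `copy_request_to_tunnel = yes` in the eap module (also in the notes) so that `Called-Station-Id` is visible inside the PEAP tunnel, and on the ldap module having run in `authorize` so that `Ldap-Group` can be evaluated. The group names `wlan_production` and `wlan_management` are the ones from Matthias's message; the SSID names `production` and `management` are placeholders to be replaced with the real SSIDs.

```unlang
# /etc/freeradius/3.0/sites-enabled/inner-tunnel
# Added example (not from the thread's notes): one required LDAP group per SSID.
post-auth {
    # Most APs send Called-Station-Id as "AA-BB-CC-DD-EE-FF:SSID";
    # the capture group after the colon is the SSID.
    if (&Called-Station-Id && (&Called-Station-Id =~ /^[-0-9a-f]+:(.+)$/i)) {
        update request {
            &Called-Station-SSID := "%{1}"
        }
    }

    # Map each SSID (placeholder names) to the group it requires.
    # A missing or unknown SSID reaches the default case and is rejected,
    # so a new WLAN cannot be used until it is explicitly listed here.
    switch &Called-Station-SSID {
        case "production" {
            if (!(Ldap-Group == "wlan_production")) {
                reject
            }
        }
        case "management" {
            if (!(Ldap-Group == "wlan_management")) {
                reject
            }
        }
        case {
            reject
        }
    }
}
```

Run the server in debug mode (`freeradius -X`) while a client authenticates and check that `Called-Station-SSID` is set inside the inner-tunnel request; if it never appears, the `copy_request_to_tunnel` setting is the first thing to verify. The default `reject` is a deliberate fail-closed choice: a client on an SSID that is not mapped is refused rather than admitted with no group check.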

> On Wednesday, Apr 12, 2023 at 1:31 PM, Kees van Vloten via samba <samba at lists.samba.org (mailto:samba at lists.samba.org)> wrote:
>
> On 12-04-2023 13:27, Matthias Kühne | Ellerhold Aktiengesellschaft via
> samba wrote:
> > Hi Alexander,
> >
> > I'm terribly sorry. We didn't have the "ntlm auth" parameter configured
> > on the DCs at all. I added it and it just works.
>
> It is better to set it to:
>
> ntlm auth = mschapv2-and-ntlmv2-only
> >
> > Thanks for your help.
> >
> > Now I just need to figure out how I can make WLAN-specific LDAP-Group
> > authentication.
> >
> > e.g. production WLAN needs LDAP group "wlan_production" and management
> > WLAN needs the "wlan_management" group.
> >
> > I guess post_auth may be the correct place for that.
> >
> > You've helped tremendously, thanks again!
> >
> > On 12.04.23 at 13:20, Alexander Harm || ApfelQ wrote:
> > > Hi Matthias,
> > >
> > > we’re using Debian Bullseye with the backports repo. So version is a
> > > mixture of
> > >
> > > - Samba version 4.17.3-Debian
> > > - Samba version 4.17.7-Debian
> > >
> > > We’ve installed it directly on the DCs as well.
> > >
> > > In my opinion using "ntlm auth = yes" should be fine.
> > >
> > > Did you try using a simple RADIUS secret? In my experience long
> > > secrets or ones containing special characters don’t work very well. I
> > > would use alphanumerical only and no longer than 16 chars.
> > >
> > > We successfully use it to authenticate UniFi clients and IKEv2
> > > roadwarriors (using OPNsense).
> > >
> > > I believe you set
> > >
> > > lanman auth = yes
> > >
> > > as well, right?
> > >
> > > Does Samba give you anything in the logs? That way you might be able
> > > to narrow it down…
> > >
> > > Alexander
> > >
> > > On Wednesday, Apr 12, 2023 at 12:21 PM, Matthias Kühne | Ellerhold
> > > Aktiengesellschaft via samba <samba at lists.samba.org> wrote:
> > > Hello Alexander,
> > >
> > > thanks Alexander for these configuration snippets.
> > >
> > > Which version of Samba are you using? Is this on Debian Bullseye? Is the
> > > FreeRADIUS server installed on a DC or on a Domain Member? (I just
> > > tested the latter).
> > >
> > > Is "ntlm auth = yes" OK for the DCs and the domain member or does it
> > > have to be "mschapv2-and-ntlmv2-only" for all servers (DCs + Member)?
> > > It looks like "yes" is broader and it should work? Sadly we need "yes"
> > > for other applications...
> > >
> > > I'm sad to say that I can't get it to work. Neither "radtest" nor my
> > > Ubiquiti APs...
> > >
> > > I always get
> > >
> > > (3) mschap: ERROR: When trying to update a password, this return status indicates that the value provided as the current password is not correct. [0xC000006A]
> > > (3) mschap: ERROR: MS-CHAP2-Response is incorrect
> > >
> > > Similar error while using "ntlm_auth" instead of the direct winbind
> > > connections.
> > >
> > > Using ntlm_auth with --username and --password works. Using ntlm_auth
> > > with --challenge results in the same error message above.
> > >
> > > Any help would be much appreciated, otherwise we're going to switch to
> > > SQL or file based auth (with cleartext password *shudder*).
> > >
> > > Thanks and have a nice day, Matthias.
> > >
> > > On 06.04.23 at 09:56, Alexander Harm || ApfelQ via samba wrote:
> > > > I can share my notes, we authenticate UniFi clients via
> > > > Freeradius against Samba AD. We also check group membership which
> > > > you might or might not need:
> > > >
> > > > ## 4 FreeRADIUS
> > > >
> > > > ### 4.1 Basics
> > > >
> > > > ```bash
> > > > apt install freeradius freeradius-ldap freeradius-utils
> > > >
> > > > # create new DH-params
> > > > openssl dhparam -out /etc/freeradius/3.0/certs/dh 2048
> > > > ```
> > > >
> > > > ### 4.2 Configure Authentication
> > > >
> > > > - modify mschap to use winbind, uncomment the following lines
> > > >
> > > > ```
> > > > # /etc/freeradius/3.0/mods-available/mschap
> > > > require_encryption = yes
> > > > require_strong = yes
> > > > winbind_username = "%{mschap:User-Name}"
> > > > winbind_domain = "%{%{mschap:NT-Domain}:-NTDOMAINNAME}"
> > > > winbind_retry_with_normalised_username = yes
> > > > ```
> > > >
> > > > - add to global section in samba conf
> > > >
> > > > ```
> > > > # /etc/samba/smb.conf
> > > > ntlm auth = mschapv2-and-ntlmv2-only
> > > > ```
> > > >
> > > > - fix perms and restart
> > > >
> > > > ```bash
> > > > usermod -a -G winbindd_priv freerad
> > > > service freeradius restart
> > > > service samba-ad-dc restart
> > > > ```
> > > >
> > > > ### 4.3 Configure LDAP (group information)
> > > >
> > > > - enable ldap
> > > >
> > > > ```bash
> > > > cd /etc/freeradius/3.0/mods-enabled
> > > > ln -s ../mods-available/ldap ldap
> > > > chown -h freerad:freerad ldap
> > > > ```
> > > >
> > > > - modify module ldap to retrieve group information
> > > >
> > > > ```
> > > > # /etc/freeradius/3.0/mods-available/ldap
> > > > server = '10.0.1.250'
> > > > server = '10.0.1.251'
> > > > identity = 'cn=dc01,cn=users,dc=ds,dc=example,dc=com'
> > > > password = ***
> > > > base_dn = 'cn=users,dc=ds,dc=example,dc=com'
> > > > user: filter = "(|(samaccountname=%{%{Stripped-User-Name}:-%{User-Name}})(userprincipalname=%{User-Name}))"
> > > > group: filter = "(objectClass=group)"
> > > > group: membership_filter = "(member:1.2.840.113556.1.4.1941:=%{control:Ldap-UserDn})"
> > > > start_tls = yes
> > > > ca_file = /etc/ssl/certs/ca-certificates.crt
> > > > ```
> > > >
> > > > ### 4.4 Configure EAP
> > > >
> > > > - add root.ca and services.ca to certificate store
> > > >
> > > > ```bash
> > > > cp /home/dcadmin/root.ca.crt /usr/local/share/ca-certificates/
> > > > cp /home/dcadmin/service.ca.crt /usr/local/share/ca-certificates/
> > > > update-ca-certificates
> > > > ```
> > > >
> > > > - add radius cert and key
> > > >
> > > > ```bash
> > > > cp /home/dcadmin/service.radius.key /etc/freeradius/3.0/certs/service.radius.key
> > > > cp /home/dcadmin/service.radius.crt /etc/freeradius/3.0/certs/service.radius.crt
> > > >
> > > > chmod 640 /etc/freeradius/3.0/certs/service.radius.*
> > > > chown freerad:freerad /etc/freeradius/3.0/certs/service.radius.*
> > > > ```
> > > >
> > > > - configure eap module to use peap per default
> > > >
> > > > ```
> > > > # /etc/freeradius/3.0/mods-available/eap
> > > > default_eap_type = peap
> > > >
> > > > #private_key_password = whatever
> > > > private_key_file = ${certdir}/service.radius.key
> > > > certificate_file = ${certdir}/service.radius.crt
> > > >
> > > > tls_min_version = "1.2"
> > > >
> > > > cache: enable = yes
> > > > cache: name = "<somename>.radius"
> > > > cache: persist_dir = "${logdir}/tlscache"
> > > >
> > > > peap: copy_request_to_tunnel = yes
> > > > ```
> > > >
> > > > ### 4.5 Configure Clients
> > > >
> > > > - add client for UniFi
> > > >
> > > > ```
> > > > # /etc/freeradius/3.0/clients.conf
> > > > client unifi {
> > > > ipaddr = 10.0.1.0/24
> > > > secret = ***
> > > > }
> > > > ```
> > > >
> > > > ### 4.6 Configure Authorization
> > > >
> > > > - devices/user via EAP
> > > >
> > > > ```
> > > > # /etc/freeradius/3.0/sites-enabled/inner-tunnel
> > > > post-auth {
> > > >     if (!(Ldap-Group == "SOMEGROUP")) {
> > > >         reject
> > > >     }
> > > > }
> > > > ```
> > > >
> > > > ### 4.7 Finish
> > > >
> > > > ```bash
> > > > service freeradius restart
> > > > ```
> > > >
> > > > > On Thursday, Apr 06, 2023 at 9:46 AM, Matthias Kühne | Ellerhold
> > > > > Aktiengesellschaft via samba <samba at lists.samba.org
> > > > > (mailto:samba at lists.samba.org)> wrote:
> > > > > Hello Tim, Hello samba-people,
> > > > >
> > > > > is there an up-to-date guide for authenticating via freeradius
> > > > > somewhere?
> > > > >
> > > > > I have some Ubiquiti APs plus a Cloud Key and I want to authenticate
> > > > > WLAN clients via WPA2-Enterprise instead of a (shared) PSK.
> > > > >
> > > > > It seems like
> > > > > https://wiki.samba.org/index.php/Authenticating_Freeradius_against_Active_Directory
> > > > > is missing some steps (basic setup of freeradius).
> > > > >
> > > > > Can you write up some of your findings please?
> > > > >
> > > > > Thanks and happy holidays,
> > > > > Matthias.
> > > > >
> > > > > On 04.04.23 at 10:38, Tim ODriscoll via samba wrote:
> > > > > > Dear All,
> > > > > >
> > > > > > Well, this is very embarrassing....
> > > > > >
> > > > > > It seems that running 'smbcontrol all reload-config' isn't
> > > > > > sufficient for reloading the ntlm config parameters.
> > > > > >
> > > > > > I tried restarting the whole samba service on the DC my FR box
> > > > > > was authenticating against (systemctl restart sernet-samba-ad)
> > > > > > and my test laptop is now connected to the network on the
> > > > > > correct VLAN.
> > > > > >
> > > > > > I apologise for wasting everyone's time - now I'll get back to
> > > > > > cleaning up all the config files and making sure BYOD still
> > > > > > works etc.
> > > > > >
> > > > > > Thank you,
> > > > > >
> > > > > > Tim
> > > > > --
> > > > > Senior Web Developer
> > > > > Data Protection Officer
> > > > >
> > > > > Ellerhold Aktiengesellschaft
> > > > > Friedrich-List-Str. 4
> > > > > 01445 Radebeul
> > > > >
> > > > > Phone: +49 (0) 351 83933-61
> > > > > Web: www.ellerhold.de
> > > > > Facebook: www.facebook.com/ellerhold.gruppe
> > > > > Instagram: www.instagram.com/ellerhold.gruppe
> > > > > Twitter: https://twitter.com/EllerholdGruppe
> > > > >
> > > > > Amtsgericht Dresden / HRB 23769
> > > > > Management Board: Stephan Ellerhold, Maximilian Ellerhold
> > > > > Chairman of the Supervisory Board: Frank Ellerhold
> > > > >
> > > > > This e-mail and its attachments are privileged and confidential.
> > > > > If you are not the intended recipient, please notify us and
> > > > > immediately delete this e-mail and its attachments.
> > > > >
> > > > > You can find our privacy policy here:
> > > > > http://www.ellerhold.de/datenschutz/
> > > > >
> > > > > --
> > > > > To unsubscribe from this list go to the following URL and read the
> > > > > instructions: https://lists.samba.org/mailman/options/samba
>

