FreeRadius integration with MS Active Directory

Rutger Beyen sylvester_rutger at hotmail.com
Thu Feb 14 22:14:08 CET 2008


Hello all,
 
I'm following the howto
http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO to
integrate FreeRadius with Microsoft's AD. However, I'm experiencing some
troubles.
My distro is Debian 4. I had to install some packages, like krb5-kdc,
krb5-user and krb5-config, to have the file /etc/krb5.conf (It wasn't there
in the first place).
When I try to do a net join, I get a message saying that there are errors in
my krb5.conf file. I removed the lines "dns_lookup_realm = false" and
"dns_lookup_kdc = false" and then it worked.
At least I think it did. I got the message: joined "PROJECT" to realm
"PROJECT.LOCAL".
 
When I then tried to test this using wbinfo, I got the error code
"NT_STATUS_NO_SUCH_USER" (which should be normal according to the howto) and
another one: "NT_STATUS_ACCESS_DENIED" Could not authenticate user myuser
with challenge/response. An attempt with ntlm_auth also fails, with
"NT_STATUS_NO_SUCH_USER".
 
Can somebody please help me with my problem? Am I overlooking something or
what am I doing wrong?
 
 
Thanks a million,
Rutger
 
 
 
Here are the 2 config files:
 
smb.conf

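[global]

## Browsing/Identification ###

# NetBIOS (short) name of the AD domain this host is joined to.
   workgroup = project
   server string = %h server
   dns proxy = no

#### Debugging/Accounting ####

   log file = /var/log/samba/log.%m
   max log size = 1000
   syslog = 0
   panic action = /usr/share/samba/panic-action %d

####### Authentication #######

# "security = ads" makes this host an Active Directory domain member:
# users are authenticated by the domain controllers (Kerberos/NTLM via
# winbind), so the Unix identities for domain users are expected to come
# from winbind rather than from local accounts. See
# /usr/share/doc/samba-doc/htmldocs/Samba3-HOWTO/ServerType.html
# in the samba-doc package for details.
   security = ads

# Encrypted password exchange is required for domain membership; never
# send plaintext passwords over SMB.
   encrypt passwords = true

# Local password database. With security = ads it only holds local
# (non-domain) accounts; domain users are never stored here.
   passdb backend = tdbsam

   obey pam restrictions = yes

;   guest account = nobody
# Refuse SMB logons as root outright.
   invalid users = root

   passwd program = /usr/bin/passwd %u
# The whole chat script must stay on one physical line (or use a
# trailing backslash to continue it); a bare line break ends the value
# and the remainder is read as an unknown parameter.
   passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n *password\supdated\ssuccessfully* .

# This boolean controls whether PAM will be used for password changes
# when requested by an SMB client instead of the program listed in
# 'passwd program'. The default is 'no'.
;   pam password change = no


############ Misc ############

# Most people will find that this option gives better performance.
# See smb.conf(5) and
# /usr/share/doc/samba-doc/htmldocs/Samba3-HOWTO/speed.html
# for details
# You may want to add the following on a Linux system:
#         SO_RCVBUF=8192 SO_SNDBUF=8192
   socket options = TCP_NODELAY

# Some defaults for winbind (make sure you're not using the ranges
# for something else.) The ranges are where winbind allocates local
# uids/gids for domain SIDs; they must not overlap local accounts.
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   template shell = /bin/bash
# With "no", winbind only recognises domain users written with the domain
# prefix (PROJECT\user, or PROJECT+user depending on "winbind separator").
# An unqualified name such as "myuser" passed to wbinfo -a or ntlm_auth is
# treated as a non-domain account and typically fails with
# NT_STATUS_NO_SUCH_USER. Set to "yes" to accept bare user names.
   winbind use default domain = no
   password server = project-ad.project.local
# Kerberos realm of the domain. Realm names are case-sensitive in
# Kerberos, so spell it exactly as in /etc/krb5.conf (upper case) rather
# than relying on Samba to upper-case it.
   realm = PROJECT.LOCAL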
 
 
#======================= Share Definitions =======================
 
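[homes]
   comment = Home Directories
   browseable = no

# By default, the home directories are exported read-only. Change next
# parameter to 'yes' if you want to be able to write to them.
   writable = yes

# File creation mask is set to 0700 for security reasons. If you want to
# create files with group=rw permissions, set next parameter to 0775.
   create mask = 0700

# Directory creation mask is set to 0700 for security reasons. If you want
# to create dirs. with group=rw permissions, set next parameter to 0775.
   directory mask = 0700

# Restrict access to home directories
# to the one of the authenticated user.
# %S expands to the name of the requested share, which for [homes] is the
# user name the client asked for.
# This might need tweaking when using external authentication schemes
# (e.g. domain-qualified user names from winbind).
   valid users = %S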
 
# Un-comment the following and create the netlogon directory for Domain Logons
# (you need to configure Samba to act as a domain controller too.)
;[netlogon]
;   comment = Network Logon Service
;   path = /home/samba/netlogon
;   guest ok = yes
;   writable = no
;   share modes = no
 
krb5.conf
 
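[logging]
# Log destination for the client library (anything not listed below).
# Directory is /var/log; "/war/log" does not exist and the entry would
# silently log nowhere.
default = FILE:/var/log/krb5libs.log
# Logs for a local KDC and kadmind; only relevant if those daemons run on
# this host, which they should not when AD is the KDC.
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log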
 
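[libdefaults]
# Realm assumed for principals given without one. Must match the "realm"
# in smb.conf and the [realms] entry below; realm names are case-sensitive.
 default_realm = PROJECT.LOCAL
# The KDC for PROJECT.LOCAL is listed explicitly in [realms] and the
# host-to-realm mapping in [domain_realm], so these DNS lookups are not
# required. If re-enabled, note the first key is spelled dns_lookup_realm
# (underscore, no space).
# dns_lookup_realm = false
# dns_lookup_kdc = false

# The following krb5.conf variables are only for MIT Kerberos.
 krb4_config = /etc/krb.conf
 krb4_realms = /etc/krb.realms
# Let the library correct for clock skew using the KDC's timestamps; AD
# rejects requests whose clock differs from the DC by more than a few
# minutes, so keep this enabled and also run NTP.
 kdc_timesync = 1
 ccache_type = 4
# Forwardable tickets allow credential delegation to services the user
# logs in to.
 forwardable = true
# Proxiable tickets let a service request tickets on the user's behalf.
# Not needed for the AD join or for winbind; consider "false" unless an
# application on this host requires it.
 proxiable = true


# The following libdefaults parameters are only for Heimdal Kerberos.
 v4_instance_resolve = false
 v4_name_convert = {
  host = {
   rcmd = host
   ftp = ftp
  }
  plain = {
   something = something-else
  }
 }
 fcc-mit-ticketflags = true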
 
[realms]
# Explicit KDC for the AD domain (the domain controller, Kerberos port 88).
# default_domain maps host principals in this realm to the DNS domain.
# admin_server is consulted by kadmin/kpasswd-style tools; a Windows DC
# does not run MIT kadmind, so kadmin itself will not work against it.
 PROJECT.LOCAL = {
  default_domain = project.local
  kdc = project-ad.project.local:88
  admin_server = project-ad.project.local
 }
 
[domain_realm]
# Map the DNS domain (and every host beneath it) onto the Kerberos realm.
 project.local = PROJECT.LOCAL
 .project.local = PROJECT.LOCAL

[kdc]
# Only read by a KDC daemon running on this host. AD is the KDC here, so
# krb5-kdc should not need to run at all; note the path is the Red Hat
# default, whereas Debian's krb5-kdc package uses /etc/krb5kdc/kdc.conf.
 profile = /var/kerberos/krb5kdc/kdc.conf
 
[appdefaults]
# Settings read by the Kerberos PAM module.
# ticket_lifetime / renew_lifetime: 36000 s = 10 hours.
# krb4_convert = false: do not obtain Kerberos 4 credentials at login.
pam = {
 ticket_lifetime = 36000
 renew_lifetime = 36000
 forwardable = true
 krb4_convert = false
 debug = false
}
 
[login]
# Legacy login.krb5 settings (distribution defaults): no direct Kerberos 4
# ticket request, but allow conversion of the v5 credentials.
 krb4_get_tickets = false
 krb4_convert = true