How to setup Freeradius in a Domain
p.mayers at imperial.ac.uk
Thu Jul 14 11:42:58 CEST 2011
On 14/07/11 08:45, Johan Meiring wrote:
> On 2011/07/13 06:51 PM, Phil Mayers wrote:
>> If you are using Samba as your domain controllers, then you have
>> access to
>> the SAM and can extract the LM/NT hash from whatever backend you use.
>> So you can just feed that info straight to FreeRADIUS. No need to use
>> ntlm_auth / samba membership - just dump the NT hashes somewhere it
>> can get at them, or if you're using LDAP, point FreeRADIUS at that LDAP
>> server and make sure it can read the ntPassword attribute.
>> This is preferable to using ntlm_auth in fact.
> So the ntlm_auth "hack" is just because a Microsoft Domain
Point of clarity: It's not a hack. It's the same thing Windows does -
this is how IAS/NPS authenticates MS-CHAP. That's what the RPC call is
for, and they are core, documented Microsoft authenticator APIs.
> Controller/LDAP refuses to share the ntPassword attribute with anyone
> that does not look like Microsoft?
> Hopefully Samba4 changes that as it should have a copy of the AD database!
Personally I'm doubtful it will be useful for that many people. Think
about it: the argument goes as follows:
1. Samba 3 & ntlm_auth are too hard to set up / maintain
2. Therefore we'll install Samba 4, make it a domain controller so it
can replicate the SAM, and that will be much easier
Not a convincing argument, I feel. Even if you can convince your AD
admins to *permit* you to promote a Samba 4 to a DC role, I don't see
how it'll be any less hassle to run than a Samba 3 in a server role.
There are a small number of sites who may be able to use this route, but
for complete "ease of use", there's no ideal solution.