On Jul 10, 2023, at 10:11 AM, BOUILLOUD Corentin <cbouilloud@systra.com> wrote:
I would like to use Kerberos instead of ntlm_auth to authenticate AD users with FreeRADIUS.
Does Kerberos support MS-CHAP? Does Kerberos supply a clear-text password to FreeRADIUS? The answer to both of those questions is "no".
I configured 'mschap' module to directly use winbind daemon directly and, If I understood samba documentation properly, winbindd can't authenticate users himself. It uses 'pam_winbind' module that we can configure to use Kerberos.
I don't think that's correct pam_winbind talks to the windbindd process. That process then talks to Samba, and then to AD. This is all documented: https://www.samba.org/samba/docs/current/man-html/pam_winbind.8.html pam_winbind is a PAM module that can authenticate users against the local domain by talking to the Winbind daemon.
Could you confirm me that it is correct and/or possible in another way ?
You cannot use Kerberos to authenticate MS-CHAP. It's impossible.
https://www.samba.org/samba/docs/current/man-html/pam_winbind.8.html krb5_auth pam_winbind can authenticate using Kerberos when winbindd is talking to an Active Directory domain controller. Kerberos authentication must be enabled with this parameter.
That means the pam_windbind software can talk Kerberos to winbindd, which then sends the Kerberos data to AD. It doesn't mention MS-CHAP. Because it's impossible to use Kerberos to authenticate MS-CHAP. The mschap module documents what's possible. If you want to do MS-CHAP authentication with AD, use Samba and ntlm_auth, or winbind. As is documented in the mschap module configuration. Alan DeKok.