Hello all, apologies for this - I'm having an issue where I have a single Kerberos realm (published as the RADIUS realm) but multiple AD containers behind that, within which the users sit. The RADIUS/Kerberos server is joined to the domain and authentication via ntlm_auth works for both containers (if one specifies the container explicitly) # ntlm_auth --username=testusera --domain=a.example.com Password: NT_STATUS_OK: The operation completed successfully. (0x0) # ntlm_auth --username=testuserb --domain=b.example.com Password: NT_STATUS_OK: The operation completed successfully. (0x0) # So: Kerberos/RADIUS realm = example.com; users are in containers a.example.com & b.example.com Can I use the krb5.conf to handle the users as "user@example.com" and automatically have it try both containers (i.e. a.example.com & b.example.com)? I'm surmising that I need to do this in the realms and/or domain_realm sections - but the documentation isn't making a whole lot of sense to me at this stage (could be related to a caffeine deficit) Thanks in advance Jason ******************************************************************************************************************** This message may contain confidential information. If you are not the intended recipient please inform the sender that you have received the message in error before deleting it. Please do not disclose, copy or distribute information in this e-mail or take any action in relation to its contents. To do so is strictly prohibited and may be unlawful. Thank you for your co-operation. NHSmail is the secure email and directory service available for all NHS staff in England and Scotland. NHSmail is approved for exchanging patient data and other sensitive information with NHSmail and other accredited email services. For more information and to find out how you can switch, https://portal.nhs.net/help/joiningnhsmail
On Jan 17, 2019, at 4:26 AM, WAGHORN, Jason (NHS BORDERS) via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
Hello all, apologies for this - I'm having an issue where I have a single Kerberos realm (published as the RADIUS realm) but multiple AD containers behind that, within which the users sit. The RADIUS/Kerberos server is joined to the domain and authentication via ntlm_auth works for both containers (if one specifies the container explicitly)
AD doesn't handle multiple domains very well. i.e. if all of the domains are in the AD forest, it's OK. If you need to use different AD forests for different domains, it's hard.
# ntlm_auth --username=testusera --domain=a.example.com Password: NT_STATUS_OK: The operation completed successfully. (0x0) # ntlm_auth --username=testuserb --domain=b.example.com Password: NT_STATUS_OK: The operation completed successfully. (0x0) #
So: Kerberos/RADIUS realm = example.com; users are in containers a.example.com & b.example.com
Can I use the krb5.conf to handle the users as "user@example.com" and automatically have it try both containers (i.e. a.example.com & b.example.com)?
The "krb5" module in the server just connects to a kerberos server. It doesn't really know about domains. If you need to connect to 2 different kerberos servers, configure two krb5 modules. Then, select one or the other based on the domain.
I'm surmising that I need to do this in the realms and/or domain_realm sections - but the documentation isn't making a whole lot of sense to me at this stage (could be related to a caffeine deficit)
TBH, I'm not clear what you want. Why not just use ntlm_auth if that works? Alan DeKok.
Hi Here is what I'm trying to do: It's for a govroam RADIUS - locally it needs to authenticate against AD. 95% of the users are in one container, 5% in another. Ideal world I'd like 100% of users to be able to authenticate, I'd be delighted to get 95% working and move the other 5% to be in the same container... RADIUS realm = example.com AD domains = a.example.com & b.example.com If I use ntlm_auth from the command line of the RADIUS server and explicitly specify the domain a.example.com then authentication is successful. If I use ntlm_auth from the command line of the RADIUS server and don't specify the domain a.example.com then authentication is unsuccessful. If I use a radius client user@example.com and user is valid in AD domain a.example.com then FR returns (7) mschap: ERROR: Program returned code (1) and output 'The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)' (7) mschap: External script failed (7) mschap: ERROR: External script says: The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d) (7) mschap: ERROR: MS-CHAP2-Response is incorrect My supposition is that I'm not passing the correct AD domain to authenticate but I cannot fathom where I need to modify the config to make that translation. Cheers Jason Jason Waghorn Senior Infrastructure Engineer NHS Borders | IT Services | Huntlyburn Terrace | Borders General Hospital | Melrose | TD6 9BS direct: 01896 827 760 | ext: 27760 | email:j.waghorn1@nhs.net |j mobile: 0747 100 5116 -----Original Message----- From: Freeradius-Users [mailto:freeradius-users-bounces+j.waghorn1=nhs.net@lists.freeradius.org] On Behalf Of Alan DeKok Sent: 17 January 2019 14:08 To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: Kerberos realm vs NT domain On Jan 17, 2019, at 4:26 AM, WAGHORN, Jason (NHS BORDERS) via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
Hello all, apologies for this - I'm having an issue where I have a single Kerberos realm (published as the RADIUS realm) but multiple AD containers behind that, within which the users sit. The RADIUS/Kerberos server is joined to the domain and authentication via ntlm_auth works for both containers (if one specifies the container explicitly)
AD doesn't handle multiple domains very well. i.e. if all of the domains are in the AD forest, it's OK. If you need to use different AD forests for different domains, it's hard.
# ntlm_auth --username=testusera --domain=a.example.com Password: NT_STATUS_OK: The operation completed successfully. (0x0) # ntlm_auth --username=testuserb --domain=b.example.com Password: NT_STATUS_OK: The operation completed successfully. (0x0) #
So: Kerberos/RADIUS realm = example.com; users are in containers a.example.com & b.example.com
Can I use the krb5.conf to handle the users as "user@example.com" and automatically have it try both containers (i.e. a.example.com & b.example.com)?
The "krb5" module in the server just connects to a kerberos server. It doesn't really know about domains. If you need to connect to 2 different kerberos servers, configure two krb5 modules. Then, select one or the other based on the domain.
I'm surmising that I need to do this in the realms and/or domain_realm sections - but the documentation isn't making a whole lot of sense to me at this stage (could be related to a caffeine deficit)
TBH, I'm not clear what you want. Why not just use ntlm_auth if that works? Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html ******************************************************************************************************************** This message may contain confidential information. If you are not the intended recipient please inform the sender that you have received the message in error before deleting it. Please do not disclose, copy or distribute information in this e-mail or take any action in relation to its contents. To do so is strictly prohibited and may be unlawful. Thank you for your co-operation. NHSmail is the secure email and directory service available for all NHS staff in England and Scotland. NHSmail is approved for exchanging patient data and other sensitive information with NHSmail and other accredited email services. For more information and to find out how you can switch, https://portal.nhs.net/help/joiningnhsmail
On Jan 17, 2019, at 9:56 AM, WAGHORN, Jason (NHS BORDERS) via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
It's for a govroam RADIUS - locally it needs to authenticate against AD. 95% of the users are in one container, 5% in another. Ideal world I'd like 100% of users to be able to authenticate, I'd be delighted to get 95% working and move the other 5% to be in the same container...
RADIUS realm = example.com AD domains = a.example.com & b.example.com
If I use ntlm_auth from the command line of the RADIUS server and explicitly specify the domain a.example.com then authentication is successful. If I use ntlm_auth from the command line of the RADIUS server and don't specify the domain a.example.com then authentication is unsuccessful.
If I use a radius client user@example.com and user is valid in AD domain a.example.com then FR returns
(7) mschap: ERROR: Program returned code (1) and output 'The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)' (7) mschap: External script failed (7) mschap: ERROR: External script says: The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d) (7) mschap: ERROR: MS-CHAP2-Response is incorrect
The short answer there is to fix AD so that it looks users up in the right domain... it should be able to do this.
My supposition is that I'm not passing the correct AD domain to authenticate but I cannot fathom where I need to modify the config to make that translation.
A better question is what is the "correct" AD domain? How do you know which user is in which domain? i.e. can *FreeRADIUS* tell which user is in which domain? If so, the configuration should be simple. If not, it gets a lot more complex. Alan DeKok.
Hi As I said - if I can get it working for the 95% then I can arrange the relocation of the 5% to the same AD container - that leaves the outstanding issue of making sure that it's attempting to authenticate against the correct AD container... which is the part I still cannot fathom. So - Kerberos/RADIUS realm is example.com, users are in a.example.com - everything I see looks like when user@example.com attempts to authenticate via RADIUS that it pushes that same user/example.com combination towards AD for authentication and not the desired user/a.example.com so it fails. I suppose I could republish the RADIUS realm to match the domain but I've couched it in terms of "example.com" because the realm is already embarrassingly long (and cumbersome for users to enter) and the container where the users live makes that even more embarrassingly long. Apologies if the terminology is incorrect - I am trying to learn here. Cheers Jason ******************************************************************************************************************** This message may contain confidential information. If you are not the intended recipient please inform the sender that you have received the message in error before deleting it. Please do not disclose, copy or distribute information in this e-mail or take any action in relation to its contents. To do so is strictly prohibited and may be unlawful. Thank you for your co-operation. NHSmail is the secure email and directory service available for all NHS staff in England and Scotland. NHSmail is approved for exchanging patient data and other sensitive information with NHSmail and other accredited email services. For more information and to find out how you can switch, https://portal.nhs.net/help/joiningnhsmail
How about taking the username / realm and searching for them in AD using the fact it is an LDAP service... once you know the LDAP record it ought to be trivial to derive the 'username' that needs to be used to authenticate the session using the existing working method. Just an idea can't say it'll work for certain AD depends if enough information is in the AD record for the user. A. On 18/01/2019, 09:59, "Freeradius-Users on behalf of WAGHORN, Jason (NHS BORDERS) via Freeradius-Users" <freeradius-users-bounces+alister.winfield=sky.uk@lists.freeradius.org on behalf of freeradius-users@lists.freeradius.org> wrote: Hi As I said - if I can get it working for the 95% then I can arrange the relocation of the 5% to the same AD container - that leaves the outstanding issue of making sure that it's attempting to authenticate against the correct AD container... which is the part I still cannot fathom. So - Kerberos/RADIUS realm is example.com, users are in a.example.com - everything I see looks like when user@example.com attempts to authenticate via RADIUS that it pushes that same user/example.com combination towards AD for authentication and not the desired user/a.example.com so it fails. I suppose I could republish the RADIUS realm to match the domain but I've couched it in terms of "example.com" because the realm is already embarrassingly long (and cumbersome for users to enter) and the container where the users live makes that even more embarrassingly long. Apologies if the terminology is incorrect - I am trying to learn here. Cheers Jason ******************************************************************************************************************** This message may contain confidential information. If you are not the intended recipient please inform the sender that you have received the message in error before deleting it. Please do not disclose, copy or distribute information in this e-mail or take any action in relation to its contents. To do so is strictly prohibited and may be unlawful. Thank you for your co-operation. NHSmail is the secure email and directory service available for all NHS staff in England and Scotland. NHSmail is approved for exchanging patient data and other sensitive information with NHSmail and other accredited email services. For more information and to find out how you can switch, https://portal.nhs.net/help/joiningnhsmail - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -------------------------------------------------------------------- This email is from an external source. Please do not open attachments or click links from an unknown or suspicious origin. Phishing attempts can be reported by sending them to phishing@sky.uk as attachments. Thank you -------------------------------------------------------------------- Information in this email including any attachments may be privileged, confidential and is intended exclusively for the addressee. The views expressed may not be official policy, but the personal views of the originator. If you have received it in error, please notify the sender by return e-mail and delete it from your system. You should not reproduce, distribute, store, retransmit, use or disclose its contents to anyone. Please note we reserve the right to monitor all e-mail communication through our internal and external networks. SKY and the SKY marks are trademarks of Sky Limited and Sky International AG and are used under licence. Sky UK Limited (Registration No. 2906991), Sky-In-Home Service Limited (Registration No. 2067075), Sky Subscribers Services Limited (Registration No. 2340150) and Sky CP Limited (Registration No. 9513259) are direct or indirect subsidiaries of Sky Limited (Registration No. 2247735). All of the companies mentioned in this paragraph are incorporated in England and Wales and share the same registered office at Grant Way, Isleworth, Middlesex TW7 5QD
participants (3)
-
Alan DeKok -
WAGHORN, Jason (NHS BORDERS) -
Winfield, Alister