ntlm remotely ? - too much to...
... ask of a radius server? To authenticate with a non-local, a remote ntlm/winbind ? Too much? many thanks, L
On Fri, Jun 17, 2016 at 02:29:26PM +0100, lejeczek via Freeradius-Users wrote:
... ask of a radius server? To authenticate with a non-local, a remote ntlm/winbind ? Too much?
What are you tring to do? NTLM is usually remote (to an AD or Samba domain controller). Over the wire normally SMB from Samba on the FreeRADIUS server. If you install FreeRADIUS on the remote server then you could proxy the request instead. I'm sure there are other "ingenious" ways of getting the auth data over, if you wanted to do something weird. But it's probably not worth it. Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
On 17/06/16 14:37, Matthew Newton wrote:
On Fri, Jun 17, 2016 at 02:29:26PM +0100, lejeczek via Freeradius-Users wrote:
... ask of a radius server? To authenticate with a non-local, a remote ntlm/winbind ? Too much? What are you tring to do? simply - radius server and no samba/winbind on the box. separate box A.radius => box B.smb/winbind.(AD joined) NTLM is usually remote (to an AD or Samba domain controller).
Over the wire normally SMB from Samba on the FreeRADIUS server.
If you install FreeRADIUS on the remote server then you could proxy the request instead.
I'm sure there are other "ingenious" ways of getting the auth data over, if you wanted to do something weird. But it's probably not worth it.
Matthew
On Fri, Jun 17, 2016 at 02:47:24PM +0100, lejeczek via Freeradius-Users wrote:
On 17/06/16 14:37, Matthew Newton wrote:
On Fri, Jun 17, 2016 at 02:29:26PM +0100, lejeczek via Freeradius-Users wrote:
... ask of a radius server? To authenticate with a non-local, a remote ntlm/winbind ? Too much? What are you tring to do? simply - radius server and no samba/winbind on the box. separate box A.radius => box B.smb/winbind.(AD joined)
a) put FreeRADIUS on box "B" and proxy. b) push Samba on box "A" and do it directly. c) Invent something that "a" or "b" will already do for you. (c) seems like a rather silly option to me, though probably not that hard with e.g. rlm_rest or similar. Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
On Jun 17, 2016, at 9:29 AM, lejeczek via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
... ask of a radius server? To authenticate with a non-local, a remote ntlm/winbind ? Too much?
Don't use PAM. It's intended for applications to do user authentication... once. Maybe they've fixed it, but PAM used to leak memory like crazy when FreeRADIUS used it for repeated authentication. And whatever PAM can do for authentication... FreeRADIUS can do better. And simpler. And more controlled. PAM stands for "pluggable authentication modules". Well, FreeRADIUS is an authentication server. And FreeRADIUS has pluggable modules. And FreeRADIUS has "unlang', and a configuration which is infinitely more flexible than PAM. The only reason to use PAM is when you need to use a proprietary authentication plugin that is only supplied via PAM. And even then, it's only good for PAP authentication. PAM doesn't do CHAP, MS-CHAP, EAP, or any other authentication method. Don't use PAM. Alan DeKok.
On 06/17/2016 06:43 AM, Alan DeKok wrote:
On Jun 17, 2016, at 9:29 AM, lejeczek via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
... ask of a radius server? To authenticate with a non-local, a remote ntlm/winbind ? Too much? Don't use PAM. It's intended for applications to do user authentication... once.
Maybe they've fixed it, but PAM used to leak memory like crazy when FreeRADIUS used it for repeated authentication.
And whatever PAM can do for authentication... FreeRADIUS can do better. And simpler. And more controlled.
PAM stands for "pluggable authentication modules". Well, FreeRADIUS is an authentication server. And FreeRADIUS has pluggable modules. And FreeRADIUS has "unlang', and a configuration which is infinitely more flexible than PAM.
The only reason to use PAM is when you need to use a proprietary authentication plugin that is only supplied via PAM. And even then, it's only good for PAP authentication.
PAM doesn't do CHAP, MS-CHAP, EAP, or any other authentication method.
Don't use PAM.
I think you were answering my thread, based on context. I'm not sold on PAM, just surprised and slightly frustrated at the fact that (as of my Googling thus far) there doesn't appear to be a Perl module capable of handling MS-CHAP authentication (on the NAS side - we're already using rlm_perl to good effect on the radius server). I've got winbind running over PAP from the wiki example, and that'll just have to do for now.
participants (4)
-
Alan DeKok -
lejeczek -
Matthew Newton -
Mike Ely