How to authenticate users against a Windoze AD server with krb5?
Hi list, I'm trying to authenticate users against a Windows AD server using the krb5 module... but due to missing documentation on how to do this, I'm stuck. When I try to get a Kerberos ticket using kinit on the radius machine, it works. But when I try to use the krb5 module, it always gives me a Reject... Is there anywhere a detailed howto available? Google didn't help me much... :( Cheers Arne -- Arne Götje (高盛華) <arne@linux.org.tw> PGP/GnuPG key: 1024D/685D1E8C Fingerprint: 2056 F6B7 DEA8 B478 311F 1C34 6E9F D06E 685D 1E8C Key available at wwwkeys.pgp.net. Encrypted e-mail preferred.
I know what you mean about the lack of documentation for using Kerberos authentication with FreeRadius. I pieced together the correct method using the documentation from the distribution, emails in the archives of this mailing list and trial and error. I am authenticating with the SEAM process on Solaris 10 which is MIT Kerberos V. I installed FreeRadius on a machine running Solaris 9. FreeRadius defaults to using MIT Kerberos V but can be changed to use the Heimdal version instead. I didn't see any documentation that says that you can use an Active Directory for Kerberos authentication. On what operating system is FreeRadius installed? Is there an MIT Kerberos V or Heimdal Kerberos V installation on the same box? Did your compilation successfully build the rlm_krb5 libraries? When you start radiusd with the -X option do you see that it is actually using the rlm_krb5 module? At 03:15 AM 5/31/2005, you wrote:
Hi list,
I'm trying to authenticate users against a Windows AD server using the krb5 module... but due to missing documentation on how to do this, I'm stuck.
When I try to get a Kerberos ticket using kinit on the radius machine, it works. But when I try to use the krb5 module, it always gives me a Reject...
Is there anywhere a detailed howto available? Google didn't help me much... :(
Cheers Arne
-- Arne Götje (é«çè¯) <arne@linux.org.tw> PGP/GnuPG key: 1024D/685D1E8C Fingerprint: 2056 F6B7 DEA8 B478 311F 1C34 6E9F D06E 685D 1E8C Key available at wwwkeys.pgp.net. Encrypted e-mail preferred.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Brother Kenneth Arnold System Administrator Information Technology Services Christian Brothers University (901) 321-4333
Arne =?utf-8?q?G=C3=B6tje?= (=?utf-8?q?=E9=AB=98=E7=9B=9B=E8=8F=AF?=)" <arne@linux.org.tw> wrote:
I'm trying to authenticate users against a Windows AD server using the krb5 module... but due to missing documentation on how to do this, I'm stuck.
The rlm_krb5 module takes a clear-text password from a RADIUS packet, and uses it to authenticate via kerberos. This may work against AD, but I don't think anyone has tried it.
When I try to get a Kerberos ticket using kinit on the radius machine, it works. But when I try to use the krb5 module, it always gives me a Reject...
Run the server in debugging mode, and post the output here. Alan DeKok.
On Wednesday 01 June 2005 01:08, Alan DeKok wrote:
The rlm_krb5 module takes a clear-text password from a RADIUS packet, and uses it to authenticate via kerberos. This may work against AD, but I don't think anyone has tried it.
Ouch! I think this answers my question... this method cannot work as the clear-text password is never supplied by the client. EAP-MD5 is used (802.1x). So it will only supply a MD5 hash... Can ntlm_auth handle MD5 hashes as passwords??? Any solution to this or am I forced to use a M$ compatible radius server instead? Cheers Arne -- Arne Götje (高盛華) <arne@linux.org.tw> PGP/GnuPG key: 1024D/685D1E8C Fingerprint: 2056 F6B7 DEA8 B478 311F 1C34 6E9F D06E 685D 1E8C Key available at wwwkeys.pgp.net. Encrypted e-mail preferred.
"Arne =?utf-8?q?G=C3=B6tje?= (=?utf-8?q?=E9=AB=98=E7=9B=9B=E8=8F=AF?=)" <arne@linux.org.tw> wrote:
Can ntlm_auth handle MD5 hashes as passwords???
Nope.
Any solution to this or am I forced to use a M$ compatible radius server instead?
You're forced to use IAS. Nothing else does the right magic RPC call to get the clear-text password. And even with IAS, you'll have to store the passwords in AD using "reversible encryption" as they call it. Alan DeKok.
participants (3)
-
Alan DeKok -
Arne Götje (高盛華) -
Kenneth G. Arnold