Authenticating against Win2k8r2 without ntlm_auth
Hi, I'm using FreeRADIUS 2.1.7 on RHEL 5.6. My AD admins recently upgraded from Win2k3 to Win2k8r2. As a result, this broke compatibility with Samba 3.0.x--so I was forced to upgrade to Samba 3.5.x to resolve those issues. To further complicate things, I use Likewise Enterprise to provide AD integration--for compatibility with Samba 3.5.x, I had to upgrade from Likewise 5.x to 6.0. While Samba 3.5 and Likewise 6 fixed the problems authenticating against Win2k8r2, Likewise removed support for Samba/Winbind in their 6.x series product (they included full support for Samba/Winbind in their 5.x series product)--they now use their own libraries to provide "winbind" functionality. The result of this is that the Samba-included ntlm_auth no longer works (and Likewise doesn't provide a comparable replacement)--since my FreeRADIUS install was using ntlm_auth for AD authentication and authorization, it is no longer working. So I'm looking at alternate ways of authenticating against Win2k8r2. I was hoping to get some input from the list regarding this. The FreeRADIUS server is fully configured (via Likewise Enterprise) to authenticate against AD using Kerberos. Authorization is also provided by Likewise Enterprise through other libraries. Both authentication and authorization function properly at the OS level and it integrates well with PAM and anything that can use Kerberos for authentication--so you can do things like log into the server via SSH using AD credentials. I currently only use FreeRADIUS to provide access to VPN clients--the VPN server is a Cisco ASA. I am also working on a Cisco Aironet deployment that will use FreeRADIUS, though this hasn't been configured yet (I'm in the early stages of that deployment). I don't really care if authorization is local or via AD, but I would definitely like authentication to occur via AD. So barring ntlm_auth, is there a good/better/best way of connecting FreeRADIUS to AD? PAM? Kerberos? LDAP? ~ Tom
On Sun, Apr 24, 2011 at 6:48 AM, Thomas Smith <theitsmith@gmail.com> wrote:
I use Likewise Enterprise to provide AD integration
While Samba 3.5 and Likewise 6 fixed the problems authenticating against Win2k8r2, Likewise removed support for Samba/Winbind in their 6.x series product (they included full support for Samba/Winbind in their 5.x series product)--they now use their own libraries to provide "winbind" functionality. The result of this is that the Samba-included ntlm_auth no longer works (and Likewise doesn't provide a comparable replacement)--since my FreeRADIUS install was using ntlm_auth for AD authentication and authorization, it is no longer working.
So I'm looking at alternate ways of authenticating against Win2k8r2. I was hoping to get some input from the list regarding this.
Why not bypass Likewise? If another windows server is able to join the domain directly, then a Linux machine with samba can surely join the same domain without needing Likewise or some other third-party integration tool. -- Fajar
On Sat, Apr 23, 2011 at 5:32 PM, Fajar A. Nugraha <list@fajar.net> wrote:
On Sun, Apr 24, 2011 at 6:48 AM, Thomas Smith <theitsmith@gmail.com> wrote:
I use Likewise Enterprise to provide AD integration
While Samba 3.5 and Likewise 6 fixed the problems authenticating against Win2k8r2, Likewise removed support for Samba/Winbind in their 6.x series product (they included full support for Samba/Winbind in their 5.x series product)--they now use their own libraries to provide "winbind" functionality. The result of this is that the Samba-included ntlm_auth no longer works (and Likewise doesn't provide a comparable replacement)--since my FreeRADIUS install was using ntlm_auth for AD authentication and authorization, it is no longer working.
So I'm looking at alternate ways of authenticating against Win2k8r2. I was hoping to get some input from the list regarding this.
Why not bypass Likewise?
If another windows server is able to join the domain directly, then a Linux machine with samba can surely join the same domain without needing Likewise or some other third-party integration tool.
Yeah, the thought had occurred to me. :-) This would just mean turning up another server specifically for FR. I would also loose some of the management capabilities that Likewise provides. I was hoping to find another way before resorting to that.
On Sun, Apr 24, 2011 at 7:55 AM, Thomas Smith <theitsmith@gmail.com> wrote:
On Sat, Apr 23, 2011 at 5:32 PM, Fajar A. Nugraha <list@fajar.net> wrote:
On Sun, Apr 24, 2011 at 6:48 AM, Thomas Smith <theitsmith@gmail.com> wrote:
I use Likewise Enterprise to provide AD integration
So I'm looking at alternate ways of authenticating against Win2k8r2. I was hoping to get some input from the list regarding this.
Why not bypass Likewise?
If another windows server is able to join the domain directly, then a Linux machine with samba can surely join the same domain without needing Likewise or some other third-party integration tool.
Yeah, the thought had occurred to me. :-)
This would just mean turning up another server specifically for FR.
That shouldn't be a problem if you use virtualization (Xen/KVM/Virtualbox/Hyper-V/whatever). A small-medium instance (about 256M memory) should be enough.
I would also loose some of the management capabilities that Likewise provides. I was hoping to find another way before resorting to that.
IIRC you can also run IAS/NPS on Windows and setup FR to proxy request there. -- Fajar
On 04/24/2011 12:48 AM, Thomas Smith wrote:
While Samba 3.5 and Likewise 6 fixed the problems authenticating against Win2k8r2, Likewise removed support for Samba/Winbind in their 6.x series product (they included full support for Samba/Winbind in their 5.x series product)--they now use their own libraries to provide "winbind" functionality. The result of this is that the Samba-included ntlm_auth no longer works (and Likewise doesn't provide a comparable replacement)--since my FreeRADIUS install was using ntlm_auth for AD authentication and authorization, it is no longer working.
If you're using Samba/ntlm_auth, you're probably doing PEAP/MSCHAP, in which case you have precisely one option - continuing to use Samba/ntlm_auth. Neither kerberos nor LDAP against AD (nor any other method) can be used to process MSCHAP authentications. If Likewise are going to replace bits of the Samba stack, they should provide compatible bits.
Could we extend the AD schema with another accessible ntPassword hash, and thus use LDAP against AD for PEAP/MSCHAP? Schilling On Sun, Apr 24, 2011 at 4:33 AM, Phil Mayers <p.mayers@imperial.ac.uk> wrote:
On 04/24/2011 12:48 AM, Thomas Smith wrote:
While Samba 3.5 and Likewise 6 fixed the problems authenticating against Win2k8r2, Likewise removed support for Samba/Winbind in their 6.x series product (they included full support for Samba/Winbind in their 5.x series product)--they now use their own libraries to provide "winbind" functionality. The result of this is that the Samba-included ntlm_auth no longer works (and Likewise doesn't provide a comparable replacement)--since my FreeRADIUS install was using ntlm_auth for AD authentication and authorization, it is no longer working.
If you're using Samba/ntlm_auth, you're probably doing PEAP/MSCHAP, in which case you have precisely one option - continuing to use Samba/ntlm_auth.
Neither kerberos nor LDAP against AD (nor any other method) can be used to process MSCHAP authentications.
If Likewise are going to replace bits of the Samba stack, they should provide compatible bits. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 04/25/2011 02:44 PM, schilling wrote:
Could we extend the AD schema with another accessible ntPassword hash, and thus use LDAP against AD for PEAP/MSCHAP?
Yes, if you know everyones plaintext password. But if you do, you don't have this problem at all; you can just store Cleartext-Password in some secured SQL database and use that. In short: it's usually impractical.
On Sun, Apr 24, 2011 at 1:33 AM, Phil Mayers <p.mayers@imperial.ac.uk> wrote:
On 04/24/2011 12:48 AM, Thomas Smith wrote:
While Samba 3.5 and Likewise 6 fixed the problems authenticating against Win2k8r2, Likewise removed support for Samba/Winbind in their 6.x series product (they included full support for Samba/Winbind in their 5.x series product)--they now use their own libraries to provide "winbind" functionality. The result of this is that the Samba-included ntlm_auth no longer works (and Likewise doesn't provide a comparable replacement)--since my FreeRADIUS install was using ntlm_auth for AD authentication and authorization, it is no longer working.
If you're using Samba/ntlm_auth, you're probably doing PEAP/MSCHAP, in which case you have precisely one option - continuing to use Samba/ntlm_auth.
Neither kerberos nor LDAP against AD (nor any other method) can be used to process MSCHAP authentications.
If Likewise are going to replace bits of the Samba stack, they should provide compatible bits.
Yeah, that's exactly what I've been doing. I was hoping to find another method, but that doesn't sound promising. I brought this to Likewise' attention as soon as I noticed the issue. They are looking into it but haven't given me a time frame for a "fix", or even if there will provide one.
On 04/25/2011 07:33 PM, Thomas Smith wrote:
I brought this to Likewise' attention as soon as I noticed the issue. They are looking into it but haven't given me a time frame for a "fix", or even if there will provide one.
I'm not familiar with Likewise (nor do I have any desire to become so). But if they provide any development libraries or infrastructure, you may be able to implement the feature yourself. All "ntlm_auth" ends up doing is SamNetworkLogon RPC against the netlogon pipe of a domain controller. Minimally, they just need to provide you a binary (or you code one up) that calls that RPC using the challenge and ntresponse values (along with username/domain) and returns the NT key value. The other alternative would be to compile Samba into a separate directory tree, and configure it carefully - then join it to the domain as a separate "virtual" domain member, which is only used for running winbind and ntlm_auth. You might have problems with nmbd and binding to port 13x. But honestly: it would probably be easier to just run Samba on your FreeRadius servers, and forgo Likewise.
participants (4)
-
Fajar A. Nugraha -
Phil Mayers -
schilling -
Thomas Smith