How to? - use/configure winbind/ntlm_auth for Windows authentication
Hello, I'm trying to set up a FreeRadius solution for a Windows2k AD environnment. The FreeRadius-server is already running right. I can authenticate a testuser with Auth-Type := EAP (username and password stored as cleartext in the users file) Now I want to use FreeRadius to check username/password from the Active Directory Server when a user logs onto the computer. I checked the list already. Some say to use ntlm_auth and winbind, others LDAP, then samba... but nobody is able to explain how to get it working. Is it really as complicated? ntlm_auth seems very simple, returnig 1 if user/pwd is alright and 0 when not. But how can I test this from the command line? Where do I specify the address of the AD-server? When running ntlm_auth -- usage there are too much parameters that are unknown to me. Thanks in advance for any help! Pete _________________________________________________________________ Express yourself instantly with MSN Messenger! Download today it's FREE! http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/
Hi Pete,
look at the radiusd.conf file, there is a sample line for ntml_auth.
"man ntml_auth" will give you details on the parameters.
regards, Stéphane
Hi! Yes, that famous line! But I can't imagine that the configuration depends all on that single line. Here is my new state: I have configured Samba to join the Windows domain. This is working (with net rpc join..) Then I launched nmbd and winbindd. Winbind starts but gives the following errors: Kinit failed: Malformed representation of principal krb5_cc_get_principal failed (No credentials cache found) kerberos_kinit_password host /SMF-210-1@ failed: Malformed representation of principal As I do not use Kerberos I think that those errors can be ignored. wbinfo -g shows me the groups but wbinfo -u fails with "Error looking up domain users". When executing ntlm_auth --request-nt-key --domain=TESTDOMAIN --username=pete --nt-response I am prompted for the password and then I get NT_STATUS_OK: Success (0x0) So ntlm_auth seems to work. But even when checking the manual I can't figure out what hexadecimal string I have to put for testing --challenge from the command line. Back to freeradius. In the Users file I added MS-CHAP-USE-NTLM-Auth = 1 but I cannot see in the execution of ntlm_auth in the debug output. It should be logged at "radius_xlat:" or not? Here is the complete output that is generated: rad_recv: Access-Request packet from host 192.168.33.44:1812, id=123, length=108 NAS-IP-Address = 192.168.33.44 NAS-Port-Type = Async User-Name = "pete" Service-Type = Framed-User Framed-MTU = 1500 Calling-Station-Id = "00-11-43-5c-77-d6" EAP-Message = 0x0200000e0163736368776172747a Message-Authenticator = 0x25f38b75fa3cb4abe24e239a027fee0c Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "pete", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: EAP packet type response id 0 length 14 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 0 users: Matched entry DEFAULT at line 159 users: Matched entry DEFAULT at line 178 modcall[authorize]: module "files" returns ok for request 0 modcall: group authorize returns updated for request 0 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 rlm_eap: EAP Identity rlm_eap: processing type md5 rlm_eap_md5: Issuing Challenge modcall[authenticate]: module "eap" returns handled for request 0 modcall: group authenticate returns handled for request 0 Sending Access-Challenge of id 123 to 192.168.33.44:1812 Framed-IP-Address = 255.255.255.254 Framed-MTU = 576 Service-Type = Framed-User EAP-Message = 0x010100160410b9e2efb64f157d1421f9078e7a3bea4c Message-Authenticator = 0x00000000000000000000000000000000 State = 0x4ec2da2c4cfabac97ead6fe8e31653bf Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.33.44:1812, id=124, length=143 NAS-IP-Address = 192.168.33.44 NAS-Port-Type = Async User-Name = "pete" Service-Type = Framed-User Framed-MTU = 1500 Calling-Station-Id = "00-11-43-5c-77-d6" State = 0x4ec2da2c4cfabac97ead6fe8e31653bf EAP-Message = 0x0201001f04102f942aff5c15b303e8f9165af155871063736368776172747a Message-Authenticator = 0x2000b9a88b196b010901c1f9e01d3555 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 1 modcall[authorize]: module "preprocess" returns ok for request 1 modcall[authorize]: module "chap" returns noop for request 1 modcall[authorize]: module "mschap" returns noop for request 1 rlm_realm: No '@' in User-Name = "pete", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 1 rlm_eap: EAP packet type response id 1 length 31 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 1 users: Matched entry DEFAULT at line 159 users: Matched entry DEFAULT at line 178 modcall[authorize]: module "files" returns ok for request 1 modcall: group authorize returns updated for request 1 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 1 rlm_eap: Request found, released from the list rlm_eap: EAP/md5 rlm_eap: processing type md5 rlm_eap_md5: User-Password is required for EAP-MD5 authentication rlm_eap: Handler failed in EAP/md5 rlm_eap: Failed in EAP select modcall[authenticate]: module "eap" returns invalid for request 1 modcall: group authenticate returns invalid for request 1 auth: Failed to validate the user. Delaying request 1 for 1 seconds Finished request 1 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.33.44:1812, id=124, length=143 Sending Access-Reject of id 124 to 192.168.33.44:1812 EAP-Message = 0x04010004 Message-Authenticator = 0x00000000000000000000000000000000 --- Walking the entire request list --- Waking up in 3 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 123 with timestamp 429e8ebe Cleaning up request 1 ID 124 with timestamp 429e8ebe Nothing to do. Sleeping until we see a request. Regards, Pete _________________________________________________________________ Express yourself instantly with MSN Messenger! Download today it's FREE! http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/
participants (1)
-
Pete Flynt