Any updates on authenticating against Active Directory?
Hi, I am configuring a Freeradius server on Ubuntu 20.04 to authenticate against an Active Directory Domain. I searched online and found many documentation pages, like this one: http://deployingradius.com/documents/configuration/active_directory.html but I did not find any recently produced page, every page that I found dates back to 5+ years ago and relies on Samba and ntlm_auth command. So my question is: is this procedure still recommended? Or are there any newer procedures? Can't I query AD domain as an LDAP server, avoiding joining my Ubuntu server to the domain?
On 15.11.21 12:37, egobrc@gmail.com wrote:
Hi, I am configuring a Freeradius server on Ubuntu 20.04 to authenticate against an Active Directory Domain. I searched online and found many documentation pages, like this one: http://deployingradius.com/documents/configuration/active_directory.html but I did not find any recently produced page, every page that I found dates back to 5+ years ago and relies on Samba and ntlm_auth command.
So my question is: is this procedure still recommended? Or are there any newer procedures? Can't I query AD domain as an LDAP server, avoiding joining my Ubuntu server to the domain?
This doc is still valid. You have to use samba for authentication. For authorization you can query the LDAP part of the AD server, of course. Mit freundlichen Grüßen, -- [*] sys4 AG https://sys4.de, +49 (89) 30 90 46 64 Schleißheimer Straße 26/MG,80333 München Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263 Vorstand: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief Aufsichtsratsvorsitzender: Florian Kirstein
-----Original Message----- Hi, I am configuring a Freeradius server on Ubuntu 20.04 to authenticate against an Active Directory Domain. I searched online and found many documentation pages, like this one: http://deployingradius.com/documents/configuration/active_directory.html but I did not find any recently produced page, every page that I found dates back to 5+ years ago and relies on Samba and ntlm_auth command. So my question is: is this procedure still recommended? Or are there any newer procedures? Can't I query AD domain as an LDAP server, avoiding joining my Ubuntu server to the domain? -- We're looking at this as well, but NTLM auth has been turned off in our environment. There's this page that describes how to do auth with Kerberos, which may work, but I have not had a chance to test it yet. https://www.anyroam.net/node/90 --Chris
On Nov 15, 2021, at 8:46 AM, Boyd, Christopher <cboyd@utsystem.edu> wrote:
We're looking at this as well, but NTLM auth has been turned off in our environment.
Then MS-CHAP / PEAP-MSCHAP is impossible. This kind of thing often comes from an absolutist view of security. "We can't do X, because it's insecure!". Ok then, that means many other things are now impossible to do. Things which you want to have. You've got to have an informed trade-off for security. Figure out what you want (everything you want), and then pick the most secure option. In this case, you could probably set up a Samba replica for AD, turn on ntlm_auth there, and then allow only the FreeRADIUS machine to access it. That gets you 100% of the functionality, with 99.9% of the security.
There's this page that describes how to do auth with Kerberos, which may work, but I have not had a chance to test it yet. https://www.anyroam.net/node/90
I really hate third-party sites which give bad advice. Don't use Kerberos. It's not necessary. From the article: "you need to properly setup TTLS with PAP authentication since Kerberos authentication will only work with this pairing of EAP methods" Uh... why not just use LDAP then? FreeRADIUS can do LDAP "bind as user" to AD. It will work. Alan DeKok.
participants (4)
-
Alan DeKok -
Boyd, Christopher -
egobrc@gmail.com -
Michael Schwartzkopff