Re: Kerberos - Radius does not get password
Hmm, having run FR with AD authentication using winbindd and samba for many many years I am interested in what problems with those daemons you were having ... why need the frequent restarts etc. eduroam certainly wouldn't have had the high take-up we've seen in eg Europe if all sites had to reengineer their backend authentication and couldn't use PEAP/MSCHAPv2 alan -- This smartphone uses free WiFi around the world with eduroam, now that's what I call smart.
On 12/28/2012 10:41 PM, Alan Buxey wrote:
Hmm, having run FR with AD authentication using winbindd and samba for many many years I am interested in what problems with those daemons you were having ... why need the frequent restarts etc. eduroam certainly wouldn't have had the high take-up we've seen in eg Europe if all sites had to reengineer their backend authentication and couldn't use PEAP/MSCHAPv2
In fairness, we've seen the occasional problem, though very rarely, that has required a restart of winbind. I have the impression that winbind is extremely (and I do mean extremely) sensitive to certain aspects of an AD configuration, such as your domain "level", version of domain controllers, group policy mandating SMB sign/seal, and so forth. So there are a lot of variables in there. Maybe academic sites trend towards a config that's more forgiving? Winbind also only ever talks to one domain controller at a time, and takes an age to failover (90+ seconds) if that DC goes away. On a couple of occasions, the problems we've had have followed a DC being taken out of service, and have necessitated a restart of both smbd and winbindd - winbind just seems to hang. But on other occasions, it hasn't been a problem - weird. I also suspect it's *highly* dependent on the Samba version. Many people just run the packaged OS version, and these are often older 3.x releases that don't play well with their combination of features. Just to repeat: the problems we've had are rare. But software is usually fairly deterministic and I guess if other people experience the triggers more often, they'll have the problems more often. If I had the time, I'd engage in some serious resilience testing of a samba/winbind config as used for MSCHAP and try and identify the cause (and open some bugs) and any mitigations. But I don't :o( Unfortunately, if you run AD and have significant numbers of Windows clients, you don't really have any choice but to use MSCHAP, and thus samba/winbind, IMO.
Hello I been having problem as listed in this bug list: https://bugzilla.samba.org/show_bug.cgi?id=6563#c59 I know at least few university having similar issue and ended up with restarting winbind - that resolve the issue. I am not sure which version of samba+winbind are you using? Also, I am just thinking, is there a way to configure both kerberos (which works TTLS with PAP) and EAP-PEAP with MSCHAPv2 ? if it is possible I can support both TTLS via kerberos and PEAP - MCHAP with Active directory (winbind and samba). This way I can continue support older $$$client xp, win7 and for rest those are supported I can enforce to use TTLS-PAP with kerberos. It would be great if you direct me in right road. However, in my environment there is currently only one domain controller - i am not sure about that 90+ seconds failover thing. but I do realize that there is somwhere timeout in winbind - it disconnect from the AD which I believe is the problem. Perhaps when it disconnects from AD - it needs that 90seconds to reconnect and in the same-time radius gets a lot of request - probably windbind hands or etc or it is waiting waiting to reconnect. K On Sat, Dec 29, 2012 at 12:32 PM, Phil Mayers <p.mayers@imperial.ac.uk>wrote:
On 12/28/2012 10:41 PM, Alan Buxey wrote:
Hmm, having run FR with AD authentication using winbindd and samba for many many years I am interested in what problems with those daemons you were having ... why need the frequent restarts etc. eduroam certainly wouldn't have had the high take-up we've seen in eg Europe if all sites had to reengineer their backend authentication and couldn't use PEAP/MSCHAPv2
In fairness, we've seen the occasional problem, though very rarely, that has required a restart of winbind.
I have the impression that winbind is extremely (and I do mean extremely) sensitive to certain aspects of an AD configuration, such as your domain "level", version of domain controllers, group policy mandating SMB sign/seal, and so forth. So there are a lot of variables in there. Maybe academic sites trend towards a config that's more forgiving?
Winbind also only ever talks to one domain controller at a time, and takes an age to failover (90+ seconds) if that DC goes away. On a couple of occasions, the problems we've had have followed a DC being taken out of service, and have necessitated a restart of both smbd and winbindd - winbind just seems to hang. But on other occasions, it hasn't been a problem - weird.
I also suspect it's *highly* dependent on the Samba version. Many people just run the packaged OS version, and these are often older 3.x releases that don't play well with their combination of features.
Just to repeat: the problems we've had are rare. But software is usually fairly deterministic and I guess if other people experience the triggers more often, they'll have the problems more often.
If I had the time, I'd engage in some serious resilience testing of a samba/winbind config as used for MSCHAP and try and identify the cause (and open some bugs) and any mitigations. But I don't :o(
Unfortunately, if you run AD and have significant numbers of Windows clients, you don't really have any choice but to use MSCHAP, and thus samba/winbind, IMO.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/** list/users.html <http://www.freeradius.org/list/users.html>
On 07/01/13 16:49, Khapare Joshi wrote:
Hello
I been having problem as listed in this bug list:
https://bugzilla.samba.org/show_bug.cgi?id=6563#c59
I know at least few university having similar issue and ended up with restarting winbind - that resolve the issue. I am not sure which version of samba+winbind are you using?
We are on RHEL5 using samba3x-3.3.8-0.52.el5_5.2. Our domain is Windows 2008R2, domain functional level is 2008R2 native.
Also, I am just thinking, is there a way to configure both kerberos (which works TTLS with PAP) and EAP-PEAP with MSCHAPv2 ? if it is possible I can support both TTLS via kerberos and PEAP - MCHAP with Active directory (winbind and samba). This way I can continue support older $$$client xp, win7 and for rest those are supported I can enforce to use TTLS-PAP with kerberos. It would be great if you direct me in right road.
Yes you can do this. I'm not sure what you're asking. You just configure each component correct and let it work. This is only very slightly tricky because rlm_krb5 doesn't contain any Auth-Type handling; you need to run krb5 if it's a PAP request, see below. But you must already be doing this if you're using Kerberos, so just... keep doing it. sites-enabled/inner-tunnel: authorize { ... eap mschap pap ... } authenticate { Auth-Type PAP { krb5 } Auth-Type MSCHAP { mschap } eap } ...then configure "eap {}" appropriately for TTLS and PEAP.
HI, Thanks, On Mon, Jan 7, 2013 at 5:41 PM, Phil Mayers <p.mayers@imperial.ac.uk> wrote:
On 07/01/13 16:49, Khapare Joshi wrote:
Hello
I been having problem as listed in this bug list:
I know at least few university having similar issue and ended up with restarting winbind - that resolve the issue. I am not sure which version of samba+winbind are you using?
We are on RHEL5 using samba3x-3.3.8-0.52.el5_5.2. Our domain is Windows 2008R2, domain functional level is 2008R2 native.
I am running on: CENTOS6 samba-winbind-3.5.10-125.el6.x86_64 samba-3.5.10-125.el6.x86_64 samba-common-3.5.10-125.el6.x86_64
Also, I am just thinking, is there a way to configure both kerberos (which works TTLS with PAP) and EAP-PEAP with MSCHAPv2 ? if it is possible I can support both TTLS via kerberos and PEAP - MCHAP with Active directory (winbind and samba). This way I can continue support older $$$client xp, win7 and for rest those are supported I can enforce to use TTLS-PAP with kerberos. It would be great if you direct me in right road.
Yes you can do this. I'm not sure what you're asking. You just configure each component correct and let it work.
oh, I meant to support mschap as well. At the moment in my development environment I could not authenticate from windows 7 client because I can only choose mschap option.
This is only very slightly tricky because rlm_krb5 doesn't contain any Auth-Type handling; you need to run krb5 if it's a PAP request, see below. But you must already be doing this if you're using Kerberos, so just... keep doing it.
Yes, Kerberos is working right now, What I did was :
Added /etc/raddb/site-enabled/inner-tunnel right after the Auth-Type PAP Auth-Type kerberos { krb5 } and DEFAULT AUTH-Type = kerberos in users file. sites-enabled/inner-tunnel:
authorize { ... eap mschap pap ... }
authenticate { Auth-Type PAP { krb5 } Auth-Type MSCHAP { mschap } eap }
...then configure "eap {}" appropriately for TTLS and PEAP.
To make this work, I still have to configure samba, join radius server to AD and so on for the AD authentication right ? but, kerberos only works with PAP, is there a security risk - what is your view on this?
- List info/subscribe/unsubscribe? See http://www.freeradius.org/** list/users.html <http://www.freeradius.org/list/users.html>
On 08/01/13 10:31, Khapare Joshi wrote:
I am running on: CENTOS6 samba-winbind-3.5.10-125.el6.x86_64 samba-3.5.10-125.el6.x86_64 samba-common-3.5.10-125.el6.x86_64
Ok. Unfortunately this isn't nearly enough data to speculate about what your problems might be. To be honest, I don't even know what data *would* tell us that - but it would certainly include your AD server OS version and domain functional level. But this is really off-topic - if you have Samba problems, the Samba list is the place to discuss them.
and DEFAULT AUTH-Type = kerberos in users file.
No, this is wrong. Don't do this. It may stop you doing mschap. If you *must* set Auth-Type, you need to ensure it's done correctly - only set if unset, and if it's PAP - which can be done in unlang like so: authorize { ... eap mschap # if Auth-Type isn't set yet if (!control:Auth-Type) { # AND if it's a PAP request (contains User-Password) if (User-Password) { # use Kerberos update control { Auth-Type := kerberos } } } ... }
To make this work, I still have to configure samba, join radius server to AD and so on for the AD authentication right ?
Yes.
but, kerberos only works with PAP, is there a security risk - what is your view on this?
View on what? Vague questions like "is there a security risk" don't really mean anything. Let me answer a different question: In my opinion, given current state-of-the-art in cryptography, TTLS/PAP is not appreciably more or less secure than PEAP/MSCHAP. They both have very similar security properties, and are close to identical at the protocol level. The use of TTLS/PAP provides more options in backend password storage / authentication server, but that's separate from the security of the protocol.
participants (3)
-
Alan Buxey -
Khapare Joshi -
Phil Mayers