hi users, I know there are howtos and as a novice I've been reading whatever I could find but I still fail to have my radius 3.0.4 talk to AD 2014. I'm hoping some expert would share a pointer to a nice & working tutorial on how to setup active directory. I've gotten it up to winbind bit working fine, seems samba+winbind are doing ok, and before I dump my configs I'd like to say I followed these: https://www.unixmen.com/freeradius-active-directory-integration-with-ntlm-ms... http://deployingradius.com/documents/configuration/active_directory.html ... and a few more. What I'm hoping to have might be a bit nonstandard(?) - it might be that I don't need that, that I don't need full domain name. before I dump the configs here, I test radius: $ radtest -t mschap pe243@my.domain.local my.Pass $(hostname -f) 1812 radius.Pass and I see: (2) } # filter_username filter_username = notfound (2) [preprocess] = ok (2) [chap] = noop (2) mschap : Found MS-CHAP attributes. Setting 'Auth-Type = mschap' (2) [mschap] = ok (2) [digest] = noop (2) suffix : Checking for suffix after "@" (2) suffix : Looking up realm "my.domain.local" for User-Name = "pe243@my.domain.local" (2) suffix : No such realm "my.domain.local" (2) [suffix] = noop (2) eap : No EAP-Message, not doing EAP (2) [eap] = noop (2) [unix] = notfound (2) [files] = noop (2) [expiration] = noop (2) [logintime] = noop (2) WARNING: pap : No "known good" password found for the user. Not setting Auth-Type (2) WARNING: pap : Authentication will fail unless a "known good" password is available (2) [pap] = noop (2) } # authorize = ok (2) Found Auth-Type = MSCHAP (2) # Executing group from file /etc/raddb/sites-enabled/default (2) Auth-Type MS-CHAP { (2) mschap : Client is using MS-CHAPv1 with NT-Password Executing: /usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}: (2) mschap : EXPAND --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} (2) mschap : --> --username=pe243@my.domain.local (2) mschap : mschap1: 53 (2) mschap : EXPAND --challenge=%{%{mschap:Challenge}:-00} (2) mschap : --> --challenge=53a9b819d2f4c974 (2) mschap : EXPAND --nt-response=%{%{mschap:NT-Response}:-00} (2) mschap : --> --nt-response=eaaf1863833782d3cfc44549b99ba2a0831afaf3b25b13a6 Program returned code (1) and output 'Reading winbind reply failed! (0xc0000001)' (2) mschap : External script failed (2) ERROR: mschap : External script says: Reading winbind reply failed! (0xc0000001) (2) ERROR: mschap : MS-CHAP-Response is incorrect (2) [mschap] = reject (2) } # Auth-Type MS-CHAP = reject (2) Failed to authenticate the user (2) Using Post-Auth-Type Reject I use @domain for I hope to have to separate users catalogs where usernames might/will duplicate. But I test user without @part and it fails the same way. many thanks, L
On Jun 15, 2016, at 11:42 AM, lejeczek via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
I know there are howtos and as a novice I've been reading whatever I could find but I still fail to have my radius 3.0.4 talk to AD 2014.
I'm hoping some expert would share a pointer to a nice & working tutorial on how to setup active directory.
I've gotten it up to winbind bit working fine, seems samba+winbind are doing ok, and before I dump my configs I'd like to say I followed these:
https://www.unixmen.com/freeradius-active-directory-integration-with-ntlm-ms...
I haven't seen that one.
http://deployingradius.com/documents/configuration/active_directory.html
That's mine. It works.
... and a few more.
What I'm hoping to have might be a bit nonstandard(?) - it might be that I don't need that, that I don't need full domain name.
That's fine. It doesn't make any difference.
before I dump the configs here, I test radius:
$ radtest -t mschap pe243@my.domain.local my.Pass $(hostname -f) 1812 radius.Pass
Executing: /usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}: (2) mschap : EXPAND --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} (2) mschap : --> --username=pe243@my.domain.local (2) mschap : mschap1: 53 (2) mschap : EXPAND --challenge=%{%{mschap:Challenge}:-00} (2) mschap : --> --challenge=53a9b819d2f4c974 (2) mschap : EXPAND --nt-response=%{%{mschap:NT-Response}:-00} (2) mschap : --> --nt-response=eaaf1863833782d3cfc44549b99ba2a0831afaf3b25b13a6 Program returned code (1) and output 'Reading winbind reply failed! (0xc0000001)'
Something is wrong with winbind. Use the above debug output to test it on the command line: $ /usr/bin/ntlm_auth --request-nt-key --username=pe243@my.domain.local --challenge=53a9b819d2f4c974 --nt-response=eaaf1863833782d3cfc44549b99ba2a0831afaf3b25b13a6 Don't bother with any FreeRADIUS testing until the above command works. See the Samba documentation for debugging winbind problems. Alan DeKok.
On Wed, Jun 15, 2016 at 11:50:57AM -0400, Alan DeKok wrote:
On Jun 15, 2016, at 11:42 AM, lejeczek via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
https://www.unixmen.com/freeradius-active-directory-integration-with-ntlm-ms...
I haven't seen that one.
That has stuff in it (at least Kerberos configuration and nsswitch.conf) that you generally don't need to do. You just set "realm" and "password server" in smb.conf.
Don't bother with any FreeRADIUS testing until the above command works. See the Samba documentation for debugging winbind problems.
General order to get things working is - Configure Samba and join to the domain. - Make sure "net ads testjoin" returns "Join is OK" - Make sure winbind is running - Make sure ntlm_auth will successfully authenticate from the shell - Make sure permissions/group are right on the winbind privileged socket - Make sure ntlm_auth will successfully authenticate from the shell when running as the FreeRADIUS user/group - Configure and test FreeRADIUS. If _any_ of the steps is not right then fix that before moving on to the next, otherwise it just won't work. This will also give a big hint as to where the problem lies. The above is just as valid when using direct libwbclient configuration rather than ntlm_auth. Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
On 15/06/16 17:06, Matthew Newton wrote:
On Wed, Jun 15, 2016 at 11:50:57AM -0400, Alan DeKok wrote:
On Jun 15, 2016, at 11:42 AM, lejeczek via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
https://www.unixmen.com/freeradius-active-directory-integration-with-ntlm-ms... I haven't seen that one. That has stuff in it (at least Kerberos configuration and nsswitch.conf) that you generally don't need to do. You just set "realm" and "password server" in smb.conf.
Don't bother with any FreeRADIUS testing until the above command works. See the Samba documentation for debugging winbind problems. General order to get things working is
- Configure Samba and join to the domain.
- Make sure "net ads testjoin" returns "Join is OK"
- Make sure winbind is running
- Make sure ntlm_auth will successfully authenticate from the shell
- Make sure permissions/group are right on the winbind privileged socket here, I missed radius to winbind's fs access. Now I have $ radtest -t mschap ... working, but I don't quite grasp why one has to test with "-t". When I now test without "-t" it still fails with:
(3) } # filter_username filter_username = notfound (3) [preprocess] = ok (3) [chap] = noop (3) [mschap] = noop (3) [digest] = noop (3) suffix : Checking for suffix after "@" (3) suffix : Looking up realm "my.domain.local" for User-Name = "pe243@my.domain.local" (3) suffix : Found realm "my.domain.local" (3) suffix : Adding Stripped-User-Name = "pe243" (3) suffix : Adding Realm = "my.domain.local" (3) suffix : Authentication realm is LOCAL (3) [suffix] = ok (3) eap : No EAP-Message, not doing EAP (3) [eap] = noop (3) [unix] = notfound (3) [files] = noop (3) [expiration] = noop (3) [logintime] = noop (3) WARNING: pap : No "known good" password found for the user. Not setting Auth-Type (3) WARNING: pap : Authentication will fail unless a "known good" password is available (3) [pap] = noop (3) } # authorize = ok (3) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject (3) Failed to authenticate the user (3) Using Post-Auth-Type Reject (3) # Executing group from file /etc/raddb/sites-enabled/default (3) Post-Auth-Type REJECT { (3) attr_filter.access_reject : EXPAND %{User-Name} (3) attr_filter.access_reject : --> pe243@my.domain.local (3) attr_filter.access_reject : Matched entry DEFAULT at line 11 (3) [attr_filter.access_reject] = updated (3) eap : Request didn't contain an EAP-Message, not inserting EAP-Failure (3) [eap] = noop (3) remove_reply_message_if_eap remove_reply_message_if_eap { (3) if (&reply:EAP-Message && &reply:Reply-Message) (3) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (3) else else { (3) [noop] = noop (3) } # else else = noop (3) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop (3) } # Post-Auth-Type REJECT = updated thanks a lot!
- Make sure ntlm_auth will successfully authenticate from the shell when running as the FreeRADIUS user/group
- Configure and test FreeRADIUS.
If _any_ of the steps is not right then fix that before moving on to the next, otherwise it just won't work. This will also give a big hint as to where the problem lies.
The above is just as valid when using direct libwbclient configuration rather than ntlm_auth.
Matthew
On Thu, Jun 16, 2016 at 03:25:12PM +0100, lejeczek via Freeradius-Users wrote:
Now I have $ radtest -t mschap ... working, but I don't quite grasp why one has to test with "-t". When I now test without "-t" it still fails with:
Well, "-t mschap" sends an MSCHAP auth request, which is what you've configured. Without -t you're sending a PAP request, which you haven't configured (see mods-available/ntlm_auth if you need to do this; most people likely don't). So the first works and the second doesn't. Matthew
(3) } # filter_username filter_username = notfound (3) [preprocess] = ok (3) [chap] = noop (3) [mschap] = noop (3) [digest] = noop (3) suffix : Checking for suffix after "@" (3) suffix : Looking up realm "my.domain.local" for User-Name = "pe243@my.domain.local" (3) suffix : Found realm "my.domain.local" (3) suffix : Adding Stripped-User-Name = "pe243" (3) suffix : Adding Realm = "my.domain.local" (3) suffix : Authentication realm is LOCAL (3) [suffix] = ok (3) eap : No EAP-Message, not doing EAP (3) [eap] = noop (3) [unix] = notfound (3) [files] = noop (3) [expiration] = noop (3) [logintime] = noop (3) WARNING: pap : No "known good" password found for the user. Not setting Auth-Type (3) WARNING: pap : Authentication will fail unless a "known good" password is available (3) [pap] = noop (3) } # authorize = ok (3) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject (3) Failed to authenticate the user (3) Using Post-Auth-Type Reject (3) # Executing group from file /etc/raddb/sites-enabled/default (3) Post-Auth-Type REJECT { (3) attr_filter.access_reject : EXPAND %{User-Name} (3) attr_filter.access_reject : --> pe243@my.domain.local (3) attr_filter.access_reject : Matched entry DEFAULT at line 11 (3) [attr_filter.access_reject] = updated (3) eap : Request didn't contain an EAP-Message, not inserting EAP-Failure (3) [eap] = noop (3) remove_reply_message_if_eap remove_reply_message_if_eap { (3) if (&reply:EAP-Message && &reply:Reply-Message) (3) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (3) else else { (3) [noop] = noop (3) } # else else = noop (3) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop (3) } # Post-Auth-Type REJECT = updated
-- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
On 16/06/16 15:54, Matthew Newton wrote:
On Thu, Jun 16, 2016 at 03:25:12PM +0100, lejeczek via Freeradius-Users wrote:
Now I have $ radtest -t mschap ... working, but I don't quite grasp why one has to test with "-t". When I now test without "-t" it still fails with: Well, "-t mschap" sends an MSCHAP auth request, which is what you've configured.
Without -t you're sending a PAP request, which you haven't configured (see mods-available/ntlm_auth if you need to do this; most people likely don't).
So the first works and the second doesn't.
Matthew what I don't get is - this is radtest but how does it matter to a radius clients, say a net switch? Do all the clients have to specify auth method? I thought we configure this different "backends" so radius server will traverse them all in search of a user account of which client has to know none. One more thing - having mschap/ntlm I do not need to configure radius server to lookup AD's ldap at the same time, do I? Would there be a case when one would have both ntlm & ldap go to the same on AD?
(3) } # filter_username filter_username = notfound (3) [preprocess] = ok (3) [chap] = noop (3) [mschap] = noop (3) [digest] = noop (3) suffix : Checking for suffix after "@" (3) suffix : Looking up realm "my.domain.local" for User-Name = "pe243@my.domain.local" (3) suffix : Found realm "my.domain.local" (3) suffix : Adding Stripped-User-Name = "pe243" (3) suffix : Adding Realm = "my.domain.local" (3) suffix : Authentication realm is LOCAL (3) [suffix] = ok (3) eap : No EAP-Message, not doing EAP (3) [eap] = noop (3) [unix] = notfound (3) [files] = noop (3) [expiration] = noop (3) [logintime] = noop (3) WARNING: pap : No "known good" password found for the user. Not setting Auth-Type (3) WARNING: pap : Authentication will fail unless a "known good" password is available (3) [pap] = noop (3) } # authorize = ok (3) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject (3) Failed to authenticate the user (3) Using Post-Auth-Type Reject (3) # Executing group from file /etc/raddb/sites-enabled/default (3) Post-Auth-Type REJECT { (3) attr_filter.access_reject : EXPAND %{User-Name} (3) attr_filter.access_reject : --> pe243@my.domain.local (3) attr_filter.access_reject : Matched entry DEFAULT at line 11 (3) [attr_filter.access_reject] = updated (3) eap : Request didn't contain an EAP-Message, not inserting EAP-Failure (3) [eap] = noop (3) remove_reply_message_if_eap remove_reply_message_if_eap { (3) if (&reply:EAP-Message && &reply:Reply-Message) (3) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (3) else else { (3) [noop] = noop (3) } # else else = noop (3) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop (3) } # Post-Auth-Type REJECT = updated
On Thu, Jun 16, 2016 at 04:05:49PM +0100, lejeczek via Freeradius-Users wrote:
what I don't get is - this is radtest but how does it matter to a radius clients, say a net switch? Do all the clients have to specify auth method?
Clients send different types of authentication to the RADIUS server. You need to know what your clients are doing. Yes, the client drives which auth method is used.
I thought we configure this different "backends" so radius server will traverse them all in search of a user account of which client has to know none.
Of course - you have to configure the server to handle whatever all your clients send. If the clients will send PAP requests which you want to authenticate against AD, then you'll need to configure FreeRADIUS to do that. The standard "pap" module will handle PAP requests when the password has been pulled out of a backend database (local file, sql, ldap etc) but not AD because it won't give you access to the password hash.
One more thing - having mschap/ntlm I do not need to configure radius server to lookup AD's ldap at the same time, do I? Would there be a case when one would have both ntlm & ldap go to the same on AD?
You configure ldap lookup against AD if you want to pull back LDAP attributes to enforce some policy. If you're just doing auth then you likely don't need it. Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
Hi,
What I'm hoping to have might be a bit nonstandard(?) - it might be that I don't need that, that I don't need full domain name.
so ensure your realm is being handled
(2) suffix : Looking up realm "my.domain.local" for User-Name = "pe243@my.domain.local" (2) suffix : No such realm "my.domain.local"
add realm my.domain.local { strip } to proxy.conf now, when suffix runs, it will see your realm, know to deal with it locally but also populate p243 as Stripped-User-Name which then means that:
(2) mschap : Client is using MS-CHAPv1 with NT-Password Executing: /usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}: (2) mschap : EXPAND --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} (2) mschap : --> --username=pe243@my.domain.local
--username will now be the right value with no realm if, however, you do need to use the realm then you need to ensure that, on command line, ntlm_auth works with the realm - usually done by adding the realm as a UPN in AD alan
participants (4)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
lejeczek -
Matthew Newton