Authenticating against Win2k8r2 without ntlm_auth
Thomas Smith
theitsmith at gmail.com
Sun Apr 24 01:48:58 CEST 2011
Hi,
I'm using FreeRADIUS 2.1.7 on RHEL 5.6.
My AD admins recently upgraded from Win2k3 to Win2k8r2. As a result,
this broke compatibility with Samba 3.0.x--so I was forced to upgrade
to Samba 3.5.x to resolve those issues. To further complicate things,
I use Likewise Enterprise to provide AD integration--for compatibility
with Samba 3.5.x, I had to upgrade from Likewise 5.x to 6.0.
While Samba 3.5 and Likewise 6 fixed the problems authenticating
against Win2k8r2, Likewise removed support for Samba/Winbind in their
6.x series product (they included full support for Samba/Winbind in
their 5.x series product)--they now use their own libraries to provide
"winbind" functionality. The result of this is that the Samba-included
ntlm_auth no longer works (and Likewise doesn't provide a comparable
replacement)--since my FreeRADIUS install was using ntlm_auth for AD
authentication and authorization, it is no longer working.
So I'm looking at alternate ways of authenticating against Win2k8r2. I
was hoping to get some input from the list regarding this.
The FreeRADIUS server is fully configured (via Likewise Enterprise) to
authenticate against AD using Kerberos. Authorization is also provided
by Likewise Enterprise through other libraries.
Both authentication and authorization function properly at the OS
level and it integrates well with PAM and anything that can use
Kerberos for authentication--so you can do things like log into the
server via SSH using AD credentials.
I currently only use FreeRADIUS to provide access to VPN clients--the
VPN server is a Cisco ASA. I am also working on a Cisco Aironet
deployment that will use FreeRADIUS, though this hasn't been
configured yet (I'm in the early stages of that deployment).
I don't really care if authorization is local or via AD, but I would
definitely like authentication to occur via AD.
So barring ntlm_auth, is there a good/better/best way of connecting
FreeRADIUS to AD? PAM? Kerberos? LDAP?
~ Tom
More information about the Freeradius-Users
mailing list