FR/AD integration
E Rossiter
phedup at gmail.com
Sat Feb 19 01:11:57 CET 2011
I'm trying to use FR to query AD as an authentication oracle, set up per the
docs at
http://deployingradius.com/documents/configuration/active_directory.html and
several others pertaining to setting up Kerberos and winbind.
smb/krb/winbind all run. The usual testing commands (wbinfo, kinit, klist,
net join, etc.) all produce the proper output.
FreeRADIUS Version 2.1.7,
CentOS 5.5 2.6.18-194.32.1.el5 #1 SMP
Samba Version 3.3.8-0.52.el5_5.2
KRB5
I have been able to authenticate and authorize accounts using PAP via a
Juniper device and a Dell PC 3448. I am now trying to expand beyond PAP and
use ntlm_auth and eventually MSCHAP.
Upon issuing the command:
ntlm_auth --request-nt-key --domain=ADMIN.CYTEWORKS.LOCAL
--username=eric.rossiter --password=Cyt3w0rk5
I receive: NT_STATUS_OK: Success (0x0), but I do not see any reference to
an NT_KEY.
I believe that's why the radtest command is failing:
radtest sambatest somepass localhost 0 somesecret
Sending Access-Request of id 225 to 127.0.0.1 port 1812
User-Name = "sambatest"
User-Password = "somepass"
NAS-IP-Address = 64.126.127.208
NAS-Port = 0
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=225,
length=20
I've been reading, researching and testing for 3 weeks, but I'm stuck now.
radiusd -X output:
rad_recv: Access-Request packet from host 127.0.0.1 port 39195, id=4,
length=61
User-Name = "sambatest"
User-Password = "somepass"
NAS-IP-Address = 64.126.127.208
NAS-Port = 0
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand:
/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d ->
/var/log/radius/radacct/127.0.0.1/auth-detail-20110218
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /var/log/radius/radacct/127.0.0.1/auth-detail-20110218
[auth_log] expand: %t -> Fri Feb 18 17:19:10 2011
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "sambatest", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 17
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication
may fail because of this.
++[pap] returns noop
Found Auth-Type = ntlm_auth
+- entering group authenticate {...}
[ntlm_auth] expand: --username=%{mschap:User-Name} ->
--username=sambatest
[ntlm_auth] expand: --password=%{User-Password} -> --password=somepass
username must be specified!
*# don't understand this... the username is two lines up. If I shut down
winbind, a winbind error precedes "username must be specified!". Don't
understand why samba is puking a help screen? #*
Usage: [OPTION...]
--helper-protocol=helper protocol to use operate as a stdio-based
helper
--username=STRING username
--domain=STRING domain name
--workstation=STRING workstation
--challenge=STRING challenge (HEX encoded)
--lm-response=STRING LM Response to the challenge
(HEX encoded)
--nt-response=STRING NT or NTLMv2 Response to the
challenge (HEX encoded)
--password=STRING User's plaintext password
--request-lm-key Retrieve LM session key
--request-nt-key Retrieve User (NT) session
key
--use-cached-creds Use cached credentials if no
password is given
--diagnostics Perform diagnostics on the
authentictaion chain
--require-membership-of=STRING Require that a user be a
member
of this group (either name or
SID) for authentication to
succeed
Help options:
-?, --help Show this help message
--usage Display brief usage message
Common samba config:
--configfile=CONFIGFILE Use alternate configuration
file
Common samba options:
-V, --version Print version
Exec-Program output:
Exec-Program: returned: 1
++[ntlm_auth] returns reject
Failed to authenticate the user.
Login incorrect: [sambatest/somepass] (from client 127.0.0.1 port 0)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> sambatest
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 2 for 2 seconds
Going to the next request
Waking up in 0.9 seconds.
Waking up in 0.9 seconds.
Sending delayed reject for request 2
Sending Access-Reject of id 4 to 127.0.0.1 port 39195
Waking up in 4.9 seconds.
Cleaning up request 2 ID 4 with timestamp +349
Ready to process requests.
wbin^H^H^Hrad_recv: Access-Request packet from host 127.0.0.1 port 57210,
id=225, length=61
User-Name = "sambatest"
User-Password = "somepass"
NAS-IP-Address = 64.126.127.208
NAS-Port = 0
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand:
/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d ->
/var/log/radius/radacct/127.0.0.1/auth-detail-20110218
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /var/log/radius/radacct/127.0.0.1/auth-detail-20110218
[auth_log] expand: %t -> Fri Feb 18 17:32:09 2011
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "sambatest", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 17
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication
may fail because of this.
++[pap] returns noop
Found Auth-Type = ntlm_auth
+- entering group authenticate {...}
[ntlm_auth] expand: --username=%{mschap:User-Name} ->
--username=sambatest
[ntlm_auth] expand: --password=%{User-Password} -> --password=Thursday77
username must be specified!
Usage: [OPTION...]
--helper-protocol=helper protocol to use operate as a stdio-based
helper
--username=STRING username
--domain=STRING domain name
--workstation=STRING workstation
--challenge=STRING challenge (HEX encoded)
--lm-response=STRING LM Response to the challenge
(HEX encoded)
--nt-response=STRING NT or NTLMv2 Response to the
challenge (HEX encoded)
--password=STRING User's plaintext password
--request-lm-key Retrieve LM session key
--request-nt-key Retrieve User (NT) session
key
--use-cached-creds Use cached credentials if no
password is given
--diagnostics Perform diagnostics on the
authentictaion chain
--require-membership-of=STRING Require that a user be a
member
of this group (either name or
SID) for authentication to
succeed
Help options:
-?, --help Show this help message
--usage Display brief usage message
Common samba config:
--configfile=CONFIGFILE Use alternate configuration
file
Common samba options:
-V, --version Print version
Exec-Program output:
Exec-Program: returned: 1
++[ntlm_auth] returns reject
Failed to authenticate the user.
Login incorrect: [sambatest/Thursday77] (from client 127.0.0.1 port 0)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> sambatest
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 3 for 2 seconds
Going to the next request
Waking up in 0.9 seconds.
Waking up in 0.9 seconds.
Sending delayed reject for request 3
Sending Access-Reject of id 225 to 127.0.0.1 port 57210
Waking up in 4.9 seconds.
Cleaning up request 3 ID 225 with timestamp +1128
Ready to process requests.
/etc/krb.conf:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = ADMIN.CYTEWORKS.LOCAL
# all of these entries have been used for testing and are commented out now
# dns_lookup_realm = false
# dns_lookup_kdc = true
# ticket_lifetime = 24h
# forwardable = yes
# default_tgs_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
# default_tkt_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
# preferred_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
[realms]
ADMIN.CYTEWORKS.LOCAL = {
kdc = cyteworks.admin.cyteworks.local
admin_server = cyteworks.admin.cyteworks.local
default_domain = ADMIN.CYTEWORKS.LOCAL
}
[domain_realm]
.cyteworks.local = ADMIN.CYTEWORKS.LOCAL
cyteworks.local = ADMIN.CYTEWORKS.LOCAL
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
/etc/samba/smb.conf
#======================= Global Settings =====================================
[global]
idmap uid = 200000 - 300000
idmap gid = 200000 - 300000
workgroup = ADMIN
; netbios name = cyteworks
realm = ADMIN.CYTEWORKS.LOCAL
server string = Samba Server Version %v
security = ads
local master = no
domain master = no
preferred master = no
winbind separator = +
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
; interfaces = lo eth0 192.168.12.2/24 192.168.13.2/24
hosts allow = 127. 192.168.5. 192.168.6. 10.12.1. 10.12.2. 10.12.3. 10.12.4 10.88.8
# --------------------------- Logging Options -----------------------------
#
# Log File let you specify where to put logs and how to split them up.
#
# Max Log Size let you specify the max size log files should reach
# logs split per machine
log file = /var/log/samba/log.%m
# max 50KB per log file, then rotate
max log size = 50
# ----------------------- Domain Members Options ------------------------
; password server = *
security = ads
; passdb backend = tdbsam
realm = ADMIN.CYTEWORKS.LOCAL
; password server = 10.12.1.40
Everything else is commented out in smb.conf. Don't need any printers, no
shares, etc.
/etc/raddb/radius.conf:
# -*- text -*-
##
#
prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = /usr/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
name = radiusd
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/${name}
db_dir = ${raddbdir}
libdir = /usr/lib/freeradius
pidfile = ${run_dir}/${name}.pid
user = radiusd
group = radiusd
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
listen {
type = auth
ipaddr = *
port = 0
clients = per_socket_clients
}
listen {
ipaddr = *
port = 0
type = acct
clients = per_socket_clients
}
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
log {
destination = files
file = ${logdir}/radius.log
syslog_facility = daemon
stripped_names = yes
auth = yes
auth_badpass = yes
auth_goodpass = yes
}
checkrad = ${sbindir}/checkrad
security {
max_attributes = 200
reject_delay = 2
status_server = yes
}
proxy_requests = no
$INCLUDE clients.conf
thread pool {
start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 0
}
modules {
$INCLUDE ${confdir}/modules/
$INCLUDE eap.conf
}
instantiate {
exec
expr
expiration
logintime
}
$INCLUDE policy.conf
$INCLUDE sites-enabled/
/etc/raddb/clients.conf:
# -*- text -*-
##
## clients.conf -- client configuration directives
##
client localhost {
ipaddr = 127.0.0.1
secret = somesecret
require_message_authenticator = yes
shortname = localhost
nastype = other # localhost isn't usually a NAS...
}
clients per_socket_clients {
client 127.0.0.1 {
secret = somesecret
}
# Juniper - ESR - 01.24.11
client 192.168.20.254 {
secret = somesecret
shortname = juniper
nastype = netscreen
}
# Dell PowerConnect 3448 - ESR - 02.01.11
client 10.12.1.11 {
secret = somesecret
shortname = dpc3448
nastype = other
}
}
/etc/raddb/users
# -*- text -*-
#
# Copyright (C) 2009 Deploying RADIUS Partnerships
# All rights reserved.
#
# Save this file as "raddb/users", after first backing up
# the copy that you have there.
#
# http://deployingradius.com/documents/configuration/pap.html
#
# Window 1: radiusd -X
# Window 2: radtest bob hello localhost 0 testing123
#
# ntlm_auth testing ESR 02.17.11
DEFAULT Auth-Type = ntlm_auth
#************************ Juniper conf
# - ESR - 01.24.11
#some.user Cleartext-Password := "somepass"
# NS-Admin-Privilege := 4,
# NS-VSYS-Name := "Read-Only-Admin"
#some.user Cleartext-Password := "somepass"
# NS-Admin-Privilege := 2,
# NS-VSYS-Name := "ROOT"
# End of the file
I commented out the PAP entries in the users file because one of the users
has the same user.name in AD but a different password, and that was causing
me some conflict.
So, can anyone tell me why I'm not getting an *NT_KEY* reply when I issue
the *ntlm_auth* command?
Is the missing key the reason the *radtest* command is failing? See any
other glaring errors?
Thanks for your time.
E Rossiter
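The debug transcripts above show two things a practitioner wants to pull out quickly from `radiusd -X` output: which module in `authenticate` produced the reject and whether the `ntlm_auth` helper actually attempted a logon (an `NT_STATUS_*` line) or never got that far (its usage banner plus `username must be specified!`, as here), and that the transcript itself carries cleartext credentials (the `User-Password` attribute and the expanded `--password=` argument) that should be scrubbed before the log is shared. The following Python script is an added example, not part of this post and not FreeRADIUS or Samba code; it parses a constructed sample modelled on the post's debug output (request id=4 reproduces the usage-banner case, request id=5 is a constructed logon failure added for contrast; the `NT_STATUS_LOGON_FAILURE` text is an assumption about the helper's wording) and classifies each request.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample modelled on the radiusd -X output quoted in the post.
# id=4: helper printed its usage banner; id=5: constructed genuine logon failure.
SAMPLE_DEBUG = """\
rad_recv: Access-Request packet from host 127.0.0.1 port 39195, id=4, length=61
\tUser-Name = "sambatest"
\tUser-Password = "somepass"
\tNAS-IP-Address = 64.126.127.208
+- entering group authorize {...}
++[preprocess] returns ok
++[pap] returns noop
Found Auth-Type = ntlm_auth
+- entering group authenticate {...}
[ntlm_auth] expand: --username=%{mschap:User-Name} -> --username=sambatest
[ntlm_auth] expand: --password=%{User-Password} -> --password=somepass
username must be specified!
Usage: [OPTION...]
Exec-Program output:
Exec-Program: returned: 1
++[ntlm_auth] returns reject
Failed to authenticate the user.
Sending Access-Reject of id 4 to 127.0.0.1 port 39195
rad_recv: Access-Request packet from host 127.0.0.1 port 39196, id=5, length=61
\tUser-Name = "sambatest"
\tUser-Password = "wrongpass"
+- entering group authorize {...}
Found Auth-Type = ntlm_auth
+- entering group authenticate {...}
[ntlm_auth] expand: --password=%{User-Password} -> --password=wrongpass
NT_STATUS_LOGON_FAILURE: Logon failure (0xc000006d)
Exec-Program output:
Exec-Program: returned: 1
++[ntlm_auth] returns reject
Sending Access-Reject of id 5 to 127.0.0.1 port 39196
"""

RAD_RECV = re.compile(r"^rad_recv: Access-Request packet from host (\S+) port \d+, id=(\d+)")
SECTION = re.compile(r"^\+- entering group (\w+)")
MODULE_RC = re.compile(r"^\+\+\[([\w.]+)\] returns (\w+)")
AUTH_TYPE = re.compile(r"^Found Auth-Type = (\S+)")
EXEC_RC = re.compile(r"^Exec-Program: returned: (-?\d+)")
REPLY = re.compile(r"^Sending Access-(Accept|Reject|Challenge) of id (\d+)")
ATTR = re.compile(r'^\s*([\w-]+) = "?([^"]*)"?$')  # packet attribute lines


@dataclass
class Request:
    pkt_id: int
    client: str
    user: Optional[str] = None
    auth_type: Optional[str] = None
    reply: Optional[str] = None
    exec_rc: Optional[int] = None
    modules: List[Tuple[Optional[str], str, str]] = field(default_factory=list)  # (section, module, rcode)
    helper_output: List[str] = field(default_factory=list)      # lines the exec'd helper printed
    cleartext_secrets: List[str] = field(default_factory=list)  # where a password is visible


def parse_debug(text: str) -> List[Request]:
    """Split radiusd -X output into per-request records."""
    requests: List[Request] = []
    cur: Optional[Request] = None
    section: Optional[str] = None
    capturing = False  # True while inside 'authenticate' before 'Exec-Program output:'
    for line in text.splitlines():
        m = RAD_RECV.match(line)
        if m:
            cur = Request(pkt_id=int(m.group(2)), client=m.group(1))
            requests.append(cur)
            section, capturing = None, False
            continue
        if cur is None:
            continue
        if (m := SECTION.match(line)):
            section = m.group(1)
            capturing = section == "authenticate"
            continue
        if (m := MODULE_RC.match(line)):
            cur.modules.append((section, m.group(1), m.group(2)))
            continue
        if (m := AUTH_TYPE.match(line)):
            cur.auth_type = m.group(1)
            continue
        if (m := EXEC_RC.match(line)):
            cur.exec_rc = int(m.group(1))
            continue
        if line.startswith("Exec-Program output:"):
            capturing = False
            continue
        if (m := REPLY.match(line)):
            cur.reply = m.group(1)
            continue
        if line.startswith("[") and "expand:" in line and "--password=" in line:
            cur.cleartext_secrets.append("--password expansion")
            continue
        if section is None:  # still reading the packet's attributes
            if (m := ATTR.match(line)):
                name, value = m.groups()
                if name == "User-Name":
                    cur.user = value
                elif name == "User-Password" and value:
                    cur.cleartext_secrets.append("User-Password attribute")
            continue
        if capturing and not line.startswith(("[", "+")):
            cur.helper_output.append(line)
    return requests


def rejecting_module(req: Request) -> Optional[str]:
    return next((mod for _, mod, rc in req.modules if rc == "reject"), None)


def classify(req: Request) -> str:
    """accept | helper_usage_error | helper_logon_failure | reject_other | unknown"""
    out = "\n".join(req.helper_output)
    if req.reply == "Accept":
        return "accept"
    if "must be specified" in out or "Usage:" in out:
        return "helper_usage_error"  # helper rejected its arguments; no logon was attempted
    if "NT_STATUS_" in out and "NT_STATUS_OK" not in out:
        return "helper_logon_failure"  # helper reached the DC and the credentials were refused
    if rejecting_module(req):
        return "reject_other"
    return "unknown"


def explain(req: Request) -> str:
    kind = classify(req)
    msg = f"id={req.pkt_id} user={req.user} auth_type={req.auth_type} "
    msg += f"reject_by={rejecting_module(req)} helper_rc={req.exec_rc} verdict={kind}"
    if kind == "helper_usage_error":
        msg += " (fix the module's program line / run the helper by hand as the radiusd user)"
    if req.cleartext_secrets:
        msg += "; cleartext password visible in: " + ", ".join(req.cleartext_secrets)
    return msg


if __name__ == "__main__":
    for r in parse_debug(SAMPLE_DEBUG):
        print(explain(r))
```

Run it on a saved `radiusd -X` transcript by replacing `SAMPLE_DEBUG` with the file contents; the `cleartext_secrets` field is the list of places to redact before posting a transcript to a list, since with PAP and `ntlm_auth --password=`, the debug output necessarily prints the user's password.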