FR/AD integration
Gary Gatten
Ggatten at waddell.com
Sat Feb 19 01:40:23 CET 2011
If no one else pipes in I'll try to help, but I'm gone for the night.
From: E Rossiter [mailto:phedup at gmail.com]
Sent: Friday, February 18, 2011 06:11 PM
To: freeradius-users at lists.freeradius.org <freeradius-users at lists.freeradius.org>
Subject: FR/AD integration
Trying to use FR to query AD as an authentication oracle and set up per the docs at http://deployingradius.com/documents/configuration/active_directory.html and several others pertaining to setting up Kerberos and winbind.
smb/krb/winbind all run. The usual testing commands all produce the proper output: wbinfo, kinit, klist, net join, etc.
FreeRADIUS Version 2.1.7,
CentOS 5.5 2.6.18-194.32.1.el5 #1 SMP
Samba Version 3.3.8-0.52.el5_5.2
KRB5
I have been able to authenticate and authorize accounts using PAP via a Juniper device and a Dell PC 3448. Am now trying to expand beyond PAP and use ntlm_auth and eventually MSCHAP.
Upon issuing the command:
ntlm_auth --request-nt-key --domain=ADMIN.CYTEWORKS.LOCAL --username=eric.rossiter --password=Cyt3w0rk5
I receive: NT_STATUS_OK: Success (0x0), but I do not see any reference to an NT_KEY.
I believe that's why the radtest command is failing:
radtest sambatest somepass localhost 0 somesecret
Sending Access-Request of id 225 to 127.0.0.1 port 1812
User-Name = "sambatest"
User-Password = "somepass"
NAS-IP-Address = 64.126.127.208
NAS-Port = 0
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=225, length=20
Been reading and researching and testing for 3 weeks, but I'm stuck now.
radius -X output:
rad_recv: Access-Request packet from host 127.0.0.1 port 39195, id=4, length=61
User-Name = "sambatest"
User-Password = "somepass"
NAS-IP-Address = 64.126.127.208
NAS-Port = 0
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/127.0.0.1/auth-detail-20110218
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/127.0.0.1/auth-detail-20110218
[auth_log] expand: %t -> Fri Feb 18 17:19:10 2011
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "sambatest", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 17
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = ntlm_auth
+- entering group authenticate {...}
[ntlm_auth] expand: --username=%{mschap:User-Name} -> --username=sambatest
[ntlm_auth] expand: --password=%{User-Password} -> --password=somepass
username must be specified!
# don't understand this... username is two lines up. If I shut down winbind, a winbind error precedes "username must be specified!"
# don't understand why samba is puking a help screen?
Usage: [OPTION...]
--helper-protocol=helper protocol to use operate as a stdio-based helper
--username=STRING username
--domain=STRING domain name
--workstation=STRING workstation
--challenge=STRING challenge (HEX encoded)
--lm-response=STRING LM Response to the challenge
(HEX encoded)
--nt-response=STRING NT or NTLMv2 Response to the
challenge (HEX encoded)
--password=STRING User's plaintext password
--request-lm-key Retrieve LM session key
--request-nt-key Retrieve User (NT) session key
--use-cached-creds Use cached credentials if no
password is given
--diagnostics Perform diagnostics on the
authentictaion chain
--require-membership-of=STRING Require that a user be a member
of this group (either name or
SID) for authentication to
succeed
Help options:
-?, --help Show this help message
--usage Display brief usage message
Common samba config:
--configfile=CONFIGFILE Use alternate configuration file
Common samba options:
-V, --version Print version
Exec-Program output:
Exec-Program: returned: 1
++[ntlm_auth] returns reject
Failed to authenticate the user.
Login incorrect: [sambatest/somepass] (from client 127.0.0.1 port 0)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> sambatest
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 2 for 2 seconds
Going to the next request
Waking up in 0.9 seconds.
Waking up in 0.9 seconds.
Sending delayed reject for request 2
Sending Access-Reject of id 4 to 127.0.0.1 port 39195
Waking up in 4.9 seconds.
Cleaning up request 2 ID 4 with timestamp +349
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 57210, id=225, length=61
User-Name = "sambatest"
User-Password = "somepass"
NAS-IP-Address = 64.126.127.208
NAS-Port = 0
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/127.0.0.1/auth-detail-20110218
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/127.0.0.1/auth-detail-20110218
[auth_log] expand: %t -> Fri Feb 18 17:32:09 2011
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "sambatest", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 17
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = ntlm_auth
+- entering group authenticate {...}
[ntlm_auth] expand: --username=%{mschap:User-Name} -> --username=sambatest
[ntlm_auth] expand: --password=%{User-Password} -> --password=Thursday77
username must be specified!
Usage: [OPTION...]
--helper-protocol=helper protocol to use operate as a stdio-based helper
--username=STRING username
--domain=STRING domain name
--workstation=STRING workstation
--challenge=STRING challenge (HEX encoded)
--lm-response=STRING LM Response to the challenge
(HEX encoded)
--nt-response=STRING NT or NTLMv2 Response to the
challenge (HEX encoded)
--password=STRING User's plaintext password
--request-lm-key Retrieve LM session key
--request-nt-key Retrieve User (NT) session key
--use-cached-creds Use cached credentials if no
password is given
--diagnostics Perform diagnostics on the
authentictaion chain
--require-membership-of=STRING Require that a user be a member
of this group (either name or
SID) for authentication to
succeed
Help options:
-?, --help Show this help message
--usage Display brief usage message
Common samba config:
--configfile=CONFIGFILE Use alternate configuration file
Common samba options:
-V, --version Print version
Exec-Program output:
Exec-Program: returned: 1
++[ntlm_auth] returns reject
Failed to authenticate the user.
Login incorrect: [sambatest/Thursday77] (from client 127.0.0.1 port 0)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> sambatest
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 3 for 2 seconds
Going to the next request
Waking up in 0.9 seconds.
Waking up in 0.9 seconds.
Sending delayed reject for request 3
Sending Access-Reject of id 225 to 127.0.0.1 port 57210
Waking up in 4.9 seconds.
Cleaning up request 3 ID 225 with timestamp +1128
Ready to process requests.
/etc/krb.conf:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = ADMIN.CYTEWORKS.LOCAL
# dns_lookup_realm = false # all of these entries have been used for testing and are commented out now
# dns_lookup_kdc = true
# ticket_lifetime = 24h
# forwardable = yes
# default_tgs_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
# default_tkt_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
# preferred_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
[realms]
ADMIN.CYTEWORKS.LOCAL = {
kdc = cyteworks.admin.cyteworks.local
admin_server = cyteworks.admin.cyteworks.local
default_domain = ADMIN.CYTEWORKS.LOCAL
}
[domain_realm]
.cyteworks.local = ADMIN.CYTEWORKS.LOCAL
cyteworks.local = ADMIN.CYTEWORKS.LOCAL
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
/etc/samba/smb.conf
#======================= Global Settings =====================================
[global]
idmap uid = 200000 - 300000
idmap gid = 200000 - 300000
workgroup = ADMIN
; netbios name = cyteworks
realm = ADMIN.CYTEWORKS.LOCAL
server string = Samba Server Version %v
security = ads
local master = no
domain master = no
preferred master = no
winbind separator = +
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
; interfaces = lo eth0 192.168.12.2/24 192.168.13.2/24
hosts allow = 127. 192.168.5. 192.168.6. 10.12.1. 10.12.2. 10.12.3. 10.12.4 10.88.8
# --------------------------- Logging Options -----------------------------
#
# Log File let you specify where to put logs and how to split them up.
#
# Max Log Size let you specify the max size log files should reach
# logs split per machine
log file = /var/log/samba/log.%m
# max 50KB per log file, then rotate
max log size = 50
# ----------------------- Domain Members Options ------------------------
; password server = *
security = ads
; passdb backend = tdbsam
realm = ADMIN.CYTEWORKS.LOCAL
; password server = 10.12.1.40
Everything else is commented out in smb.conf. Don't need any printers, no shares, etc.
/etc/raddb/radius.conf:
# -*- text -*-
##
#
prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = /usr/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
name = radiusd
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/${name}
db_dir = ${raddbdir}
libdir = /usr/lib/freeradius
pidfile = ${run_dir}/${name}.pid
user = radiusd
group = radiusd
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
listen {
type = auth
ipaddr = *
port = 0
clients = per_socket_clients
}
listen {
ipaddr = *
port = 0
type = acct
clients = per_socket_clients
}
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
log {
destination = files
file = ${logdir}/radius.log
syslog_facility = daemon
stripped_names = yes
auth = yes
auth_badpass = yes
auth_goodpass = yes
}
checkrad = ${sbindir}/checkrad
security {
max_attributes = 200
reject_delay = 2
status_server = yes
}
proxy_requests = no
$INCLUDE clients.conf
thread pool {
start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 0
}
modules {
$INCLUDE ${confdir}/modules/
$INCLUDE eap.conf
}
instantiate {
exec
expr
expiration
logintime
}
$INCLUDE policy.conf
$INCLUDE sites-enabled/
/etc/raddb/clients.conf:
# -*- text -*-
##
## clients.conf -- client configuration directives
##
client localhost {
ipaddr = 127.0.0.1
secret = somesecret
require_message_authenticator = yes
shortname = localhost
nastype = other # localhost isn't usually a NAS...
}
clients per_socket_clients {
client 127.0.0.1 {
secret = somesecret
}
# Juniper - ESR - 01.24.11
client 192.168.20.254 {
secret = somesecret
shortname = juniper
nastype = netscreen
}
# Dell PowerConnect 3448 - ESR - 02.01.11
client 10.12.1.11 {
secret = somesecret
shortname = dpc3448
nastype = other
}
}
/etc/raddb/users
# -*- text -*-
#
# Copyright (C) 2009 Deploying RADIUS Partnerships
# All rights reserved.
#
# Save this file as "raddb/users", after first backing up
# the copy that you have there.
#
# http://deployingradius.com/documents/configuration/pap.html
#
# Window 1: radiusd -X
# Window 2: radtest bob hello localhost 0 testing123
#
# ntlm_auth testing ESR 02.17.11
DEFAULT Auth-Type = ntlm_auth
#************************ Juniper conf
# - ESR - 01.24.11
#some.user Cleartext-Password := "somepass"
# NS-Admin-Privilege := 4,
# NS-VSYS-Name := "Read-Only-Admin"
#some.user Cleartext-Password := "somepass"
# NS-Admin-Privilege := 2,
# NS-VSYS-Name := "ROOT"
# End of the file
I commented out the PAP entries in the users file because one of the users has the same user.name in AD but a different password, and that was causing me some conflict.
So, can anyone tell me why I'm not getting an NT_KEY reply when I issue the ntlm_auth command?
Is the missing key the reason the radtest command is failing? See any other glaring errors?
Thanks for your time.
E Rossiter
"This email is intended to be reviewed by only the intended recipient
and may contain information that is privileged and/or confidential.
If you are not the intended recipient, you are hereby notified that
any review, use, dissemination, disclosure or copying of this email
and its attachments, if any, is strictly prohibited. If you have
received this email in error, please immediately notify the sender by
return email and delete this email from your system."
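An added worked example, mine rather than code from either message above or from FreeRADIUS: the PAP Access-Request that `radtest sambatest somepass localhost 0 somesecret` sends, built by hand per RFC 2865, together with the User-Password hiding that the server undoes before it can hand a cleartext password to `ntlm_auth --password=...`. The Request Authenticator is a constructed constant so the output is repeatable (radtest uses a random one). The 20-byte header plus the four attributes in the debug output (User-Name, User-Password, NAS-IP-Address, NAS-Port) come to exactly the 61 bytes the server logged, which also tells you the request carries no Message-Authenticator attribute.

```python
"""
Hand-built RADIUS PAP Access-Request and server-side User-Password recovery.
Added example; not code from the post or from FreeRADIUS/radtest.
Reference: RFC 2865 sections 3 (packet format), 5.1-5.5 (attributes), 5.2 (hiding).
"""
import hashlib
import os
import socket
import struct

CODE_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4
ATTR_NAS_PORT = 5


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: NUL-pad to a multiple of 16, then XOR each block with
    MD5(secret + previous ciphertext block); the first block uses the Request
    Authenticator in place of the previous ciphertext."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return bytes(out)


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the server does to recover the cleartext. A wrong shared secret does
    not raise here; it simply yields garbage, so the module chain then fails
    the authentication rather than the packet decode."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a positive multiple of 16 bytes")
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(h ^ k for h, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")


def attr(attr_type: int, value: bytes) -> bytes:
    """Type/Length/Value; Length counts the two header bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(ident: int, username: str, password: str, secret: str,
                         nas_ip: str, nas_port: int, authenticator: bytes = None) -> bytes:
    """The four attributes radtest sends for a PAP test, in the same order."""
    authenticator = authenticator or os.urandom(16)
    attrs = (attr(ATTR_USER_NAME, username.encode())
             + attr(ATTR_USER_PASSWORD, hide_password(password.encode(), secret.encode(), authenticator))
             + attr(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + attr(ATTR_NAS_PORT, struct.pack("!I", nas_port)))
    return struct.pack("!BBH", CODE_ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def parse_packet(pkt: bytes):
    """Return (code, id, authenticator, {type: value}), validating the lengths."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 20:
        raise ValueError("packet length field does not match packet")
    attrs, i = {}, 20
    while i < length:
        t, l = pkt[i], pkt[i + 1]
        if l < 2 or i + l > length:
            raise ValueError("bad attribute length")
        attrs[t] = pkt[i + 2:i + l]
        i += l
    return code, ident, pkt[4:20], attrs


if __name__ == "__main__":
    # Constructed authenticator; values otherwise taken from the radtest run in the post.
    pkt = build_access_request(225, "sambatest", "somepass", "somesecret",
                               "64.126.127.208", 0, bytes(range(16)))
    code, ident, auth, attrs = parse_packet(pkt)
    print(len(pkt), code, ident, unhide_password(attrs[ATTR_USER_PASSWORD], b"somesecret", auth))
```

The same keystream construction means a captured PAP request plus the shared secret gives the password back, which is the reason PAP is the only method that can feed `ntlm_auth --password`; MS-CHAP hands the module a challenge and NT-Response instead, and those go to ntlm_auth as `--challenge` and `--nt-response`.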
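A second added example, again mine and not code from the post, Samba or FreeRADIUS, for the NT_KEY question. The 16-byte value rlm_mschap looks for after `NT_KEY:` in ntlm_auth's output is, by my reading of MS-NLMP, the NTLMv1 session base key, MD4 of the NT hash; computing it locally for a known password gives you something to compare against once ntlm_auth does print one. MD4 is implemented in pure Python because hashlib's MD4 is frequently missing on OpenSSL 3 builds. The parser handles the `NT_STATUS_...:` line the post shows and the `NT_KEY:` line it is missing; the sample ntlm_auth outputs it is exercised with are constructed.

```python
"""
NT hash and NT_KEY helper for checking ntlm_auth output.
Added example; not code from the post, Samba or FreeRADIUS.
Assumption (MS-NLMP): NT_KEY printed for --request-nt-key == MD4(NT hash), the
NTLMv1 session base key that rlm_mschap turns into MPPE keys.
"""
import struct


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, little-endian words, three rounds of 16 steps."""
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    r2 = (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)
    r3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(48):
            if i < 16:                      # round 1: F = (b & c) | (~b & d)
                t = ((b & c) | (~b & d)) + x[i]
                s = (3, 7, 11, 19)[i % 4]
            elif i < 32:                    # round 2: G = majority(b, c, d)
                t = ((b & c) | (b & d) | (c & d)) + x[r2[i - 16]] + 0x5A827999
                s = (3, 5, 9, 13)[i % 4]
            else:                           # round 3: H = b ^ c ^ d
                t = (b ^ c ^ d) + x[r3[i - 32]] + 0x6ED9EBA1
                s = (3, 9, 11, 15)[i % 4]
            a, b, c, d = d, _rotl((a + t) & 0xFFFFFFFF, s), b, c
        a, b, c, d = ((a + aa) & 0xFFFFFFFF, (b + bb) & 0xFFFFFFFF,
                      (c + cc) & 0xFFFFFFFF, (d + dd) & 0xFFFFFFFF)
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """NTOWF: MD4 over the UTF-16LE password, no BOM, no terminator."""
    return md4(password.encode("utf-16-le"))


def nt_session_key(password: str) -> bytes:
    """NTLMv1 session base key = MD4(NT hash); the expected NT_KEY (assumption above)."""
    return md4(nt_hash(password))


def parse_ntlm_auth_output(text: str) -> dict:
    """Pick out the two lines that matter: the NT_STATUS result and, if present,
    the NT_KEY. Anything else (such as a usage screen) is ignored."""
    result = {"ok": False, "status": None, "nt_key": None}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("NT_STATUS_"):
            result["status"] = line.split(":", 1)[0]
            result["ok"] = result["status"] == "NT_STATUS_OK"
        elif line.startswith("NT_KEY:"):
            hexkey = line.split(":", 1)[1].strip()
            if len(hexkey) != 32:
                raise ValueError("NT_KEY is not 16 bytes of hex")
            result["nt_key"] = bytes.fromhex(hexkey)
    return result


if __name__ == "__main__":
    # Constructed sample of ntlm_auth output, not captured from a real run.
    sample = "NT_STATUS_OK: Success (0x0)\nNT_KEY: " + nt_session_key("password").hex().upper() + "\n"
    print(nt_hash("password").hex(), parse_ntlm_auth_output(sample))
```

Feed it the real output of `ntlm_auth --request-nt-key ... --password=...` for a test account whose password you know: a result with `ok` true and `nt_key` equal to `nt_session_key(password)` confirms the helper is returning the value rlm_mschap needs; `ok` true with no `nt_key` is the situation the post describes.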