Configuring FreeRADIUS to authenticate against AD
Martin Ubank
Martin.Ubank at uwe.ac.uk
Fri Oct 21 10:10:02 CEST 2011
I've been following the FreeRadius Deployment guide http://deployingradius.com/documents/configuration/active_directory.html
The following software is installed on a Centos 6 VM:
- Samba 3.5.6, Freeradius 2.1.10, wpa_supplicant-0.7.3, gcc v4.4.4-13, openssl, winbind.
I successfully performed basic configuration tests with the 'eapol_test' command for:
- PAP, EAP, EAP-TLS, EAP-TTLS, EAP-MD5 & EAP-MSCHAPv5.
I've created production certificates & successfully tested for the above protocols.
Installed Kerberos 1.8.2 & tested that successfully.
I've edited /etc/krb5.conf, as follows:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = CAMPUS.ADS.UWE.AC.UK
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
[realms]
CAMPUS.ADS.UWE.AC.UK = {
kdc = campus.ads.uwe.ac.uk
admin_server = radius.uwe.ac.uk
default_domain = CAMPUS.ADS.UWE.AC.UK
}
[domain_realm]
.campus.ads.uwe.ac.uk = CAMPUS.ADS.UWE.AC.UK
campus.ads.uwe.ac.uk = CAMPUS.ADS.UWE.AC.UK
I've also edited /etc/samba/smb.conf (comments & blank lines excluded):
[global]
workgroup = CAMPUS
server string = Samba Server Version %v
log file = /var/log/samba/log.%m
max log size = 50
security = ads
passdb backend = tdbsam
realm = campus.ads.uwe.ac.uk
password server = campus.ads.uwe.ac.uk
load printers = yes
cups options = raw
winbind separator = +
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%D/%U
template shell = /bin/rbash
client use spnego = yes
client ntlmv2 auth = yes
encrypt passwords = yes
winbind use default domain = yes
restrict anonymous = 2
domain master = no
local master = no
preferred master = no
os level = 0
[homes]
comment = Home Directories
browseable = no
writable = yes
[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
guest ok = no
writable = no
printable = yes
I then run 'net join -U USERNAME' and get:
Unable to find a suitable server for domain CAMPUS
Unable to find a suitable server for domain CAMPUS
Running 'wbinfo -a USERNAME%PASSWORD' returns:
plaintext password authentication failed
Could not authenticate user USERNAME%PASSWORD with plaintext password
challenge/response password authentication failed
error code was NT_STATUS_NO_LOGON_SERVERS (0xc000005e)
error messsage was: No logon servers
Could not authenticate user USERNAME with challenge/response
Can anyone tell me what I've done wrong?
Thanks
Martin.
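The two configuration files quoted above have to agree with each other before `net join` and `wbinfo -a` have any chance of succeeding, and the cross-file invariants are easy to check offline. The script below is an added example, not code from the original post, from FreeRADIUS or from Samba: it parses an smb.conf [global] section and a krb5.conf, then reports the consistency problems a practitioner would look for before a join (security mode, realm agreement and case, NetBIOS workgroup form, a usable kdc/admin_server when DNS KDC lookup is disabled, domain_realm coverage, and a pinned password server). The embedded sample input is the configuration quoted in the post, trimmed to the lines the checks read; the finding levels and messages are this example's own. It cannot see the network, so it does not diagnose the DNS or reachability side of "No logon servers".

```python
"""Cross-check smb.conf and krb5.conf for a winbind/ntlm_auth-backed FreeRADIUS host.
Added example (not from the post, FreeRADIUS or Samba). Sample input below is the
configuration quoted in the post, trimmed to the keys these checks read."""
import configparser
import re

SMB_CONF = """
[global]
workgroup = CAMPUS
security = ads
realm = campus.ads.uwe.ac.uk
password server = campus.ads.uwe.ac.uk
winbind separator = +
winbind use default domain = yes
"""

KRB5_CONF = """
[libdefaults]
default_realm = CAMPUS.ADS.UWE.AC.UK
dns_lookup_realm = false
dns_lookup_kdc = false
[realms]
CAMPUS.ADS.UWE.AC.UK = {
kdc = campus.ads.uwe.ac.uk
admin_server = radius.uwe.ac.uk
default_domain = CAMPUS.ADS.UWE.AC.UK
}
[domain_realm]
.campus.ads.uwe.ac.uk = CAMPUS.ADS.UWE.AC.UK
campus.ads.uwe.ac.uk = CAMPUS.ADS.UWE.AC.UK
"""


def parse_smb_conf(text):
    """Return the [global] section of an smb.conf as a dict with lower-cased keys."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)  # %v, %m stay literal
    cp.read_string(text)
    return {k.lower(): v.strip() for k, v in cp["global"].items()}


def parse_krb5_conf(text):
    """Minimal krb5.conf reader: [section] headers, key = value lines and one level of
    REALM = { ... } blocks. Realm names (block keys) keep their case; other keys are lowered."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"^\[(\w+)\]$", line)
        if header:
            section = conf.setdefault(header.group(1), {})
            block = None
            continue
        if line == "}":
            block = None
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if value == "{":
            block = section.setdefault(key, {})
        elif block is not None:
            block[key.lower()] = value
        else:
            section[key.lower()] = value
    return conf


def check_ad_config(smb, krb5):
    """Return a list of (level, message) findings; levels are ERROR, WARN and INFO."""
    findings = []
    libdefaults = krb5.get("libdefaults", {})
    realm = smb.get("realm", "")
    default_realm = libdefaults.get("default_realm", "")

    if smb.get("security", "").lower() != "ads":
        findings.append(("ERROR", "security must be 'ads' for an Active Directory join"))
    if not realm:
        findings.append(("ERROR", "smb.conf realm is not set"))
    elif realm.upper() != default_realm.upper():
        findings.append(("ERROR", f"smb.conf realm {realm!r} does not match krb5 default_realm {default_realm!r}"))
    elif realm != realm.upper():
        findings.append(("WARN", f"realm {realm!r} is not upper-case; Kerberos realm names are conventionally upper-case"))

    workgroup = smb.get("workgroup", "")
    if not workgroup or "." in workgroup:
        findings.append(("ERROR", "workgroup must be the short NetBIOS domain name, not a DNS name"))

    # With dns_lookup_kdc = false, libkrb5 only knows the KDCs listed under [realms].
    realm_block = krb5.get("realms", {}).get(default_realm, {})
    dns_kdc = libdefaults.get("dns_lookup_kdc", "true").lower() == "true"
    kdc = realm_block.get("kdc", "")
    if not dns_kdc and not kdc:
        findings.append(("ERROR", "dns_lookup_kdc = false but no kdc is listed for the default realm"))
    elif kdc and kdc.lower() == default_realm.lower():
        findings.append(("WARN", f"kdc {kdc!r} is the domain name itself, not a named DC; "
                                 "resolution depends on the domain's A records"))
    admin = realm_block.get("admin_server", "").split(":")[0].lower()
    if admin and not admin.endswith(default_realm.lower()):
        findings.append(("WARN", f"admin_server {admin!r} is not inside the realm's DNS domain; "
                                 "in AD the kpasswd service runs on the domain controllers"))

    if "." + default_realm.lower() not in krb5.get("domain_realm", {}):
        findings.append(("WARN", "no domain_realm entry maps hosts under the default realm's DNS domain"))

    pinned = smb.get("password server", "*")
    if pinned != "*":
        findings.append(("INFO", f"password server is pinned to {pinned!r}; '*' lets Samba locate DCs via DNS SRV records"))
    return findings


if __name__ == "__main__":
    for level, message in check_ad_config(parse_smb_conf(SMB_CONF), parse_krb5_conf(KRB5_CONF)):
        print(f"{level:5} {message}")
```

Run against the quoted configuration it reports no ERROR-level finding; the WARN and INFO lines point at the realm case, the kdc being the bare domain name, the admin_server outside the realm's DNS domain, and the pinned password server. Those are the settings to confirm (with `host`/`dig` against the AD DNS, and `kinit USERNAME@REALM`) before re-running the join.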