infamous AD integration
Matthew Newton
mcn4 at leicester.ac.uk
Wed Jun 15 18:06:11 CEST 2016
On Wed, Jun 15, 2016 at 11:50:57AM -0400, Alan DeKok wrote:
> On Jun 15, 2016, at 11:42 AM, lejeczek via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> > https://www.unixmen.com/freeradius-active-directory-integration-with-ntlm-mschap/
>
> I haven't seen that one.

That has stuff in it (at least Kerberos configuration and
nsswitch.conf) that you generally don't need to do. You just
set "realm" and "password server" in smb.conf.

> Don't bother with any FreeRADIUS testing until the above
> command works. See the Samba documentation for debugging
> winbind problems.

General order to get things working is

- Configure Samba and join to the domain.
- Make sure "net ads testjoin" returns "Join is OK"
- Make sure winbind is running
- Make sure ntlm_auth will successfully authenticate from the
  shell
- Make sure permissions/group are right on the winbind privileged
  socket
- Make sure ntlm_auth will successfully authenticate from the
  shell when running as the FreeRADIUS user/group
- Configure and test FreeRADIUS.

If _any_ of the steps is not right then fix that before moving on
to the next, otherwise it just won't work. This will also give a
big hint as to where the problem lies.

The above is just as valid when using direct libwbclient
configuration rather than ntlm_auth.

Matthew

--
Matthew Newton, Ph.D. <mcn4 at le.ac.uk>
Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
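
The checks between joining the domain and configuring FreeRADIUS, run in the order the message gives and stopping at the first failure. This is an added example, not part of the original message. The service account name (freerad), the privileged socket directory, and the function names are assumptions to adjust per site; run it as a user allowed to use sudo.

```shell
#!/bin/sh
# Added example. Site-specific assumptions, override via the environment:
RADIUS_USER="${RADIUS_USER:-freerad}"   # assumed account ("radiusd" on some distros)
PRIV_DIR="${PRIV_DIR:-/var/lib/samba/winbindd_privileged}"   # assumed directory

# Run one check; on failure report it and return the step number.
step() {   # usage: step <number> <description> <command...>
    n=$1 desc=$2
    shift 2
    if "$@"; then
        echo "ok    step $n: $desc" >&2
    else
        echo "FAIL  step $n: $desc (fix this before moving on)" >&2
        return "$n"
    fi
}

# The join is only good if the command prints the expected line.
join_ok() { net ads testjoin 2>&1 | grep -q 'Join is OK'; }

# Returns 0 if every check passes, otherwise the number of the first
# failing step. ntlm_auth is left to prompt for the password, which keeps
# it out of the process list and the shell history.
check_ad_chain() {   # usage: check_ad_chain <test-user> <domain>
    user=$1 domain=$2
    step 1 'net ads testjoin returns "Join is OK"' join_ok || return $?
    step 2 'winbind is running' wbinfo -p || return $?
    step 3 'ntlm_auth authenticates from the shell' \
        ntlm_auth --username="$user" --domain="$domain" || return $?
    step 4 "$RADIUS_USER can reach $PRIV_DIR" \
        sudo -u "$RADIUS_USER" test -x "$PRIV_DIR" || return $?
    step 5 "ntlm_auth authenticates as $RADIUS_USER" \
        sudo -u "$RADIUS_USER" ntlm_auth --username="$user" --domain="$domain" \
        || return $?
}

# Run only when a test user and domain are given on the command line.
if [ "$#" -eq 2 ]; then
    check_ad_chain "$@"
fi
```

Only after this exits with status 0 is it worth configuring and testing FreeRADIUS itself.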