infamous AD integration

lejeczek peljasz at yahoo.co.uk
Thu Jun 16 16:25:12 CEST 2016



On 15/06/16 17:06, Matthew Newton wrote:
> On Wed, Jun 15, 2016 at 11:50:57AM -0400, Alan DeKok wrote:
>> On Jun 15, 2016, at 11:42 AM, lejeczek via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
>>> https://www.unixmen.com/freeradius-active-directory-integration-with-ntlm-mschap/
>>    I haven't seen that one.
> That has stuff in it (at least Kerberos configuration and
> nsswitch.conf) that you generally don't need to do. You just
> set "realm" and "password server" in smb.conf.
>
>>    Don't bother with any FreeRADIUS testing until the above
>>    command works.  See the Samba documentation for debugging
>>    winbind problems.
> General order to get things working is
>
>   - Configure Samba and join to the domain.
>   
>   - Make sure "net ads testjoin" returns "Join is OK"
>
>   - Make sure winbind is running
>
>   - Make sure ntlm_auth will successfully authenticate from the
>     shell
>
>   - Make sure permissions/group are right on the winbind privileged
>     socket
Here, I had missed radius's fs access to winbind.
Now I have
$ radtest -t mschap ...
working, but I don't quite grasp why one has to test with "-t".
When I now test without "-t" it still fails with:

(3)   } # filter_username filter_username = notfound
(3)   [preprocess] = ok
(3)   [chap] = noop
(3)   [mschap] = noop
(3)   [digest] = noop
(3)  suffix : Checking for suffix after "@"
(3)  suffix : Looking up realm "my.domain.local" for User-Name = "pe243@my.domain.local"
(3)  suffix : Found realm "my.domain.local"
(3)  suffix : Adding Stripped-User-Name = "pe243"
(3)  suffix : Adding Realm = "my.domain.local"
(3)  suffix : Authentication realm is LOCAL
(3)   [suffix] = ok
(3)  eap : No EAP-Message, not doing EAP
(3)   [eap] = noop
(3)   [unix] = notfound
(3)   [files] = noop
(3)   [expiration] = noop
(3)   [logintime] = noop
(3)  WARNING: pap : No "known good" password found for the user. Not setting Auth-Type
(3)  WARNING: pap : Authentication will fail unless a "known good" password is available
(3)   [pap] = noop
(3)  } #  authorize = ok
(3) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
(3) Failed to authenticate the user
(3) Using Post-Auth-Type Reject
(3) # Executing group from file /etc/raddb/sites-enabled/default
(3)  Post-Auth-Type REJECT {
(3)  attr_filter.access_reject : EXPAND %{User-Name}
(3)  attr_filter.access_reject :    --> pe243@my.domain.local
(3)  attr_filter.access_reject : Matched entry DEFAULT at line 11
(3)   [attr_filter.access_reject] = updated
(3)  eap : Request didn't contain an EAP-Message, not inserting EAP-Failure
(3)   [eap] = noop
(3)   remove_reply_message_if_eap remove_reply_message_if_eap {
(3)     if (&reply:EAP-Message && &reply:Reply-Message)
(3)     if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(3)    else else {
(3)     [noop] = noop
(3)    } # else else = noop
(3)   } # remove_reply_message_if_eap remove_reply_message_if_eap = noop
(3)  } # Post-Auth-Type REJECT = updated

thanks a lot!
>
>   - Make sure ntlm_auth will successfully authenticate from the
>     shell when running as the FreeRADIUS user/group
>
>   - Configure and test FreeRADIUS.
>
> If _any_ of the steps is not right then fix that before moving on
> to the next, otherwise it just won't work. This will also give a
> big hint as to where the problem lies.
>
> The above is just as valid when using direct libwbclient
> configuration rather than ntlm_auth.
>
> Matthew
>
>
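Editor's note on the debug output and the "-t" question: without "-t mschap", radtest sends a plain User-Password attribute (PAP). The mschap module only acts on MS-CHAP-Challenge/MS-CHAP-Response attributes, so it returns noop; pap has no "known good" password for an AD account, so no Auth-Type is set and the request is rejected in authorize, before winbind is ever consulted. With "-t mschap" radtest builds the MS-CHAP attributes, which mschap hands to ntlm_auth/winbind. The script below is an added example, not code from this thread or from the FreeRADIUS or Samba projects: it runs Matthew Newton's checklist in order and stops at the first step that fails, so the failing step points at the problem. Everything it assumes is overridable from the environment and is an assumption, not something the thread states: a RHEL-style install (the /etc/raddb path in the log) where the daemon runs as user "radiusd", winbind's privileged pipe directory at /var/lib/samba/winbindd_privileged, sudo being available, and a throw-away test account supplied as AD_DOMAIN, AD_USER and AD_PASS.

```shell
#!/bin/sh
# Added example (not from the thread, FreeRADIUS or Samba): run the
# AD-integration checklist in order and stop at the first failing step.
#
# Assumptions, all overridable from the environment:
#   RADIUS_USER    unix user radiusd runs as ("radiusd" on RHEL-style installs,
#                  "freerad" on Debian/Ubuntu)
#   WB_PRIV_DIR    winbind's privileged pipe directory
#   RADIUS_SERVER / RADIUS_SECRET   where radtest sends the request
#   AD_DOMAIN / AD_USER / AD_PASS   a throw-away test account in the domain
#
# Usage (as root, so "sudo -u" works without prompting):
#   AD_DOMAIN=MYDOM AD_USER=pe243 AD_PASS='...' sh adcheck.sh run

RADIUS_USER="${RADIUS_USER:-radiusd}"
WB_PRIV_DIR="${WB_PRIV_DIR:-/var/lib/samba/winbindd_privileged}"
RADIUS_SERVER="${RADIUS_SERVER:-localhost}"
RADIUS_SECRET="${RADIUS_SECRET:-testing123}"   # stock secret of the localhost client

# --- helpers that need no Samba/FreeRADIUS, so they can be checked on their own ---

# Does the output of "net ads testjoin" report a valid join?
join_is_ok() {
    printf '%s\n' "$1" | grep -q 'Join is OK'
}

# Is unix user $1 a member of group $2 (primary or supplementary)?
user_in_group() {
    id -Gn "$1" 2>/dev/null | tr ' ' '\n' | grep -qx "$2"
}

# Can user $2 enter directory $1?  It must be group-searchable (g+x) and
# owned by a group that $2 belongs to.  That is what the radiusd user needs
# on winbind's privileged pipe directory; root passes regardless, which is
# why ntlm_auth can work from a root shell and still fail inside radiusd.
priv_dir_ok() {
    _dir=$1; _user=$2
    [ -d "$_dir" ] || return 1
    [ -n "$(find "$_dir" -prune -perm -010 -print)" ] || return 1
    _grp=$(ls -ld "$_dir" | awk '{print $4}')
    user_in_group "$_user" "$_grp"
}

# --- steps that talk to Samba, winbind and FreeRADIUS ---

step() {   # step "<description>" <command> [args...]
    _desc=$1; shift
    if "$@" >/dev/null 2>&1; then
        echo "ok    $_desc"
    else
        echo "FAIL  $_desc   (fix this before going on)"
        exit 1
    fi
}

# Authenticate AD_USER through winbind, running ntlm_auth as unix user $1.
# The password is visible in "ps" while this runs; use a test account only.
ntlm_auth_as() {
    sudo -u "$1" ntlm_auth --request-nt-key --domain="$AD_DOMAIN" \
        --username="$AD_USER" --password="$AD_PASS"
}

# The final step: the same credentials through FreeRADIUS as MS-CHAP.
radtest_ok() {
    radtest -t mschap "$AD_USER" "$AD_PASS" "$RADIUS_SERVER" 0 "$RADIUS_SECRET" \
        | grep -q 'Access-Accept'
}

run_checklist() {
    : "${AD_DOMAIN:?set AD_DOMAIN}" "${AD_USER:?set AD_USER}" "${AD_PASS:?set AD_PASS}"
    step "1. smb.conf loads (testparm -s)"            testparm -s
    _join=$(net ads testjoin 2>&1)
    step "2. net ads testjoin says 'Join is OK'"      join_is_ok "$_join"
    step "3. winbindd answers (wbinfo -p)"            wbinfo -p
    step "4. ntlm_auth works from this shell"         ntlm_auth_as "$(id -un)"
    step "5. $RADIUS_USER can reach $WB_PRIV_DIR"     priv_dir_ok "$WB_PRIV_DIR" "$RADIUS_USER"
    step "6. ntlm_auth works as $RADIUS_USER"         ntlm_auth_as "$RADIUS_USER"
    step "7. radtest -t mschap gets Access-Accept"    radtest_ok
}

# Only run the checks when invoked with "run", so the file can also be sourced.
case "${1:-}" in run) run_checklist ;; esac
```

Step 5 is the one the original poster tripped over: ntlm_auth succeeds from a root shell because root can always open the privileged pipe, but radiusd only gets there if its group matches the directory's group and the directory is group-searchable, which is why the checklist repeats the ntlm_auth test as the FreeRADIUS user (step 6) before touching FreeRADIUS at all.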