(freeradius 3) I'm trying to integrate freeradius with active directory in CentOS 7.

Marcelo Martinez marcelo.martinez at nexa.com.uy
Mon Sep 19 20:33:02 CEST 2016


I'm trying with Alan's guide...


samba* krb5-workstation installed.

[root at test-radius-test ~]# net ads testjoin
Join is OK
[root at test-radius-test ~]# net ads -P status
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
cn: prueba
distinguishedName: CN=prueba,OU=Equipos Ingresados,DC=test,DC=local
instanceType: 4
whenCreated: 20160919172713.0Z
whenChanged: 20160919180107.0Z
uSNCreated: 50294994
uSNChanged: 50296026
name: prueba
objectGUID: 5e8b64aa-ca7f-498a-93d3-528499b2dae1
userAccountControl: 69632
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 131187828520486649
localPolicyFlags: 0
pwdLastSet: 131187816675599507
primaryGroupID: 515
objectSid: S-1-5-21-2352482657-3702507256-981139051-8571
accountExpires: 9223372036854775807
logonCount: 11
sAMAccountName: prueba$
sAMAccountType: 805306369
dNSHostName: prueba.test.local
servicePrincipalName: HOST/prueba.test.local
servicePrincipalName: HOST/PRUEBA
objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=test,DC=local
isCriticalSystemObject: FALSE
dSCorePropagationData: 16010101000000.0Z
mS-DS-CreatorSID: S-1-5-21-2352482657-3702507256-981139051-1925
lastLogonTimestamp: 131187797472772194
[root at test-radius-test ~]# net join -U testing
Enter testing's password:
Failed to join domain: failed to set machine kerberos encryption types:
Insufficient access
ADS join did not work, falling back to RPC...
[root at test-radius-test ~]# kinit
Password for testing at TEST.LOCAL:
[root at test-radius-test ~]#
[root at test-radius-test ~]# cat /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = true
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
default_realm = test.LOCAL
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
# EXAMPLE.COM = {
#  kdc = kerberos.example.com
#  admin_server = kerberos.example.com
# }
test.local = {
      kdc = test.local
admin_server = test.local
}
[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM
[domain_realm]
.example.com = test.LOCAL
example.com = test.LOCAL

allow_weak_crypto=true
[root at test-radius-test ~]#

Also I configured smb.conf adding:
password server = test.local
realm = test.local
workgroup = test
security = ads

ssh conf:

#Kerberos options
KerberosAuthentication yes
KerberosOrLocalPasswd yes
KerberosTicketCleanup yes
#KerberosGetAFSToken ye
KerberosUseKuserok yes

#GSSAPI options
GSSAPIAuthentication yes
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no



Any help please?

Thanks.-

On Mon, Sep 19, 2016 at 9:29 AM, A.L.M.Buxey [via FreeRADIUS] <
ml-node+s1045715n5742609h63 at n5.nabble.com> wrote:

> Hi,
>
> > I saw this link and tried these steps...
> >
> > ntlm_auth --request-nt-key --domain=TEST.UY --username=administrator
> > --password=xxxx
> > could not obtain winbind separator!
>
> winbind running?  smb.conf correctly configured?
>
> > I already joined the Active Directory domain with the procedure previously
> > posted, I need to start from here and not undo my working configuration.
>
> why have you done it the way you have?  the 'net ads join' method is
> trivial and usual.
> those sssd packages you've installed are 'interesting' from my experience.
>
>
> alan

