Authenticating against Active Directory using winbind
Paolo Barbato
paolo.barbato at igi.cnr.it
Thu Sep 13 16:27:09 CEST 2018
> On 11 Sep 2018, at 16:57, Christoffer Jönsson <chrjsn at imap.cc> wrote:
>
> When I first tried to use freeradius on centos it did not work, but the compile-it-yourself tutorial did :).
>
> Also, trying to enable pure winbind from repos results in error: "/etc/raddb/mods-enabled/mschap[10]: 'winbind' auth not enabled at compiled time"
>
> Anyway, I just installed samba + fr from the repos, joined the AD and ran setfacl -m u:radiusd:rx /var/lib/samba/winbindd_privileged.
>
> Tried both of these:
> ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --domain=auth.chrjsn.se --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
> ntlm_auth = "/usr/bin/ntlm_auth --allow-mschapv2 --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --domain=auth.chrjsn.se --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
>
> But they both fail with error:
> (0) mschap: ERROR: Program returned code (1) and output 'The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)'
> (0) mschap: External script failed
> (0) mschap: ERROR: External script says: The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)
> (0) mschap: ERROR: MS-CHAP2-Response is incorrect
>
> when this works ntlm_auth --username=adtest --domain=auth.chrjsn.se
> Password:
> NT_STATUS_OK: The operation completed successfully. (0x0)
>
Does it also work with
ntlm_auth --request-nt-key --domain=auth.chrjsn.se --username=adtest
In mods-enabled/mschap:
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
use_mppe = yes
require_encryption = yes
require_strong = yes
authtype = MS-CHAP
with_ntdomain_hack = yes
I think you've also tested
kinit adtest
and done
net ads join -U administrator
and that nmb, winbind and smb are all running
and that DNS resolves auth.chrjsn.se
Regards,
Paolo.
> So now I'm really confused.
>> Curious to know why you aren't using the samba coming with centos... anyway, I've just installed for a new deployment a centos 7.5 + samba 4.7 + freeradius 3.0.13 + winbind against AD: it works!
>>
>> The suggested command to set the privileges of the winbindd_privileged directory properly is setfacl
>>
>> setfacl -m u:radiusd:rx /var/lib/samba/winbindd_privileged
>>
>>
>> ...radiusd also needs x.
>>
>> Regards,
>> Paolo.
>>
>>
>>> On 11 Sep 2018, at 15:54, Christoffer Jönsson <chrjsn at imap.cc> wrote:
>>>
>>> So I created the radiusd user since there was none created on install and changed the disabled variables to "user = radius group = radius" in radiusd.conf.
>>>
>>> If I did not run "chgrp radiusd /opt/samba4.2/var/locks/winbindd_privileged" freeradius could not connect to winbind.
>>>
>>> But when I did chgrp, I still get the same error. There was also no winbind group/user created by default and I don't know which config to set the group/user.
>>>
>>> I am running CentOS 7.
>>>
>>> Thanks!
>>>
>>>
>>>> hi,
>>>>
>>>> check the permissions of the winbindd_privileged directory - might have
>>>> been changed when samba patched. (ideally you add radiusd to the winbind
>>>> group)
>>>>
>>>> alan
>>>>
>>>> On Tue, 11 Sep 2018 at 12:42, Christoffer Jönsson <chrjsn at imap.cc> wrote:
>>>>
>>>>> Hello! I used this guide a year ago to enable 802.1x on my switches and
>>>>> APs and it worked without any problems to authenticate to my Samba4 AD/DC:
>>>>>
>>>>> https://wiki.freeradius.org/guide/Active-Directory-direct-via-winbind.
>>>>>
>>>>> Today I am having trouble getting it to work because it won't accept the
>>>>> password when running this command or connecting from switches:
>>>>>
>>>>> "radtest -t mschap adtest Password1 127.0.0.1 0 testing123". And winbind
>>>>> returns this result:
>>>>>
>>>>> "NTLM CRAP authentication for user [auth.chrjsn.se]\[adtest] returned
>>>>> NT_STATUS_WRONG_PASSWORD".
>>>>>
>>>>> But running this command, it authenticates with this result:
>>>>>
>>>>> ntlm_auth --username=adtest --domain=auth.chrjsn.se
>>>>> Password:
>>>>> NT_STATUS_OK: Success (0x0):
>>>>>
>>>>> "Plain-text authentication for user AUTH.CHRJSN.SE\adtest returned
>>>>> NT_STATUS_OK (PAM: 0)"
>>>>>
>>>>> Radiusd reports that password has expired, when it has not. I have reset
>>>>> the password for adtest and administrator with same results.
>>>>>
>>>>> I don't know if there's any new settings or something and I'm really
>>>>> stuck here.
>>>>>
>>>>> It also doesn't matter which version of samba/freeradius I'm using.
>>>>>
>>>>> Thanks!
>>>>>
>>>>> -
>>>>> List info/subscribe/unsubscribe? See
>>>>> http://www.freeradius.org/list/users.html
>> ------------------------------------------------------------------------------------------------
>> Paolo Barbato
>>
>> Consorzio RFX
>> corso Stati Uniti,4
>> 35127 Padova - Italy
>> Network Administrator
>> phone: +39 049 8295097 fax: +39 049 8700718
>> ------------------------------------------------------------------------------------------------
>>
>>
>
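An added illustration, not part of the thread, of what the `--challenge=%{mschap:Challenge}` argument in the mschap config lines above carries: for MS-CHAPv2, FreeRADIUS expands it to the 8-byte challenge hash of RFC 2759 section 8.2, computed from the peer challenge, the authenticator challenge and the user name with any DOMAIN\ prefix removed, so the user name the supplicant hashed must be the one the server uses. The code checks itself against the RFC 2759 section 9.2 test vector; `ntlm_auth_argv` is a hypothetical helper that only mirrors the argument layout of the config line, and the domain name is reused from the thread.

```python
"""Added example: derive the MS-CHAPv2 challenge that %{mschap:Challenge} expands to.

RFC 2759 section 8.2: Challenge = SHA1(PeerChallenge || AuthenticatorChallenge || UserName)[:8].
FreeRADIUS passes this value hex-encoded to ntlm_auth as --challenge, together with
the supplicant's 24-byte NT-Response as --nt-response.
"""
import hashlib


def strip_domain(username: str) -> str:
    """Drop a leading DOMAIN\\ prefix ("AUTH\\adtest" -> "adtest"); a realm suffix such as
    user@example.org is left alone. This mirrors the with_ntdomain_hack behaviour."""
    return username.split("\\", 1)[1] if "\\" in username else username


def mschapv2_challenge(peer_challenge: bytes, auth_challenge: bytes, username: str) -> bytes:
    """8-byte challenge hash of RFC 2759 section 8.2 for the user name as the peer hashed it."""
    if len(peer_challenge) != 16 or len(auth_challenge) != 16:
        raise ValueError("peer and authenticator challenges must both be 16 bytes")
    user = strip_domain(username).encode("ascii")
    return hashlib.sha1(peer_challenge + auth_challenge + user).digest()[:8]


def ntlm_auth_argv(username: str, domain: str, challenge: bytes, nt_response: bytes) -> list:
    """Hypothetical helper: the argument vector the mschap config line would hand to ntlm_auth."""
    if len(challenge) != 8 or len(nt_response) != 24:
        raise ValueError("challenge must be 8 bytes and NT-Response 24 bytes")
    return [
        "/usr/bin/ntlm_auth", "--request-nt-key",
        f"--username={username}", f"--domain={domain}",
        f"--challenge={challenge.hex()}", f"--nt-response={nt_response.hex()}",
    ]


# RFC 2759 section 9.2 test vector (UserName "User").
AUTH_CHALLENGE = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")
PEER_CHALLENGE = bytes.fromhex("21402324255E262A28295F2B3A337C7E")
RFC_CHALLENGE = bytes.fromhex("D02E4386BCE91226")
RFC_NT_RESPONSE = bytes.fromhex("82309ECD8D708B5EA08FAA4981CD83544233114A3D85D6DF")

if __name__ == "__main__":
    # A DOMAIN\ prefix is stripped before hashing, but a different spelling of the
    # user name yields a different challenge, which the DC then rejects as a bad logon.
    for name in ("User", "AUTH\\User", "user"):
        c = mschapv2_challenge(PEER_CHALLENGE, AUTH_CHALLENGE, name)
        print(f"{name:12} -> --challenge={c.hex()} {'matches RFC' if c == RFC_CHALLENGE else 'differs'}")
    print(" ".join(ntlm_auth_argv("User", "auth.chrjsn.se", RFC_CHALLENGE, RFC_NT_RESPONSE)))
```

Comparing the `--challenge` value printed in a `radiusd -X` trace with the one computed here for the user name the supplicant actually sent is a quick way to tell a user-name mismatch from a real password or winbind problem.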