EAP-MSCHAPv2 and AD Authentication w/o ntlm_auth

BOUILLOUD Corentin cbouilloud at systra.com
Mon Jul 10 14:11:04 UTC 2023


Hi everyone, nice to meet you,

I would like to use Kerberos instead of ntlm_auth to authenticate AD users with FreeRADIUS.
I configured the 'mschap' module to use the winbind daemon directly and, if I understood the samba documentation properly,
winbindd can't authenticate users itself. It uses the 'pam_winbind' module, which we can configure to use Kerberos.
Could you confirm that this is correct and/or possible another way?

mods-enabled/mschap
        #
        #  An alternative to using ntlm_auth is to connect to the
        #  winbind daemon directly for authentication. This option
        #  is likely to be faster and may be useful on busy systems,
        #  but is less well tested.
        #
        #  Using this option requires libwbclient from Samba 4.2.1
        #  or later to be installed. Make sure that ntlm_auth above is
        #  commented out.
        #
        winbind_username = "%{mschap:User-Name}"
        winbind_domain = "%{mschap:NT-Domain}"

https://www.samba.org/samba/docs/current/man-html/winbindd.8.html
The service provided by winbindd is called `winbind' and can be used to resolve user and group information from a Windows NT server.
The service can also provide authentication services via an associated PAM module.

https://www.samba.org/samba/docs/current/man-html/pam_winbind.8.html
krb5_auth
    pam_winbind can authenticate using Kerberos when winbindd is talking to an Active Directory domain controller.
    Kerberos authentication must be enabled with this parameter.
