Hi,
My goal is to make use of samba 4 and freeradius to authenticate user to use
wifi network (WPA2 enterprise).
The setup is to setup Samba 4.0.3 in machine A and setup freeradius in machine
B.
By reading:
Document A: http://wiki.samba.org/index.php/Samba4/beyond
Document B:
https://wiki.samba.org/index.php/Samba4/HOWTO/Virtual_Private_Network
Document C:
http://www.linuxgfx.co.uk/karoshi/documentation/wiki/index.php?title=Samba4_Testing
The testing to bind the samba 4 server from machine B shows successfully:
ldapsearch -x -W -h file.sambadom.org -b
"ou=accounting,dc=sambadom,dc=org" -D
"cn=ldapuser,cn=users,dc=sambadom,dc=org" "(cn=peter)"
Also, ldap module of freeradius is configured as follows (ldap part in
sites-enabled/default and inner-tunnel is configured also.)
/usr/local/freeradius/etc/raddb/modules/ldap
============================ldap {
server = "file.sambadom.org"
password = "asecurepassword"
identity = "cn=ldapuser,cn=users,dc=samba4,dc=yauoi,dc=org"
basedn = "ou=accounting,dc=sambadom,dc=org"
filter =
"(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
ldap_connections_number = 5
max_uses = 0
timeout = 4
timelimit = 3
net_timeout = 1
tls {
start_tls = no
}
dictionary_mapping = ${confdir}/ldap.attrmap
edir_account_policy_check = no
keepalive {
idle = 60
probes = 3
interval = 3
}
}
============================
When I try authentication test in machine B,
eapol_test -c ./peap-mschapv2.conf -s testing123
peap-mschapv2.conf
===================network={
ssid="amazonforest"
scan_ssid=1
key_mgmt=WPA-EAP
eap=PEAP
identity="peter"
#anonymous_identity="anonymous"
password="asecurepassword"
phase2="autheap=MSCHAPV2"
#
# Uncomment the following to perform server certificate validation.
ca_cert="/usr/local/freeradius/etc/raddb/certs/ca.der"
}
===================
The result is failed.
Is there anything I did wrongly?
Kinglok, Fong
I had good luck using NTLM, rather than LDAP. See:
http://freeradius.1045715.n5.nabble.com/Freeradius-How-to-integrate-Active-Directory-AD-Integration-WindowsXP-NTLM-Tutorial-td2745621.html
----- Original Message -----
From: "Fong Kinglok" <busywater at gmail.com>
To: samba at lists.samba.org
Sent: Friday, February 22, 2013 10:18:53 AM
Subject: [Samba] Samba 4 and freeradius
Hi,
My goal is to make use of samba 4 and freeradius to authenticate user to use
wifi network (WPA2 enterprise).
The setup is to setup Samba 4.0.3 in machine A and setup freeradius in machine
B.
By reading:
Document A: http://wiki.samba.org/index.php/Samba4/beyond
Document B:
https://wiki.samba.org/index.php/Samba4/HOWTO/Virtual_Private_Network
Document C:
http://www.linuxgfx.co.uk/karoshi/documentation/wiki/index.php?title=Samba4_Testing
The testing to bind the samba 4 server from machine B shows successfully:
ldapsearch -x -W -h file.sambadom.org -b
"ou=accounting,dc=sambadom,dc=org" -D
"cn=ldapuser,cn=users,dc=sambadom,dc=org" "(cn=peter)"
Also, ldap module of freeradius is configured as follows (ldap part in
sites-enabled/default and inner-tunnel is configured also.)
/usr/local/freeradius/etc/raddb/modules/ldap
=============================
ldap {
server = "file.sambadom.org"
password = "asecurepassword"
identity = "cn=ldapuser,cn=users,dc=samba4,dc=yauoi,dc=org"
basedn = "ou=accounting,dc=sambadom,dc=org"
filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
ldap_connections_number = 5
max_uses = 0
timeout = 4
timelimit = 3
net_timeout = 1
tls {
start_tls = no
}
dictionary_mapping = ${confdir}/ldap.attrmap
edir_account_policy_check = no
keepalive {
idle = 60
probes = 3
interval = 3
}
}
=============================
When I try authentication test in machine B,
eapol_test -c ./peap-mschapv2.conf -s testing123
peap-mschapv2.conf
====================
network={
ssid="amazonforest"
scan_ssid=1
key_mgmt=WPA-EAP
eap=PEAP
identity="peter"
#anonymous_identity="anonymous"
password="asecurepassword"
phase2="autheap=MSCHAPV2"
#
# Uncomment the following to perform server certificate validation.
ca_cert="/usr/local/freeradius/etc/raddb/certs/ca.der"
}
====================
The result is failed.
Is there anything I did wrongly?
Kinglok, Fong
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
In fact, I have tried using NTLM already. I have successfully setup winbind bundled with Samba 4, including the steps to join Samba 4 as member server and start up winbindd as daemon. However, I encounter two difficulties with using NTLM to authenticate freeradius to Samba 4. - I have to run freeradius as root in order to read output from winbindd. Even I change the permission / ownership of /usr/local/samba/var/run/winbindd to freerad. It still cannot work! - I wish to restrict a group of user to use freeradius to authenticate. However, adding --require-membership-of to freeradius still cannot work. Kinglok, Fong On 27 Feb, 2013, at 11:30 AM, Kristofer <kristofer at cybernetik.net> wrote:> I had good luck using NTLM, rather than LDAP. See: http://freeradius.1045715.n5.nabble.com/Freeradius-How-to-integrate-Active-Directory-AD-Integration-WindowsXP-NTLM-Tutorial-td2745621.html > > > > From: "Fong Kinglok" <busywater at gmail.com> > To: samba at lists.samba.org > Sent: Friday, February 22, 2013 10:18:53 AM > Subject: [Samba] Samba 4 and freeradius > > Hi, > > My goal is to make use of samba 4 and freeradius to authenticate user to use wifi network (WPA2 enterprise). > > The setup is to setup Samba 4.0.3 in machine A and setup freeradius in machine B. > > By reading: > Document A: http://wiki.samba.org/index.php/Samba4/beyond > Document B: https://wiki.samba.org/index.php/Samba4/HOWTO/Virtual_Private_Network > Document C: http://www.linuxgfx.co.uk/karoshi/documentation/wiki/index.php?title=Samba4_Testing > > The testing to bind the samba 4 server from machine B shows successfully: > ldapsearch -x -W -h file.sambadom.org -b "ou=accounting,dc=sambadom,dc=org" -D "cn=ldapuser,cn=users,dc=sambadom,dc=org" "(cn=peter)" > > Also, ldap module of freeradius is configured as follows (ldap part in sites-enabled/default and inner-tunnel is configured also.) > > /usr/local/freeradius/etc/raddb/modules/ldap > ============================> ldap { > server = "file.sambadom.org" > password = "asecurepassword" > identity = "cn=ldapuser,cn=users,dc=samba4,dc=yauoi,dc=org" > basedn = "ou=accounting,dc=sambadom,dc=org" > filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})" > ldap_connections_number = 5 > max_uses = 0 > timeout = 4 > timelimit = 3 > net_timeout = 1 > tls { > start_tls = no > } > dictionary_mapping = ${confdir}/ldap.attrmap > edir_account_policy_check = no > keepalive { > idle = 60 > probes = 3 > interval = 3 > } > } > ============================> > When I try authentication test in machine B, > eapol_test -c ./peap-mschapv2.conf -s testing123 > > peap-mschapv2.conf > ===================> network={ > ssid="amazonforest" > scan_ssid=1 > key_mgmt=WPA-EAP > eap=PEAP > identity="peter" > #anonymous_identity="anonymous" > password="asecurepassword" > phase2="autheap=MSCHAPV2" > > # > # Uncomment the following to perform server certificate validation. > ca_cert="/usr/local/freeradius/etc/raddb/certs/ca.der" > } > ===================> > The result is failed. > > > Is there anything I did wrongly? > > Kinglok, Fong > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba >
In my experience from setting it up, I was able to get it to run as the
"radiusd" user (used yum repository on CentOS 6.3 to install
freeradius) without any additional tweaking.
I would recommend running freeradius on a machine other than a Samba 4 domain
controller (assuming you already did that).
I used the Samba 3 winbind that comes in the yum repository for CentOS, and
joined the operating system to the domain and ensured that basic login
authentication worked:
yum install samba-winbind-clients samba-winbind
authconfig --updateall --enablewinbind --enablewinbindauth --smbsecurity=ads
--smbworkgroup=WORKGROUP --winbindjoin=Administrator --smbrealm=ad.domain.com
--winbindtemplatehomedir=/home/%U --enablewinbindusedefaultdomain
--enablewinbindoffline --enablemkhomedir --enablelocauthoriz
Then in /etc/raddb/modules/ntlm_auth, I set the following to ensure that the
users belonged to the "VPN Users" group to authenticate.
exec ntlm_auth {
wait = yes
program = "/usr/bin/ntlm_auth --request-nt-key
--domain=AD.DOMAIN.COM --username=%{mschap:User-Name}
--password=%{User-Password} ----require-membership-of=VPN\ Users"
}
On Feb 26, 2013, at 10:17 PM, Kinglok, Fong wrote:
> In fact, I have tried using NTLM already.
>
> I have successfully setup winbind bundled with Samba 4, including the steps
to join Samba 4 as member server and start up winbindd as daemon.
>
> However, I encounter two difficulties with using NTLM to authenticate
freeradius to Samba 4.
> - I have to run freeradius as root in order to read output from winbindd.
Even I change the permission / ownership of /usr/local/samba/var/run/winbindd to
freerad. It still cannot work!
> - I wish to restrict a group of user to use freeradius to authenticate.
However, adding --require-membership-of to freeradius still cannot work.
>
> Kinglok, Fong
>
>
> On 27 Feb, 2013, at 11:30 AM, Kristofer <kristofer at cybernetik.net>
wrote:
>
>> I had good luck using NTLM, rather than LDAP. See:
http://freeradius.1045715.n5.nabble.com/Freeradius-How-to-integrate-Active-Directory-AD-Integration-WindowsXP-NTLM-Tutorial-td2745621.html
>>
>>
>>
>> From: "Fong Kinglok" <busywater at gmail.com>
>> To: samba at lists.samba.org
>> Sent: Friday, February 22, 2013 10:18:53 AM
>> Subject: [Samba] Samba 4 and freeradius
>>
>> Hi,
>>
>> My goal is to make use of samba 4 and freeradius to authenticate user
to use wifi network (WPA2 enterprise).
>>
>> The setup is to setup Samba 4.0.3 in machine A and setup freeradius in
machine B.
>>
>> By reading:
>> Document A: http://wiki.samba.org/index.php/Samba4/beyond
>> Document B:
https://wiki.samba.org/index.php/Samba4/HOWTO/Virtual_Private_Network
>> Document C:
http://www.linuxgfx.co.uk/karoshi/documentation/wiki/index.php?title=Samba4_Testing
>>
>> The testing to bind the samba 4 server from machine B shows
successfully:
>> ldapsearch -x -W -h file.sambadom.org -b
"ou=accounting,dc=sambadom,dc=org" -D
"cn=ldapuser,cn=users,dc=sambadom,dc=org" "(cn=peter)"
>>
>> Also, ldap module of freeradius is configured as follows (ldap part in
sites-enabled/default and inner-tunnel is configured also.)
>>
>> /usr/local/freeradius/etc/raddb/modules/ldap
>> ============================>> ldap {
>> server = "file.sambadom.org"
>> password = "asecurepassword"
>> identity =
"cn=ldapuser,cn=users,dc=samba4,dc=yauoi,dc=org"
>> basedn = "ou=accounting,dc=sambadom,dc=org"
>> filter =
"(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
>> ldap_connections_number = 5
>> max_uses = 0
>> timeout = 4
>> timelimit = 3
>> net_timeout = 1
>> tls {
>> start_tls = no
>> }
>> dictionary_mapping = ${confdir}/ldap.attrmap
>> edir_account_policy_check = no
>> keepalive {
>> idle = 60
>> probes = 3
>> interval = 3
>> }
>> }
>> ============================>>
>> When I try authentication test in machine B,
>> eapol_test -c ./peap-mschapv2.conf -s testing123
>>
>> peap-mschapv2.conf
>> ===================>> network={
>> ssid="amazonforest"
>> scan_ssid=1
>> key_mgmt=WPA-EAP
>> eap=PEAP
>> identity="peter"
>> #anonymous_identity="anonymous"
>> password="asecurepassword"
>> phase2="autheap=MSCHAPV2"
>>
>> #
>> # Uncomment the following to perform server certificate
validation.
>>
ca_cert="/usr/local/freeradius/etc/raddb/certs/ca.der"
>> }
>> ===================>>
>> The result is failed.
>>
>>
>> Is there anything I did wrongly?
>>
>> Kinglok, Fong
>>
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
>>
>
On Wed, 2013-02-27 at 12:17 +0800, Kinglok, Fong wrote:> In fact, I have tried using NTLM already. > > I have successfully setup winbind bundled with Samba 4, including the steps to join Samba 4 as member server and start up winbindd as daemon. > > However, I encounter two difficulties with using NTLM to authenticate freeradius to Samba 4. > - I have to run freeradius as root in order to read output from winbindd. Even I change the permission / ownership of /usr/local/samba/var/run/winbindd to freerad. It still cannot work!You need to change the winbind_privileged directory, not the winbindd directory. The group ownership of this directory should be a group that servers doing NTLM authentication (such as squid, apache, pptpd and freeradius) are in. Andrew Bartlett -- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org
On 27 Feb, 2013, at 2:26 PM, Andrew Bartlett <abartlet at samba.org> wrote:> On Wed, 2013-02-27 at 12:17 +0800, Kinglok, Fong wrote: >> In fact, I have tried using NTLM already. >> >> I have successfully setup winbind bundled with Samba 4, including the steps to join Samba 4 as member server and start up winbindd as daemon. >> >> However, I encounter two difficulties with using NTLM to authenticate freeradius to Samba 4. >> - I have to run freeradius as root in order to read output from winbindd. Even I change the permission / ownership of /usr/local/samba/var/run/winbindd to freerad. It still cannot work! > > You need to change the winbind_privileged directory, not the winbindd > directory. The group ownership of this directory should be a group that > servers doing NTLM authentication (such as squid, apache, pptpd and > freeradius) are in. > > Andrew Bartlett > > -- > Andrew Bartlett http://samba.org/~abartlet/ > Authentication Developer, Samba Team http://samba.org > >Finally, I got it /usr/local/samba/var/lib/winbindd_privileged not /usr/local/samba/var/lib/winbind_privileged Thanks. Kinglok, Fong
On 27 Feb 2013, at 2:26 PM, Andrew Bartlett wrote:> On Wed, 2013-02-27 at 12:17 +0800, Kinglok, Fong wrote: >> In fact, I have tried using NTLM already. >> >> I have successfully setup winbind bundled with Samba 4, including the steps to join Samba 4 as member server and start up winbindd as daemon. >> >> However, I encounter two difficulties with using NTLM to authenticate freeradius to Samba 4. >> - I have to run freeradius as root in order to read output from winbindd. Even I change the permission / ownership of /usr/local/samba/var/run/winbindd to freerad. It still cannot work! > > You need to change the winbind_privileged directory, not the winbindd > directory. The group ownership of this directory should be a group that > servers doing NTLM authentication (such as squid, apache, pptpd and > freeradius) are in. > > Andrew Bartlett > > -- > Andrew Bartlett http://samba.org/~abartlet/ > Authentication Developer, Samba Team http://samba.org > >Thank you all for giving me the hint! I have solved the problem by making use of ntlm_auth and with group support by 1. change the permission of the winbindd folder chgrp freerad /usr/local/samba/var/locks/winbindd_privileged (freerad is the user to run freeradius) 2. edit the file /usr/local/freeradius/etc/raddb/modules/mschap ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-MYDOMAIN} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00} --require-membership-of=MYDOMAIN\\Certain_Group" (Pay attention to the double back slashes and restart the freeradius) However, I am still very eager to authenticate user with using ldap directly. I cannot fix it as the freeradius log complain: (I have tried binding the samba ac with administrator) 2013-02-28 00:19:32.393910500 [ldap] performing user authorization for peter 2013-02-28 00:19:32.394014500 [ldap] expand: %{Stripped-User-Name} -> 2013-02-28 00:19:32.394016500 [ldap] ... expanding second conditional 2013-02-28 00:19:32.394018500 [ldap] expand: %{User-Name} -> peter 2013-02-28 00:19:32.394020500 [ldap] expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=peter) 2013-02-28 00:19:32.394022500 [ldap] expand: ou=Accounting,dc=samdom,dc=org -> ou=Accounting,dc=samdom,dc=org 2013-02-28 00:19:32.394123500 [ldap] ldap_get_conn: Checking Id: 0 2013-02-28 00:19:32.394125500 [ldap] ldap_get_conn: Got Id: 0 2013-02-28 00:19:32.394127500 [ldap] performing search in ou=Accounting,dc=samdom,dc=org, with filter (sAMAccountName=peter) 2013-02-28 00:19:32.395423500 [ldap] looking for check items in directory... 2013-02-28 00:19:32.395426500 [ldap] looking for reply items in directory... 2013-02-28 00:19:32.395427500 WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? 2013-02-28 00:19:32.395430500 [ldap] user peter authorized to use remote access Any hint? Kinglok, Fong