Hi Matthias, we?re using Debian Bullseye with the backports repo. So version is a mixture of - Samba version 4.17.3-Debian - Samba version 4.17.7-Debian We?ve installed it directly on the DC?s as well. In my opinion using "ntlm auth = yes? should be fine. Did you try using a simple RADIUS secret? In my experience long secrets or ones containing special characters don?t work very well. I would use alphanumerical only and no longer than 16 chars. We successfully use it to authenticate UniFi clients and IKEv2 roadwarriors (using OPNsense). I believe you set lanman auth = yes as well, right? Does Samba give you anything in the logs? That way you might be able to narrow it down? Alexander> On Wednesday, Apr 12, 2023 at 12:21 PM, Matthias K?hne | Ellerhold Aktiengesellschaft via samba <samba at lists.samba.org (mailto:samba at lists.samba.org)> wrote: > Hello Alexander, > > thanks Alexander for these configuration snippets. > > Which version of Samba are you using? Is this on debian bullseye? Is the > FreeRADIUS server installed on a DC or on a Domain Member? (I just > tested the latter). > > is "ntlm auth = yes" OK for the DCs and the domain member or does it > have to be "mschapv2-and-ntlmv2-only" for all servers (DCs + Member)? It > looks like "yes" is broader and it should work? Sadly we need "yes" for > other applications... > > Im sad to say that I cant get it to work. Neither "radtest" nor my > Ubiquity APs... > > I always get > > (3) mschap: ERROR: When trying to update a password, this return status > indicates that the value provided as the current password is not > correct. [0xC000006A] > (3) mschap: ERROR: MS-CHAP2-Response is incorrect > > Similar error while using "ntlm_auth" instead of the direct winbind > connections. > > Using ntlm_auth with --username and --password works. Using ntlm_auth > with --challenge results in the same error message above. > > Any help would be much appreciated, otherwise we're going to switch to > SQL or file based auth (with cleartext password *shudder*). > > Thanks and have a nice day, Matthias. > > Am 06.04.23 um 09:56 schrieb Alexander Harm || ApfelQ via samba: > > I can share my notes, we authenticate UniFi clients via Freeradius against Samba AD. We also check group membership which you might or might not need: > > > > ## 4 FreeRADIUS > > > > ### 4.1 Basics > > > > ```bash > > apt install freeradius freeradius-ldap freeradius-utils > > > > # create new DH-params > > openssl dhparam -out /etc/freeradius/3.0/certs/dh 2048 > > ``` > > > > ### 4.2 Configure Authentication > > > > - modify mschap to use winbind, uncomment the following lines > > > > ``` > > # /etc/freeradius/3.0/mods-available/mschap > > require_encryption = yes > > require_strong = yes > > winbind_username = "%{mschap:User-Name}" > > winbind_domain = "%{%{mschap:NT-Domain}:-NTDOMAINNAME}" > > winbind_retry_with_normalised_username = yes > > ``` > > > > - add to global section in samba conf > > > > ``` > > # /etc/samba/smb.conf > > ntlm auth = mschapv2-and-ntlmv2-only > > ``` > > > > - fix perms and restart > > > > ```bash > > usermod -a -G winbindd_priv freerad > > service freeradius restart > > service samba-ad-dc restart > > ``` > > > > ### 4.3 Configure LDAP (group information) > > > > - enable ldap > > > > ```bash > > cd /etc/freeradius/3.0/mods-enabled > > ln -s ../mods-available/ldap ldap > > chown -h freerad:freerad ldap > > ``` > > > > - modify module ldap to retrieve group information > > > > ``` > > # /etc/freeradius/3.0/mods-available/ldap > > server = '10.0.1.250' > > server = '10.0.1.251' > > identity = 'cn=dc01,cn=users,dc=ds,dc=example,dc=com' > > password = *** > > base_dn = 'cn=users,dc=ds,dc=example,dc=com' > > user: filter = "(|(samaccountname=%{%{Stripped-User-Name}:-%{User-Name}})(userprincipalname=%{User-Name}))" > > group: filter = "(objectClasse=group)" > > group: membership_filter = "(member:1.2.840.113556.1.4.1941:=%{control:Ldap-UserDn})" > > start_tls = yes > > ca_file = /etc/ssl/certs/ca-certificates.crt > > ``` > > > > ### 4.4 Configure EAP > > > > - add root.ca and services.ca to certificate store > > > > ```bash > > cp /home/dcadmin/root.ca.crt /usr/local/share/ca-certificates/ > > cp /home/dcadmin/service.ca.crt /usr/local/share/ca-certificates/ > > update-ca-certificates > > ``` > > > > - add radius cert and key > > > > ```bash > > cp /home/dcadmin/service.radius.key /etc/freeradius/3.0/certs/service.radius.key > > cp /home/dcadmin/service.radius.crt /etc/freeradius/3.0/certs/service.radius.crt > > > > chmod 640 /etc/freeradius/3.0/certs/service.radius.* > > chown freerad:freerad /etc/freeradius/3.0/certs/service.radius.* > > ``` > > > > - configure eap module to use peap per default > > > > ``` > > # /etc/freeradius/3.0/mods-available/eap > > default_eap_type = peap > > > > #private_key_password = whatever > > private_key_file = ${certdir}/service.radius.key > > certificate_file = ${certdir}/service.radius.crt > > > > tls_min_version = "1.2" > > > > cache: enable = yes > > cache: name = ?<somename>.radius" > > cache: persist_dir = "${logdir}/tlscache" > > > > peap: copy_request_to_tunnel = yes > > ``` > > > > ### 4.5 Configure Clients > > > > - add client for UniFi > > > > ``` > > # /etc/freeradius/3.0/clients.conf > > client unifi { > > ipaddr = 10.0.1.0/24 > > secret = *** > > } > > ``` > > > > ### 4.6 Configure Authorization > > > > - devices/user via EAP > > > > ``` > > # /etc/freeradius/3.0/sites-enabled/inner-tunnel > > post-auth { > > if (!(Ldap-Group == ?SOMEGROUP")) { > > reject > > } > > ``` > > > > ### 4.7 Finish > > > > ```bash > > service freeradius restart > > ``` > > > > > On Thursday, Apr 06, 2023 at 9:46 AM, Matthias K?hne | Ellerhold Aktiengesellschaft via samba <samba at lists.samba.org (mailto:samba at lists.samba.org)> wrote: > > > Hello Tim, Hello samba-people, > > > > > > is there an uptodate guide for authenticating via freeradius somewhere? > > > > > > I have some Ubiquiti APs plus a Cloud Key and I want to authenticate > > > WLAN clients via WPA2-Enterprise instead of a (shared) PSK. > > > > > > It seems like > > > https://wiki.samba.org/index.php/Authenticating_Freeradius_against_Active_Directory > > > is missing some steps (basic setup of freeradius). > > > > > > Can you write up some of your findings please? > > > > > > Thanks and happy holidays, > > > Matthias. > > > > > > Am 04.04.23 um 10:38 schrieb Tim ODriscoll via samba: > > > > Dear All, > > > > > > > > Well, this is very embarrassing.... > > > > > > > > It seems that running 'smbcontrol all reload-config' isn't sufficient for reloading the ntlm config parameters. > > > > > > > > I tried restarting the whole samba service on the DC my FR box was authenticating against (systemctl restart sernet-samba-ad) and my test laptop is now connected to the network on the correct VLAN. > > > > > > > > I apologise for wasting everyone's time - now I'll get back to cleaning up all the config files and making sure BYOD still works etc. > > > > > > > > Thank you, > > > > > > > > Tim > > > -- > > > Senior Webentwickler > > > Datenschutzbeauftragter > > > > > > Ellerhold Aktiengesellschaft > > > Friedrich-List-Str. 4 > > > 01445 Radebeul > > > > > > Telefon: +49 (0) 351 83933-61 > > > Web: www.ellerhold.de > > > Facebook: www.facebook.com/ellerhold.gruppe > > > Instagram: www.instagram.com/ellerhold.gruppe > > > Twitter: https://twitter.com/EllerholdGruppe > > > > > > Amtsgericht Dresden / HRB 23769 > > > Vorstand: Stephan Ellerhold, Maximilian Ellerhold > > > Vorsitzender des Aufsichtsrates: Frank Ellerhold > > > > > > > > > > > > ---Diese E-Mail und Ihre Anlagen enthalten vertrauliche Mitteilungen. Sollten Sie nicht der beabsichtigte Adressat sein, so bitten wir Sie um Mitteilung und um sofortiges l?schen dieser E-Mail und der Anlagen. > > > > > > Unsere Hinweise zum Datenschutz finden Sie hier: http://www.ellerhold.de/datenschutz/ > > > > > > This e-mail and its attachments are privileged and confidential. If you are not the intended recipient, please notify us and immediately delete this e-mail and its attachments. > > > > > > You can find our privacy policy here: http://www.ellerhold.de/datenschutz/ > > > > > > > > > -- > > > To unsubscribe from this list go to the following URL and read the > > > instructions: https://lists.samba.org/mailman/options/samba > > -- > Senior Webentwickler > Datenschutzbeauftragter > > Ellerhold Aktiengesellschaft > Friedrich-List-Str. 4 > 01445 Radebeul > > Telefon: +49 (0) 351 83933-61 > Web: www.ellerhold.de > Facebook: www.facebook.com/ellerhold.gruppe > Instagram: www.instagram.com/ellerhold.gruppe > Twitter: https://twitter.com/EllerholdGruppe > > Amtsgericht Dresden / HRB 23769 > Vorstand: Stephan Ellerhold, Maximilian Ellerhold > Vorsitzender des Aufsichtsrates: Frank Ellerhold > > > > ---Diese E-Mail und Ihre Anlagen enthalten vertrauliche Mitteilungen. Sollten Sie nicht der beabsichtigte Adressat sein, so bitten wir Sie um Mitteilung und um sofortiges l?schen dieser E-Mail und der Anlagen. > > Unsere Hinweise zum Datenschutz finden Sie hier: http://www.ellerhold.de/datenschutz/ > > This e-mail and its attachments are privileged and confidential. If you are not the intended recipient, please notify us and immediately delete this e-mail and its attachments. > > You can find our privacy policy here: http://www.ellerhold.de/datenschutz/ > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba
Matthias Kühne | Ellerhold Aktiengesellschaft
2023-Apr-12 11:27 UTC
[Samba] Fwd: ntlm_auth and freeradius
Hi Alexander, I'm terribly sorry. We didnt have the "ntlm auth" parameter configured on the DCs at all. I added it and it just works. Thanks for your help. Now I just need to figure out how I can make WLAN-specific LDAP-Group authentication. e. g. production WLAN needs LDAP group "wlan_production" and management WLAN needs the "wlan_management" group. I guess post_auth may be the correct place for that. You've helped tremendously, thanks again! Am 12.04.23 um 13:20 schrieb Alexander Harm || ApfelQ:> Hi Matthias, > > we?re using Debian Bullseye with the backports repo. So version is a > mixture of > > -?Samba version 4.17.3-Debian > -?Samba version 4.17.7-Debian > > We?ve installed it directly on the DC?s as well. > > In my opinion using ?"ntlm auth = yes? should be fine. > > Did you try using a simple RADIUS secret? In my experience long > secrets or ones containing special characters ?don?t work very well. I > would use alphanumerical only and no longer than 16 chars. > > We successfully use it to authenticate UniFi clients and IKEv2 > roadwarriors (using OPNsense). > > I believe you set > > lanman auth = yes > > as well, right? > > Does Samba give you anything in the logs? That way you might be able > to narrow it down? > > Alexander > > On Wednesday, Apr 12, 2023 at 12:21 PM, Matthias K?hne | Ellerhold > Aktiengesellschaft via samba <samba at lists.samba.org> wrote: > Hello Alexander, > > thanks Alexander for these configuration snippets. > > Which version of Samba are you using? Is this on debian bullseye? > Is the > FreeRADIUS server installed on a DC or on a Domain Member? (I just > tested the latter). > > is "ntlm auth = yes" OK for the DCs and the domain member or does it > have to be "mschapv2-and-ntlmv2-only" for all servers (DCs + > Member)? It > looks like "yes" is broader and it should work? Sadly we need > "yes" for > other applications... > > Im sad to say that I cant get it to work. Neither "radtest" nor my > Ubiquity APs... > > I always get > > (3) mschap: ERROR: When trying to update a password, this return > status > indicates that the value provided as the current password is not > correct. [0xC000006A] > (3) mschap: ERROR: MS-CHAP2-Response is incorrect > > Similar error while using "ntlm_auth" instead of the direct winbind > connections. > > Using ntlm_auth with --username and --password works. Using ntlm_auth > with --challenge results in the same error message above. > > Any help would be much appreciated, otherwise we're going to > switch to > SQL or file based auth (with cleartext password *shudder*). > > Thanks and have a nice day, Matthias. > > Am 06.04.23 um 09:56 schrieb Alexander Harm || ApfelQ via samba: >> I can share my notes, we authenticate UniFi clients via >> Freeradius against Samba AD. We also check group membership which >> you might or might not need: >> >> ## 4 FreeRADIUS >> >> ### 4.1 Basics >> >> ```bash >> apt install freeradius freeradius-ldap freeradius-utils >> >> # create new DH-params >> openssl dhparam -out /etc/freeradius/3.0/certs/dh 2048 >> ``` >> >> ### 4.2 Configure Authentication >> >> - modify mschap to use winbind, uncomment the following lines >> >> ``` >> # /etc/freeradius/3.0/mods-available/mschap >> require_encryption = yes >> require_strong = yes >> winbind_username = "%{mschap:User-Name}" >> winbind_domain = "%{%{mschap:NT-Domain}:-NTDOMAINNAME}" >> winbind_retry_with_normalised_username = yes >> ``` >> >> - add to global section in samba conf >> >> ``` >> # /etc/samba/smb.conf >> ntlm auth = mschapv2-and-ntlmv2-only >> ``` >> >> - fix perms and restart >> >> ```bash >> usermod -a -G winbindd_priv freerad >> service freeradius restart >> service samba-ad-dc restart >> ``` >> >> ### 4.3 Configure LDAP (group information) >> >> - enable ldap >> >> ```bash >> cd /etc/freeradius/3.0/mods-enabled >> ln -s ../mods-available/ldap ldap >> chown -h freerad:freerad ldap >> ``` >> >> - modify module ldap to retrieve group information >> >> ``` >> # /etc/freeradius/3.0/mods-available/ldap >> server = '10.0.1.250' >> server = '10.0.1.251' >> identity = 'cn=dc01,cn=users,dc=ds,dc=example,dc=com' >> password = *** >> base_dn = 'cn=users,dc=ds,dc=example,dc=com' >> user: filter >> "(|(samaccountname=%{%{Stripped-User-Name}:-%{User-Name}})(userprincipalname=%{User-Name}))" >> group: filter = "(objectClasse=group)" >> group: membership_filter >> "(member:1.2.840.113556.1.4.1941:=%{control:Ldap-UserDn})" >> start_tls = yes >> ca_file = /etc/ssl/certs/ca-certificates.crt >> ``` >> >> ### 4.4 Configure EAP >> >> - add root.ca and services.ca to certificate store >> >> ```bash >> cp /home/dcadmin/root.ca.crt /usr/local/share/ca-certificates/ >> cp /home/dcadmin/service.ca.crt /usr/local/share/ca-certificates/ >> update-ca-certificates >> ``` >> >> - add radius cert and key >> >> ```bash >> cp /home/dcadmin/service.radius.key >> /etc/freeradius/3.0/certs/service.radius.key >> cp /home/dcadmin/service.radius.crt >> /etc/freeradius/3.0/certs/service.radius.crt >> >> chmod 640 /etc/freeradius/3.0/certs/service.radius.* >> chown freerad:freerad /etc/freeradius/3.0/certs/service.radius.* >> ``` >> >> - configure eap module to use peap per default >> >> ``` >> # /etc/freeradius/3.0/mods-available/eap >> default_eap_type = peap >> >> #private_key_password = whatever >> private_key_file = ${certdir}/service.radius.key >> certificate_file = ${certdir}/service.radius.crt >> >> tls_min_version = "1.2" >> >> cache: enable = yes >> cache: name = ?<somename>.radius" >> cache: persist_dir = "${logdir}/tlscache" >> >> peap: copy_request_to_tunnel = yes >> ``` >> >> ### 4.5 Configure Clients >> >> - add client for UniFi >> >> ``` >> # /etc/freeradius/3.0/clients.conf >> client unifi { >> ipaddr = 10.0.1.0/24 >> secret = *** >> } >> ``` >> >> ### 4.6 Configure Authorization >> >> - devices/user via EAP >> >> ``` >> # /etc/freeradius/3.0/sites-enabled/inner-tunnel >> post-auth { >> if (!(Ldap-Group == ?SOMEGROUP")) { >> reject >> } >> ``` >> >> ### 4.7 Finish >> >> ```bash >> service freeradius restart >> ``` >> >>> On Thursday, Apr 06, 2023 at 9:46 AM, Matthias K?hne | Ellerhold >>> Aktiengesellschaft via samba <samba at lists.samba.org >>> (mailto:samba at lists.samba.org)> wrote: >>> Hello Tim, Hello samba-people, >>> >>> is there an uptodate guide for authenticating via freeradius >>> somewhere? >>> >>> I have some Ubiquiti APs plus a Cloud Key and I want to authenticate >>> WLAN clients via WPA2-Enterprise instead of a (shared) PSK. >>> >>> It seems like >>> https://wiki.samba.org/index.php/Authenticating_Freeradius_against_Active_Directory >>> is missing some steps (basic setup of freeradius). >>> >>> Can you write up some of your findings please? >>> >>> Thanks and happy holidays, >>> Matthias. >>> >>> Am 04.04.23 um 10:38 schrieb Tim ODriscoll via samba: >>>> Dear All, >>>> >>>> Well, this is very embarrassing.... >>>> >>>> It seems that running 'smbcontrol all reload-config' isn't >>>> sufficient for reloading the ntlm config parameters. >>>> >>>> I tried restarting the whole samba service on the DC my FR box >>>> was authenticating against (systemctl restart sernet-samba-ad) >>>> and my test laptop is now connected to the network on the >>>> correct VLAN. >>>> >>>> I apologise for wasting everyone's time - now I'll get back to >>>> cleaning up all the config files and making sure BYOD still >>>> works etc. >>>> >>>> Thank you, >>>> >>>> Tim >>> -- >>> Senior Webentwickler >>> Datenschutzbeauftragter >>> >>> Ellerhold Aktiengesellschaft >>> Friedrich-List-Str. 4 >>> 01445 Radebeul >>> >>> Telefon: +49 (0) 351 83933-61 >>> Web: www.ellerhold.de >>> Facebook: www.facebook.com/ellerhold.gruppe >>> Instagram: www.instagram.com/ellerhold.gruppe >>> Twitter: https://twitter.com/EllerholdGruppe >>> >>> Amtsgericht Dresden / HRB 23769 >>> Vorstand: Stephan Ellerhold, Maximilian Ellerhold >>> Vorsitzender des Aufsichtsrates: Frank Ellerhold >>> >>> >>> >>> ---Diese E-Mail und Ihre Anlagen enthalten vertrauliche >>> Mitteilungen. Sollten Sie nicht der beabsichtigte Adressat sein, >>> so bitten wir Sie um Mitteilung und um sofortiges l?schen dieser >>> E-Mail und der Anlagen. >>> >>> Unsere Hinweise zum Datenschutz finden Sie hier: >>> http://www.ellerhold.de/datenschutz/ >>> >>> This e-mail and its attachments are privileged and confidential. >>> If you are not the intended recipient, please notify us and >>> immediately delete this e-mail and its attachments. >>> >>> You can find our privacy policy here: >>> http://www.ellerhold.de/datenschutz/ >>> >>> >>> -- >>> To unsubscribe from this list go to the following URL and read the >>> instructions: https://lists.samba.org/mailman/options/samba > > -- > Senior Webentwickler > Datenschutzbeauftragter > > Ellerhold Aktiengesellschaft > Friedrich-List-Str. 4 > 01445 Radebeul > > Telefon: +49 (0) 351 83933-61 > Web: www.ellerhold.de > Facebook: www.facebook.com/ellerhold.gruppe > Instagram: www.instagram.com/ellerhold.gruppe > Twitter: https://twitter.com/EllerholdGruppe > > Amtsgericht Dresden / HRB 23769 > Vorstand: Stephan Ellerhold, Maximilian Ellerhold > Vorsitzender des Aufsichtsrates: Frank Ellerhold > > > > ---Diese E-Mail und Ihre Anlagen enthalten vertrauliche > Mitteilungen. Sollten Sie nicht der beabsichtigte Adressat sein, > so bitten wir Sie um Mitteilung und um sofortiges l?schen dieser > E-Mail und der Anlagen. > > Unsere Hinweise zum Datenschutz finden Sie hier: > http://www.ellerhold.de/datenschutz/ > > This e-mail and its attachments are privileged and confidential. > If you are not the intended recipient, please notify us and > immediately delete this e-mail and its attachments. > > You can find our privacy policy here: > http://www.ellerhold.de/datenschutz/ > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba >-- Senior Webentwickler Datenschutzbeauftragter Ellerhold Aktiengesellschaft Friedrich-List-Str. 4 01445 Radebeul Telefon: +49 (0) 351 83933-61 Web:www.ellerhold.de Facebook:www.facebook.com/ellerhold.gruppe Instagram:www.instagram.com/ellerhold.gruppe Twitter:https://twitter.com/EllerholdGruppe Amtsgericht Dresden / HRB 23769 Vorstand: Stephan Ellerhold, Maximilian Ellerhold Vorsitzender des Aufsichtsrates: Frank Ellerhold ---Diese E-Mail und Ihre Anlagen enthalten vertrauliche Mitteilungen. Sollten Sie nicht der beabsichtigte Adressat sein, so bitten wir Sie um Mitteilung und um sofortiges l?schen dieser E-Mail und der Anlagen. Unsere Hinweise zum Datenschutz finden Sie hier: http://www.ellerhold.de/datenschutz/ This e-mail and its attachments are privileged and confidential. If you are not the intended recipient, please notify us and immediately delete this e-mail and its attachments. You can find our privacy policy here: http://www.ellerhold.de/datenschutz/