Hi,

My goal is to make use of Samba 4 and FreeRADIUS to authenticate users for a
wifi network (WPA2 Enterprise).

The setup is to set up Samba 4.0.3 on machine A and FreeRADIUS on machine B.

By reading:
Document A: http://wiki.samba.org/index.php/Samba4/beyond
Document B: https://wiki.samba.org/index.php/Samba4/HOWTO/Virtual_Private_Network
Document C: http://www.linuxgfx.co.uk/karoshi/documentation/wiki/index.php?title=Samba4_Testing

Testing a bind to the Samba 4 server from machine B succeeds:

ldapsearch -x -W -h file.sambadom.org -b "ou=accounting,dc=sambadom,dc=org" -D "cn=ldapuser,cn=users,dc=sambadom,dc=org" "(cn=peter)"

Also, the ldap module of FreeRADIUS is configured as follows (the ldap entry in
sites-enabled/default and inner-tunnel is configured as well).
/usr/local/freeradius/etc/raddb/modules/ldap
============================
ldap {
        server = "file.sambadom.org"
        password = "asecurepassword"
        identity = "cn=ldapuser,cn=users,dc=samba4,dc=yauoi,dc=org"
        basedn = "ou=accounting,dc=sambadom,dc=org"
        filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
        ldap_connections_number = 5
        max_uses = 0
        timeout = 4
        timelimit = 3
        net_timeout = 1
        tls {
                start_tls = no
        }
        dictionary_mapping = ${confdir}/ldap.attrmap
        edir_account_policy_check = no
        keepalive {
                idle = 60
                probes = 3
                interval = 3
        }
}
============================
When I try an authentication test on machine B:

eapol_test -c ./peap-mschapv2.conf -s testing123

peap-mschapv2.conf
===================
network={
        ssid="amazonforest"
        scan_ssid=1
        key_mgmt=WPA-EAP
        eap=PEAP
        identity="peter"
        #anonymous_identity="anonymous"
        password="asecurepassword"
        phase2="autheap=MSCHAPV2"
        #
        #  Uncomment the following to perform server certificate validation.
        ca_cert="/usr/local/freeradius/etc/raddb/certs/ca.der"
}
===================

The result is a failure.

Is there anything I did wrong?
Kinglok, Fong
I had good luck using NTLM, rather than LDAP. See:
http://freeradius.1045715.n5.nabble.com/Freeradius-How-to-integrate-Active-Directory-AD-Integration-WindowsXP-NTLM-Tutorial-td2745621.html
----- Original Message -----
From: "Fong Kinglok" <busywater at gmail.com> 
To: samba at lists.samba.org 
Sent: Friday, February 22, 2013 10:18:53 AM 
Subject: [Samba] Samba 4 and freeradius 

In fact, I have tried using NTLM already.

I have successfully set up winbind bundled with Samba 4, including the steps to join Samba 4 as a member server and start up winbindd as a daemon.

However, I encounter two difficulties with using NTLM to authenticate freeradius to Samba 4.
- I have to run freeradius as root in order to read output from winbindd. Even if I change the permission / ownership of /usr/local/samba/var/run/winbindd to freerad, it still cannot work!
- I wish to restrict a group of users to use freeradius to authenticate. However, adding --require-membership-of to freeradius still cannot work.

Kinglok, Fong

On 27 Feb, 2013, at 11:30 AM, Kristofer <kristofer at cybernetik.net> wrote:
> I had good luck using NTLM, rather than LDAP. See:
> http://freeradius.1045715.n5.nabble.com/Freeradius-How-to-integrate-Active-Directory-AD-Integration-WindowsXP-NTLM-Tutorial-td2745621.html
In my experience from setting it up, I was able to get it to run as the
"radiusd" user (used yum repository on CentOS 6.3 to install
freeradius) without any additional tweaking.
I would recommend running freeradius on a machine other than a Samba 4 domain
controller (assuming you already did that).
I used the Samba 3 winbind that comes in the yum repository for CentOS, and
joined the operating system to the domain and ensured that basic login
authentication worked:
yum install samba-winbind-clients samba-winbind
authconfig --updateall --enablewinbind --enablewinbindauth --smbsecurity=ads \
    --smbworkgroup=WORKGROUP --winbindjoin=Administrator --smbrealm=ad.domain.com \
    --winbindtemplatehomedir=/home/%U --enablewinbindusedefaultdomain \
    --enablewinbindoffline --enablemkhomedir --enablelocauthorize
Then in /etc/raddb/modules/ntlm_auth, I set the following to ensure that users
must belong to the "VPN Users" group to authenticate.

exec ntlm_auth {
        wait = yes
        program = "/usr/bin/ntlm_auth --request-nt-key --domain=AD.DOMAIN.COM --username=%{mschap:User-Name} --password=%{User-Password} --require-membership-of=VPN\ Users"
}
On Feb 26, 2013, at 10:17 PM, Kinglok, Fong wrote:
> In fact, I have tried using NTLM already.
> 
> I have successfully setup winbind bundled with Samba 4, including the steps
to join Samba 4 as member server and start up winbindd as daemon.
> 
> However, I encounter two difficulties with using NTLM to authenticate
freeradius to Samba 4.
> - I have to run freeradius as root in order to read output from winbindd. 
Even I change the permission / ownership of /usr/local/samba/var/run/winbindd to
freerad.  It still cannot work!
> - I wish to restrict a group of user to use freeradius to authenticate. 
However, adding --require-membership-of to freeradius still cannot work.
> 
> Kinglok, Fong
On Wed, 2013-02-27 at 12:17 +0800, Kinglok, Fong wrote:
> In fact, I have tried using NTLM already.
>
> I have successfully setup winbind bundled with Samba 4, including the steps
> to join Samba 4 as member server and start up winbindd as daemon.
>
> However, I encounter two difficulties with using NTLM to authenticate
> freeradius to Samba 4.
> - I have to run freeradius as root in order to read output from winbindd.
> Even I change the permission / ownership of /usr/local/samba/var/run/winbindd
> to freerad. It still cannot work!

You need to change the winbind_privileged directory, not the winbindd
directory. The group ownership of this directory should be a group that
servers doing NTLM authentication (such as squid, apache, pptpd and
freeradius) are in.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
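A check for the point Andrew makes, added here as an example (it is not part of the thread, of Samba or of FreeRADIUS): the script reports whether a given service account can reach winbindd's privileged socket directory through its group, which is what ntlm_auth needs when it is run by a non-root daemon. It assumes GNU coreutils (`stat -c`, `id -Gn`); the `smbd -b` lookup of the compiled-in directory is an assumption about Samba's build-options output, and since the real path differs between builds (this thread shows both var/lib and var/locks), pass it explicitly when in doubt.

```shell
#!/bin/sh
# Added example: verify that a service account can reach winbindd's privileged
# pipe directory through group ownership, the fix Andrew describes.
# Assumes GNU coreutils (stat -c, id -Gn). Not part of Samba or FreeRADIUS.

# winbind_priv_dir [DIR]: print DIR if given, else the compiled-in path.
# Assumption: "smbd -b" prints a WINBINDD_PRIVILEGED_SOCKET_DIR line.
winbind_priv_dir() {
    if [ -n "$1" ]; then
        printf '%s\n' "$1"
    else
        smbd -b 2>/dev/null | awk '/WINBINDD_PRIVILEGED_SOCKET_DIR/ { print $2 }'
    fi
}

# check_priv_access DIR USER: 0 if USER is in DIR's group and that group has
# r-x (or r-s) on DIR; 1 if not; 2 if DIR is missing.
check_priv_access() {
    dir=$1
    user=$2
    [ -d "$dir" ] || { echo "missing: $dir" >&2; return 2; }
    grp=$(stat -c %G "$dir")
    gperm=$(stat -c %A "$dir" | cut -c5,7)   # group read and execute/setgid bits
    case " $(id -Gn "$user" 2>/dev/null) " in
        *" $grp "*) ;;
        *) echo "$user is not in group $grp, the group owner of $dir" >&2; return 1 ;;
    esac
    case $gperm in
        rx|rs) ;;
        *) echo "group $grp lacks r-x on $dir ($(stat -c %A "$dir"))" >&2; return 1 ;;
    esac
    echo "ok: $user reaches $dir via group $grp"
}

# Typical use, with the service user and the path from this thread (both build-specific):
#   check_priv_access "$(winbind_priv_dir /usr/local/samba/var/locks/winbindd_privileged)" freerad
```

If the check fails on the group test, `chgrp` the directory to a group the RADIUS user is in (or add the user to the existing group); if it fails on the mode test, the directory needs group read and execute, which is what lets a non-root ntlm_auth open the pipe inside it.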
On 27 Feb, 2013, at 2:26 PM, Andrew Bartlett <abartlet at samba.org> wrote:
> You need to change the winbind_privileged directory, not the winbindd
> directory. The group ownership of this directory should be a group that
> servers doing NTLM authentication (such as squid, apache, pptpd and
> freeradius) are in.

Finally, I got it:

/usr/local/samba/var/lib/winbindd_privileged

not

/usr/local/samba/var/lib/winbind_privileged

Thanks.

Kinglok, Fong
On 27 Feb 2013, at 2:26 PM, Andrew Bartlett wrote:
> You need to change the winbind_privileged directory, not the winbindd
> directory. The group ownership of this directory should be a group that
> servers doing NTLM authentication (such as squid, apache, pptpd and
> freeradius) are in.

Thank you all for giving me the hint!

I have solved the problem by making use of ntlm_auth, with group support, by:

1. changing the permissions of the winbindd folder:

chgrp freerad /usr/local/samba/var/locks/winbindd_privileged

(freerad is the user that runs freeradius)

2. editing the file /usr/local/freeradius/etc/raddb/modules/mschap:

ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-MYDOMAIN} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00} --require-membership-of=MYDOMAIN\\Certain_Group"

(Pay attention to the double backslashes, and restart freeradius.)

However, I am still very eager to authenticate users using LDAP directly. I cannot fix it, as the freeradius log complains (I have tried binding the samba ac with administrator):

2013-02-28 00:19:32.393910500 [ldap] performing user authorization for peter
2013-02-28 00:19:32.394014500 [ldap] expand: %{Stripped-User-Name} -> 
2013-02-28 00:19:32.394016500 [ldap] ... expanding second conditional
2013-02-28 00:19:32.394018500 [ldap] expand: %{User-Name} -> peter
2013-02-28 00:19:32.394020500 [ldap] expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=peter)
2013-02-28 00:19:32.394022500 [ldap] expand: ou=Accounting,dc=samdom,dc=org -> ou=Accounting,dc=samdom,dc=org
2013-02-28 00:19:32.394123500 [ldap] ldap_get_conn: Checking Id: 0
2013-02-28 00:19:32.394125500 [ldap] ldap_get_conn: Got Id: 0
2013-02-28 00:19:32.394127500 [ldap] performing search in ou=Accounting,dc=samdom,dc=org, with filter (sAMAccountName=peter)
2013-02-28 00:19:32.395423500 [ldap] looking for check items in directory...
2013-02-28 00:19:32.395426500 [ldap] looking for reply items in directory...
2013-02-28 00:19:32.395427500 WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
2013-02-28 00:19:32.395430500 [ldap] user peter authorized to use remote access

Any hint?

Kinglok, Fong