Someone from FreeRadius suggested I post over here, that Louis recently went down a similar path and might be able to help.

I have a Unifi wireless controller that I want to offer RADIUS authentication. The controller points to the latest version of FreeRadius. Finally, this uses a Samba 4 instance, with integrated LDAP as my PDC. All are running Ubuntu 18.04.

I started from scratch and followed this:
https://blog.stevedong.com/post/how-to-install-and-configure-freeradius-with-active-directory-allow-allow-specific-group-of-users-to-authenticate-in-debian-10/

The following pass:

- wbinfo -a <user>%<password>
- ntlm_auth --request-nt-key --domain=TESTING --username=<user> --password=<password>
- radtest <domain_account> <password> localhost 0 testing123

The following fail:

- radtest -t mschap <user> <password> localhost 0 testing123

Running this gives me "bad username/password" on freeradius. I can see something similar in the samba logs. My assumption is there's something up with this line:

ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=TESTING --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
What you're missing is in the above page.

> https://blog.stevedong.com/post/how-to-install-and-configure-freeradius-with-active-directory-allow-allow-specific-group-of-users-to-authenticate-in-debian-10/

In here, well, this:

- .LOCAL as example. I'll ignore that, but please don't use .local (or .lan).
- Modify /etc/krb5.conf: a normal setup does not need any change at all (but what is shown isn't wrong).
- For using ntlm_auth: (solution in below link)
  https://wiki.samba.org/index.php/Authenticating_Freeradius_against_Active_Directory

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Tyler Montney via samba
> Sent: Tuesday, 23 February 2021 21:34
> To: samba at lists.samba.org
> Subject: [Samba] Samba + FreeRadius + Ubiquiti
>
> Someone from FreeRadius suggested I post over here, that Louis recently
> went down a similar path and might be able to help.
>
> I have a Unifi wireless controller that I want to offer RADIUS
> authentication. The controller points to the latest version of FreeRadius.
> Finally, this uses a Samba 4 instance, with integrated LDAP as my PDC. All
> are running Ubuntu 18.04.
>
> I started from scratch and followed this:
> https://blog.stevedong.com/post/how-to-install-and-configure-freeradius-with-active-directory-allow-allow-specific-group-of-users-to-authenticate-in-debian-10/
>
> The following pass:
>
> - wbinfo -a <user>%<password>
> - ntlm_auth --request-nt-key --domain=TESTING --username=<user> --password=<password>
> - radtest <domain_account> <password> localhost 0 testing123
>
> The following fail:
>
> - radtest -t mschap <user> <password> localhost 0 testing123
>
> Running this gives me "bad username/password" on freeradius. I can see
> something similar in the samba logs. My assumption is there's something up
> with this line:
>
> ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=TESTING --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
Hi Tyler,

I am running a similar scenario with the following ntlm_auth line in /etc/raddb/mods-enabled/mschap:

ntlm_auth = "/usr/bin/ntlm_auth --allow-mschapv2 --request-nt-key --username=%{mschap:User-Name} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00} --domain=%{%{mschap:NT-Domain}:-MYDOMAIN}"

However, I have recently moved to the direct usage of Winbind instead of going via ntlm_auth, which is much faster.

Best regards
Johannes

On Tue, 23 Feb 2021 at 21:35, Tyler Montney via samba <samba at lists.samba.org> wrote:

> Someone from FreeRadius suggested I post over here, that Louis recently
> went down a similar path and might be able to help.
>
> I have a Unifi wireless controller that I want to offer RADIUS
> authentication. The controller points to the latest version of FreeRadius.
> Finally, this uses a Samba 4 instance, with integrated LDAP as my PDC. All
> are running Ubuntu 18.04.
>
> I started from scratch and followed this:
> https://blog.stevedong.com/post/how-to-install-and-configure-freeradius-with-active-directory-allow-allow-specific-group-of-users-to-authenticate-in-debian-10/
>
> The following pass:
>
> - wbinfo -a <user>%<password>
> - ntlm_auth --request-nt-key --domain=TESTING --username=<user> --password=<password>
> - radtest <domain_account> <password> localhost 0 testing123
>
> The following fail:
>
> - radtest -t mschap <user> <password> localhost 0 testing123
>
> Running this gives me "bad username/password" on freeradius. I can see
> something similar in the samba logs. My assumption is there's something up
> with this line:
>
> ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=TESTING --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
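The two ntlm_auth lines in this thread differ in three visible ways: Johannes's working line adds --allow-mschapv2, takes the user name from the MS-CHAP attributes with %{mschap:User-Name} instead of expanding Stripped-User-Name/User-Name, and derives --domain from %{mschap:NT-Domain} with a fallback instead of hard-coding --domain=TESTING. The shell check below is an added example, not code from the thread, from Samba or from FreeRADIUS. It reads the first active ntlm_auth assignment in an mschap module file and reports which of those elements are absent. The two sample files it writes are constructed from the lines posted above; the function and file names (check_ntlm_auth_line, write_sample_configs, mschap-tyler, mschap-johannes) are the example's own.

```shell
#!/bin/sh
# Added example (not from the thread, Samba or FreeRADIUS): lint the ntlm_auth
# line of a FreeRADIUS mschap module file against the elements present in the
# working line Johannes posted. The sample files are constructed from the thread.

# check_ntlm_auth_line FILE
# Prints "missing: <element>" for each element of Johannes's line that is absent
# from the first active (uncommented) ntlm_auth assignment in FILE.
# Returns the number of missing elements (0 = all present), or 100 if FILE
# contains no active ntlm_auth line at all.
check_ntlm_auth_line() {
    file="$1"
    line=$(grep -E '^[[:space:]]*ntlm_auth[[:space:]]*=' "$file" | head -n 1)
    if [ -z "$line" ]; then
        echo "no active ntlm_auth line in $file"
        return 100
    fi
    missing=0
    # Each element is matched as a literal substring of the configured command.
    # The --domain element deliberately stops at ":-" so any fallback name passes.
    for needed in \
        '--allow-mschapv2' \
        '--request-nt-key' \
        '--username=%{mschap:User-Name}' \
        '--challenge=%{%{mschap:Challenge}:-00}' \
        '--nt-response=%{%{mschap:NT-Response}:-00}' \
        '--domain=%{%{mschap:NT-Domain}:-'
    do
        case "$line" in
            *"$needed"*) ;;
            *) echo "missing: $needed"; missing=$((missing + 1)) ;;
        esac
    done
    return "$missing"
}

# write_sample_configs DIR
# Writes two constructed mschap module fragments into DIR: Tyler's failing line
# and Johannes's working line, exactly as quoted in the thread.
write_sample_configs() {
    dir="$1"
    cat > "$dir/mschap-tyler" <<'EOF'
mschap {
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=TESTING --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
}
EOF
    cat > "$dir/mschap-johannes" <<'EOF'
mschap {
    ntlm_auth = "/usr/bin/ntlm_auth --allow-mschapv2 --request-nt-key --username=%{mschap:User-Name} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00} --domain=%{%{mschap:NT-Domain}:-MYDOMAIN}"
}
EOF
}

# Stand-alone use: lint the file given as the first argument, or, with no
# argument, lint the two constructed samples so the difference is visible.
if [ "$#" -ge 1 ]; then
    check_ntlm_auth_line "$1" || echo "-> $? element(s) missing"
else
    tmp=$(mktemp -d)
    write_sample_configs "$tmp"
    for f in "$tmp/mschap-tyler" "$tmp/mschap-johannes"; do
        echo "== $f"
        check_ntlm_auth_line "$f" || echo "-> $? element(s) missing"
    done
    rm -rf "$tmp"
fi
```

Run it with the path of your mschap module file (on Johannes's system that is /etc/raddb/mods-enabled/mschap; the Debian and Ubuntu packages put it under /etc/freeradius, which is an assumption about your layout). Against Tyler's line it reports --allow-mschapv2, --username=%{mschap:User-Name} and the %{mschap:NT-Domain}-based --domain as missing; against Johannes's line it reports nothing. A reported gap is a pointer to what to compare, not proof of the failure: which options your Samba's ntlm_auth requires is documented on the Samba wiki page Louis links to.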