Matthias Kühne | Ellerhold Aktiengesellschaft
2023-Apr-06 07:44 UTC
[Samba] Fwd: ntlm_auth and freeradius
Hello Tim, Hello samba-people,

is there an up-to-date guide for authenticating via freeradius somewhere?

I have some Ubiquiti APs plus a Cloud Key and I want to authenticate WLAN clients via WPA2-Enterprise instead of a (shared) PSK.

It seems like https://wiki.samba.org/index.php/Authenticating_Freeradius_against_Active_Directory is missing some steps (basic setup of freeradius).

Can you write up some of your findings please?

Thanks and happy holidays,
Matthias.

On 04.04.23 at 10:38, Tim ODriscoll via samba wrote:
> Dear All,
>
> Well, this is very embarrassing....
>
> It seems that running 'smbcontrol all reload-config' isn't sufficient for reloading the ntlm config parameters.
>
> I tried restarting the whole samba service on the DC my FR box was authenticating against (systemctl restart sernet-samba-ad) and my test laptop is now connected to the network on the correct VLAN.
>
> I apologise for wasting everyone's time - now I'll get back to cleaning up all the config files and making sure BYOD still works etc.
>
> Thank you,
>
> Tim

-- 
Senior Web Developer
Data Protection Officer

Ellerhold Aktiengesellschaft
Friedrich-List-Str. 4
01445 Radebeul

Phone: +49 (0) 351 83933-61
Web: www.ellerhold.de
Facebook: www.facebook.com/ellerhold.gruppe
Instagram: www.instagram.com/ellerhold.gruppe
Twitter: https://twitter.com/EllerholdGruppe

Amtsgericht Dresden / HRB 23769
Executive Board: Stephan Ellerhold, Maximilian Ellerhold
Chairman of the Supervisory Board: Frank Ellerhold

This e-mail and its attachments are privileged and confidential. If you are not the intended recipient, please notify us and immediately delete this e-mail and its attachments.

You can find our privacy policy here: http://www.ellerhold.de/datenschutz/
I can share my notes, we authenticate UniFi clients via Freeradius against Samba AD. We also check group membership which you might or might not need:

## 4 FreeRADIUS

### 4.1 Basics

```bash
apt install freeradius freeradius-ldap freeradius-utils
# create new DH-params
openssl dhparam -out /etc/freeradius/3.0/certs/dh 2048
```

### 4.2 Configure Authentication

- modify mschap to use winbind, uncomment the following lines

```
# /etc/freeradius/3.0/mods-available/mschap
require_encryption = yes
require_strong = yes
winbind_username = "%{mschap:User-Name}"
winbind_domain = "%{%{mschap:NT-Domain}:-NTDOMAINNAME}"
winbind_retry_with_normalised_username = yes
```

- add to global section in samba conf

```
# /etc/samba/smb.conf
ntlm auth = mschapv2-and-ntlmv2-only
```

- fix perms and restart

```bash
usermod -a -G winbindd_priv freerad
service freeradius restart
service samba-ad-dc restart
```

### 4.3 Configure LDAP (group information)

- enable ldap

```bash
cd /etc/freeradius/3.0/mods-enabled
ln -s ../mods-available/ldap ldap
chown -h freerad:freerad ldap
```

- modify module ldap to retrieve group information

```
# /etc/freeradius/3.0/mods-available/ldap
# "section: key" below means the key inside that subsection, e.g. user { filter = ... }
server = '10.0.1.250'
server = '10.0.1.251'
identity = 'cn=dc01,cn=users,dc=ds,dc=example,dc=com'
password = ***
base_dn = 'cn=users,dc=ds,dc=example,dc=com'
user: filter = "(|(samaccountname=%{%{Stripped-User-Name}:-%{User-Name}})(userprincipalname=%{User-Name}))"
group: filter = "(objectClass=group)"
group: membership_filter = "(member:1.2.840.113556.1.4.1941:=%{control:Ldap-UserDn})"
start_tls = yes
ca_file = /etc/ssl/certs/ca-certificates.crt
```

### 4.4 Configure EAP

- add root.ca and services.ca to certificate store

```bash
cp /home/dcadmin/root.ca.crt /usr/local/share/ca-certificates/
cp /home/dcadmin/service.ca.crt /usr/local/share/ca-certificates/
update-ca-certificates
```

- add radius cert and key

```bash
cp /home/dcadmin/service.radius.key /etc/freeradius/3.0/certs/service.radius.key
cp /home/dcadmin/service.radius.crt /etc/freeradius/3.0/certs/service.radius.crt
chmod 640 /etc/freeradius/3.0/certs/service.radius.*
chown freerad:freerad /etc/freeradius/3.0/certs/service.radius.*
```

- configure eap module to use peap per default

```
# /etc/freeradius/3.0/mods-available/eap
default_eap_type = peap
#private_key_password = whatever
private_key_file = ${certdir}/service.radius.key
certificate_file = ${certdir}/service.radius.crt
tls_min_version = "1.2"
cache: enable = yes
cache: name = "<somename>.radius"
cache: persist_dir = "${logdir}/tlscache"
peap: copy_request_to_tunnel = yes
```

### 4.5 Configure Clients

- add client for UniFi

```
# /etc/freeradius/3.0/clients.conf
client unifi {
    ipaddr = 10.0.1.0/24
    secret = ***
}
```

### 4.6 Configure Authorization

- devices/user via EAP

```
# /etc/freeradius/3.0/sites-enabled/inner-tunnel
post-auth {
    if (!(Ldap-Group == "SOMEGROUP")) {
        reject
    }
}
```

### 4.7 Finish

```bash
service freeradius restart
```

> On Thursday, Apr 06, 2023 at 9:46 AM, Matthias Kühne | Ellerhold Aktiengesellschaft via samba <samba at lists.samba.org> wrote:
> Hello Tim, Hello samba-people,
>
> is there an up-to-date guide for authenticating via freeradius somewhere?
>
> I have some Ubiquiti APs plus a Cloud Key and I want to authenticate
> WLAN clients via WPA2-Enterprise instead of a (shared) PSK.
>
> It seems like
> https://wiki.samba.org/index.php/Authenticating_Freeradius_against_Active_Directory
> is missing some steps (basic setup of freeradius).
>
> Can you write up some of your findings please?
>
> Thanks and happy holidays,
> Matthias.
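As an added check that is not part of the notes above (and not the poster's code): a small Python audit that reads smb.conf and the FreeRADIUS mschap and eap module files and reports whether the settings the notes depend on (ntlm auth = mschapv2-and-ntlmv2-only, require_encryption/require_strong, PEAP with TLS 1.2) are actually present. The embedded configs are constructed samples, and the two parsers are deliberately minimal ones written for this example, not FreeRADIUS or Samba code.

```python
def parse_radius_conf(text):
    """Flatten FreeRADIUS `key = value` / nested `name { }` config into {dotted.path: value} ('#' comments dropped)."""
    settings, path = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.endswith("{"):
            path.append(line[:-1].strip())
        elif line == "}":
            path.pop()
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            settings[".".join(path + [key])] = value.strip("\"'")
    return settings

def smb_global(text):
    """Return the [global] section of an smb.conf as {key: value}; keys lower-cased, whitespace normalised."""
    section, conf = None, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif "=" in line and section == "global":
            key, value = (part.strip() for part in line.split("=", 1))
            conf[" ".join(key.lower().split())] = value
    return conf

# Settings the notes rely on, matched on the last path component so nesting (e.g. tls-config tls-common) does not matter.
REQUIRED = {"mschap": {"require_encryption": "yes", "require_strong": "yes"},
            "eap": {"default_eap_type": "peap", "tls_min_version": "1.2"}}

def audit(smb_conf_text, mschap_text, eap_text):
    """Return findings as strings; an empty list means every checked setting is in place."""
    findings = []
    ntlm = smb_global(smb_conf_text).get("ntlm auth")
    if ntlm != "mschapv2-and-ntlmv2-only":
        findings.append(f"smb.conf: ntlm auth = {ntlm!r}, expected 'mschapv2-and-ntlmv2-only'")
    for module, text in (("mschap", mschap_text), ("eap", eap_text)):
        conf = parse_radius_conf(text)
        for key, want in REQUIRED[module].items():
            got = next((v for k, v in conf.items() if k.rsplit(".", 1)[-1] == key), None)
            if got != want:
                findings.append(f"{module}: {key} = {got!r}, expected {want!r}")
    return findings

SMB_OK = "[global]\n  ntlm auth = mschapv2-and-ntlmv2-only\n"  # constructed sample, not from a real host
MSCHAP_OK = "mschap {\n  require_encryption = yes\n  require_strong = yes\n}\n"  # constructed sample
EAP_OK = ('eap {\n  default_eap_type = peap\n  tls-config tls-common {\n'  # constructed sample
          '    tls_min_version = "1.2"\n    cache {\n      enable = yes\n    }\n  }\n}\n')
```

It only reads the files on disk; as Tim found above, the running samba-ad-dc can still hold the old ntlm auth value until it is restarted, so a clean audit of smb.conf is not proof that the daemon has picked it up.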
Hi Matthias,

> Can you write up some of your findings please?

I've not got my setup exactly as I want it yet. Once it's ready and I can document it, I will make it available.

I also used the guide from freeradius, as well as many other snippets I found. Now I have to remove them all to see which ones are superfluous.

https://wiki.freeradius.org/guide/freeradius-active-directory-integration-howto

Tim