Matthias Kühne | Ellerhold Aktiengesellschaft
2023-Apr-12 10:20 UTC
[Samba] Fwd: ntlm_auth and freeradius
Hello Alexander, thanks Alexander for these configuration snippets. Which version of Samba are you using? Is this on debian bullseye? Is the FreeRADIUS server installed on a DC or on a Domain Member? (I just tested the latter). is "ntlm auth = yes" OK for the DCs and the domain member or does it have to be "mschapv2-and-ntlmv2-only" for all servers (DCs + Member)? It looks like "yes" is broader and it should work? Sadly we need "yes" for other applications... Im sad to say that I cant get it to work. Neither "radtest" nor my Ubiquity APs... I always get (3) mschap: ERROR: When trying to update a password, this return status indicates that the value provided as the current password is not correct. [0xC000006A] (3) mschap: ERROR: MS-CHAP2-Response is incorrect Similar error while using "ntlm_auth" instead of the direct winbind connections. Using ntlm_auth with --username and --password works. Using ntlm_auth with --challenge results in the same error message above. Any help would be much appreciated, otherwise we're going to switch to SQL or file based auth (with cleartext password *shudder*). Thanks and have a nice day, Matthias. Am 06.04.23 um 09:56 schrieb Alexander Harm || ApfelQ via samba:> I can share my notes, we authenticate UniFi clients via Freeradius against Samba AD. We also check group membership which you might or might not need: > > ## 4 FreeRADIUS > > ### 4.1 Basics > > ```bash > apt install freeradius freeradius-ldap freeradius-utils > > # create new DH-params > openssl dhparam -out /etc/freeradius/3.0/certs/dh 2048 > ``` > > ### 4.2 Configure Authentication > > - modify mschap to use winbind, uncomment the following lines > > ``` > # /etc/freeradius/3.0/mods-available/mschap > require_encryption = yes > require_strong = yes > winbind_username = "%{mschap:User-Name}" > winbind_domain = "%{%{mschap:NT-Domain}:-NTDOMAINNAME}" > winbind_retry_with_normalised_username = yes > ``` > > - add to global section in samba conf > > ``` > # /etc/samba/smb.conf > ntlm auth = mschapv2-and-ntlmv2-only > ``` > > - fix perms and restart > > ```bash > usermod -a -G winbindd_priv freerad > service freeradius restart > service samba-ad-dc restart > ``` > > ### 4.3 Configure LDAP (group information) > > - enable ldap > > ```bash > cd /etc/freeradius/3.0/mods-enabled > ln -s ../mods-available/ldap ldap > chown -h freerad:freerad ldap > ``` > > - modify module ldap to retrieve group information > > ``` > # /etc/freeradius/3.0/mods-available/ldap > server = '10.0.1.250' > server = '10.0.1.251' > identity = 'cn=dc01,cn=users,dc=ds,dc=example,dc=com' > password = *** > base_dn = 'cn=users,dc=ds,dc=example,dc=com' > user: filter = "(|(samaccountname=%{%{Stripped-User-Name}:-%{User-Name}})(userprincipalname=%{User-Name}))" > group: filter = "(objectClasse=group)" > group: membership_filter = "(member:1.2.840.113556.1.4.1941:=%{control:Ldap-UserDn})" > start_tls = yes > ca_file = /etc/ssl/certs/ca-certificates.crt > ``` > > ### 4.4 Configure EAP > > - add root.ca and services.ca to certificate store > > ```bash > cp /home/dcadmin/root.ca.crt /usr/local/share/ca-certificates/ > cp /home/dcadmin/service.ca.crt /usr/local/share/ca-certificates/ > update-ca-certificates > ``` > > - add radius cert and key > > ```bash > cp /home/dcadmin/service.radius.key /etc/freeradius/3.0/certs/service.radius.key > cp /home/dcadmin/service.radius.crt /etc/freeradius/3.0/certs/service.radius.crt > > chmod 640 /etc/freeradius/3.0/certs/service.radius.* > chown freerad:freerad /etc/freeradius/3.0/certs/service.radius.* > ``` > > - configure eap module to use peap per default > > ``` > # /etc/freeradius/3.0/mods-available/eap > default_eap_type = peap > > #private_key_password = whatever > private_key_file = ${certdir}/service.radius.key > certificate_file = ${certdir}/service.radius.crt > > tls_min_version = "1.2" > > cache: enable = yes > cache: name = ?<somename>.radius" > cache: persist_dir = "${logdir}/tlscache" > > peap: copy_request_to_tunnel = yes > ``` > > ### 4.5 Configure Clients > > - add client for UniFi > > ``` > # /etc/freeradius/3.0/clients.conf > client unifi { > ipaddr = 10.0.1.0/24 > secret = *** > } > ``` > > ### 4.6 Configure Authorization > > - devices/user via EAP > > ``` > # /etc/freeradius/3.0/sites-enabled/inner-tunnel > post-auth { > if (!(Ldap-Group == ?SOMEGROUP")) { > reject > } > ``` > > ### 4.7 Finish > > ```bash > service freeradius restart > ``` > >> On Thursday, Apr 06, 2023 at 9:46 AM, Matthias K?hne | Ellerhold Aktiengesellschaft via samba <samba at lists.samba.org (mailto:samba at lists.samba.org)> wrote: >> Hello Tim, Hello samba-people, >> >> is there an uptodate guide for authenticating via freeradius somewhere? >> >> I have some Ubiquiti APs plus a Cloud Key and I want to authenticate >> WLAN clients via WPA2-Enterprise instead of a (shared) PSK. >> >> It seems like >> https://wiki.samba.org/index.php/Authenticating_Freeradius_against_Active_Directory >> is missing some steps (basic setup of freeradius). >> >> Can you write up some of your findings please? >> >> Thanks and happy holidays, >> Matthias. >> >> Am 04.04.23 um 10:38 schrieb Tim ODriscoll via samba: >>> Dear All, >>> >>> Well, this is very embarrassing.... >>> >>> It seems that running 'smbcontrol all reload-config' isn't sufficient for reloading the ntlm config parameters. >>> >>> I tried restarting the whole samba service on the DC my FR box was authenticating against (systemctl restart sernet-samba-ad) and my test laptop is now connected to the network on the correct VLAN. >>> >>> I apologise for wasting everyone's time - now I'll get back to cleaning up all the config files and making sure BYOD still works etc. >>> >>> Thank you, >>> >>> Tim >> -- >> Senior Webentwickler >> Datenschutzbeauftragter >> >> Ellerhold Aktiengesellschaft >> Friedrich-List-Str. 4 >> 01445 Radebeul >> >> Telefon: +49 (0) 351 83933-61 >> Web: www.ellerhold.de >> Facebook: www.facebook.com/ellerhold.gruppe >> Instagram: www.instagram.com/ellerhold.gruppe >> Twitter: https://twitter.com/EllerholdGruppe >> >> Amtsgericht Dresden / HRB 23769 >> Vorstand: Stephan Ellerhold, Maximilian Ellerhold >> Vorsitzender des Aufsichtsrates: Frank Ellerhold >> >> >> >> ---Diese E-Mail und Ihre Anlagen enthalten vertrauliche Mitteilungen. Sollten Sie nicht der beabsichtigte Adressat sein, so bitten wir Sie um Mitteilung und um sofortiges l?schen dieser E-Mail und der Anlagen. >> >> Unsere Hinweise zum Datenschutz finden Sie hier: http://www.ellerhold.de/datenschutz/ >> >> This e-mail and its attachments are privileged and confidential. If you are not the intended recipient, please notify us and immediately delete this e-mail and its attachments. >> >> You can find our privacy policy here: http://www.ellerhold.de/datenschutz/ >> >> >> -- >> To unsubscribe from this list go to the following URL and read the >> instructions: https://lists.samba.org/mailman/options/samba-- Senior Webentwickler Datenschutzbeauftragter Ellerhold Aktiengesellschaft Friedrich-List-Str. 4 01445 Radebeul Telefon: +49 (0) 351 83933-61 Web: www.ellerhold.de Facebook: www.facebook.com/ellerhold.gruppe Instagram: www.instagram.com/ellerhold.gruppe Twitter: https://twitter.com/EllerholdGruppe Amtsgericht Dresden / HRB 23769 Vorstand: Stephan Ellerhold, Maximilian Ellerhold Vorsitzender des Aufsichtsrates: Frank Ellerhold ---Diese E-Mail und Ihre Anlagen enthalten vertrauliche Mitteilungen. Sollten Sie nicht der beabsichtigte Adressat sein, so bitten wir Sie um Mitteilung und um sofortiges l?schen dieser E-Mail und der Anlagen. Unsere Hinweise zum Datenschutz finden Sie hier: http://www.ellerhold.de/datenschutz/ This e-mail and its attachments are privileged and confidential. If you are not the intended recipient, please notify us and immediately delete this e-mail and its attachments. You can find our privacy policy here: http://www.ellerhold.de/datenschutz/
Hi Matthias, we?re using Debian Bullseye with the backports repo. So version is a mixture of - Samba version 4.17.3-Debian - Samba version 4.17.7-Debian We?ve installed it directly on the DC?s as well. In my opinion using "ntlm auth = yes? should be fine. Did you try using a simple RADIUS secret? In my experience long secrets or ones containing special characters don?t work very well. I would use alphanumerical only and no longer than 16 chars. We successfully use it to authenticate UniFi clients and IKEv2 roadwarriors (using OPNsense). I believe you set lanman auth = yes as well, right? Does Samba give you anything in the logs? That way you might be able to narrow it down? Alexander> On Wednesday, Apr 12, 2023 at 12:21 PM, Matthias K?hne | Ellerhold Aktiengesellschaft via samba <samba at lists.samba.org (mailto:samba at lists.samba.org)> wrote: > Hello Alexander, > > thanks Alexander for these configuration snippets. > > Which version of Samba are you using? Is this on debian bullseye? Is the > FreeRADIUS server installed on a DC or on a Domain Member? (I just > tested the latter). > > is "ntlm auth = yes" OK for the DCs and the domain member or does it > have to be "mschapv2-and-ntlmv2-only" for all servers (DCs + Member)? It > looks like "yes" is broader and it should work? Sadly we need "yes" for > other applications... > > Im sad to say that I cant get it to work. Neither "radtest" nor my > Ubiquity APs... > > I always get > > (3) mschap: ERROR: When trying to update a password, this return status > indicates that the value provided as the current password is not > correct. [0xC000006A] > (3) mschap: ERROR: MS-CHAP2-Response is incorrect > > Similar error while using "ntlm_auth" instead of the direct winbind > connections. > > Using ntlm_auth with --username and --password works. Using ntlm_auth > with --challenge results in the same error message above. > > Any help would be much appreciated, otherwise we're going to switch to > SQL or file based auth (with cleartext password *shudder*). > > Thanks and have a nice day, Matthias. > > Am 06.04.23 um 09:56 schrieb Alexander Harm || ApfelQ via samba: > > I can share my notes, we authenticate UniFi clients via Freeradius against Samba AD. We also check group membership which you might or might not need: > > > > ## 4 FreeRADIUS > > > > ### 4.1 Basics > > > > ```bash > > apt install freeradius freeradius-ldap freeradius-utils > > > > # create new DH-params > > openssl dhparam -out /etc/freeradius/3.0/certs/dh 2048 > > ``` > > > > ### 4.2 Configure Authentication > > > > - modify mschap to use winbind, uncomment the following lines > > > > ``` > > # /etc/freeradius/3.0/mods-available/mschap > > require_encryption = yes > > require_strong = yes > > winbind_username = "%{mschap:User-Name}" > > winbind_domain = "%{%{mschap:NT-Domain}:-NTDOMAINNAME}" > > winbind_retry_with_normalised_username = yes > > ``` > > > > - add to global section in samba conf > > > > ``` > > # /etc/samba/smb.conf > > ntlm auth = mschapv2-and-ntlmv2-only > > ``` > > > > - fix perms and restart > > > > ```bash > > usermod -a -G winbindd_priv freerad > > service freeradius restart > > service samba-ad-dc restart > > ``` > > > > ### 4.3 Configure LDAP (group information) > > > > - enable ldap > > > > ```bash > > cd /etc/freeradius/3.0/mods-enabled > > ln -s ../mods-available/ldap ldap > > chown -h freerad:freerad ldap > > ``` > > > > - modify module ldap to retrieve group information > > > > ``` > > # /etc/freeradius/3.0/mods-available/ldap > > server = '10.0.1.250' > > server = '10.0.1.251' > > identity = 'cn=dc01,cn=users,dc=ds,dc=example,dc=com' > > password = *** > > base_dn = 'cn=users,dc=ds,dc=example,dc=com' > > user: filter = "(|(samaccountname=%{%{Stripped-User-Name}:-%{User-Name}})(userprincipalname=%{User-Name}))" > > group: filter = "(objectClasse=group)" > > group: membership_filter = "(member:1.2.840.113556.1.4.1941:=%{control:Ldap-UserDn})" > > start_tls = yes > > ca_file = /etc/ssl/certs/ca-certificates.crt > > ``` > > > > ### 4.4 Configure EAP > > > > - add root.ca and services.ca to certificate store > > > > ```bash > > cp /home/dcadmin/root.ca.crt /usr/local/share/ca-certificates/ > > cp /home/dcadmin/service.ca.crt /usr/local/share/ca-certificates/ > > update-ca-certificates > > ``` > > > > - add radius cert and key > > > > ```bash > > cp /home/dcadmin/service.radius.key /etc/freeradius/3.0/certs/service.radius.key > > cp /home/dcadmin/service.radius.crt /etc/freeradius/3.0/certs/service.radius.crt > > > > chmod 640 /etc/freeradius/3.0/certs/service.radius.* > > chown freerad:freerad /etc/freeradius/3.0/certs/service.radius.* > > ``` > > > > - configure eap module to use peap per default > > > > ``` > > # /etc/freeradius/3.0/mods-available/eap > > default_eap_type = peap > > > > #private_key_password = whatever > > private_key_file = ${certdir}/service.radius.key > > certificate_file = ${certdir}/service.radius.crt > > > > tls_min_version = "1.2" > > > > cache: enable = yes > > cache: name = ?<somename>.radius" > > cache: persist_dir = "${logdir}/tlscache" > > > > peap: copy_request_to_tunnel = yes > > ``` > > > > ### 4.5 Configure Clients > > > > - add client for UniFi > > > > ``` > > # /etc/freeradius/3.0/clients.conf > > client unifi { > > ipaddr = 10.0.1.0/24 > > secret = *** > > } > > ``` > > > > ### 4.6 Configure Authorization > > > > - devices/user via EAP > > > > ``` > > # /etc/freeradius/3.0/sites-enabled/inner-tunnel > > post-auth { > > if (!(Ldap-Group == ?SOMEGROUP")) { > > reject > > } > > ``` > > > > ### 4.7 Finish > > > > ```bash > > service freeradius restart > > ``` > > > > > On Thursday, Apr 06, 2023 at 9:46 AM, Matthias K?hne | Ellerhold Aktiengesellschaft via samba <samba at lists.samba.org (mailto:samba at lists.samba.org)> wrote: > > > Hello Tim, Hello samba-people, > > > > > > is there an uptodate guide for authenticating via freeradius somewhere? > > > > > > I have some Ubiquiti APs plus a Cloud Key and I want to authenticate > > > WLAN clients via WPA2-Enterprise instead of a (shared) PSK. > > > > > > It seems like > > > https://wiki.samba.org/index.php/Authenticating_Freeradius_against_Active_Directory > > > is missing some steps (basic setup of freeradius). > > > > > > Can you write up some of your findings please? > > > > > > Thanks and happy holidays, > > > Matthias. > > > > > > Am 04.04.23 um 10:38 schrieb Tim ODriscoll via samba: > > > > Dear All, > > > > > > > > Well, this is very embarrassing.... > > > > > > > > It seems that running 'smbcontrol all reload-config' isn't sufficient for reloading the ntlm config parameters. > > > > > > > > I tried restarting the whole samba service on the DC my FR box was authenticating against (systemctl restart sernet-samba-ad) and my test laptop is now connected to the network on the correct VLAN. > > > > > > > > I apologise for wasting everyone's time - now I'll get back to cleaning up all the config files and making sure BYOD still works etc. > > > > > > > > Thank you, > > > > > > > > Tim > > > -- > > > Senior Webentwickler > > > Datenschutzbeauftragter > > > > > > Ellerhold Aktiengesellschaft > > > Friedrich-List-Str. 4 > > > 01445 Radebeul > > > > > > Telefon: +49 (0) 351 83933-61 > > > Web: www.ellerhold.de > > > Facebook: www.facebook.com/ellerhold.gruppe > > > Instagram: www.instagram.com/ellerhold.gruppe > > > Twitter: https://twitter.com/EllerholdGruppe > > > > > > Amtsgericht Dresden / HRB 23769 > > > Vorstand: Stephan Ellerhold, Maximilian Ellerhold > > > Vorsitzender des Aufsichtsrates: Frank Ellerhold > > > > > > > > > > > > ---Diese E-Mail und Ihre Anlagen enthalten vertrauliche Mitteilungen. Sollten Sie nicht der beabsichtigte Adressat sein, so bitten wir Sie um Mitteilung und um sofortiges l?schen dieser E-Mail und der Anlagen. > > > > > > Unsere Hinweise zum Datenschutz finden Sie hier: http://www.ellerhold.de/datenschutz/ > > > > > > This e-mail and its attachments are privileged and confidential. If you are not the intended recipient, please notify us and immediately delete this e-mail and its attachments. > > > > > > You can find our privacy policy here: http://www.ellerhold.de/datenschutz/ > > > > > > > > > -- > > > To unsubscribe from this list go to the following URL and read the > > > instructions: https://lists.samba.org/mailman/options/samba > > -- > Senior Webentwickler > Datenschutzbeauftragter > > Ellerhold Aktiengesellschaft > Friedrich-List-Str. 4 > 01445 Radebeul > > Telefon: +49 (0) 351 83933-61 > Web: www.ellerhold.de > Facebook: www.facebook.com/ellerhold.gruppe > Instagram: www.instagram.com/ellerhold.gruppe > Twitter: https://twitter.com/EllerholdGruppe > > Amtsgericht Dresden / HRB 23769 > Vorstand: Stephan Ellerhold, Maximilian Ellerhold > Vorsitzender des Aufsichtsrates: Frank Ellerhold > > > > ---Diese E-Mail und Ihre Anlagen enthalten vertrauliche Mitteilungen. Sollten Sie nicht der beabsichtigte Adressat sein, so bitten wir Sie um Mitteilung und um sofortiges l?schen dieser E-Mail und der Anlagen. > > Unsere Hinweise zum Datenschutz finden Sie hier: http://www.ellerhold.de/datenschutz/ > > This e-mail and its attachments are privileged and confidential. If you are not the intended recipient, please notify us and immediately delete this e-mail and its attachments. > > You can find our privacy policy here: http://www.ellerhold.de/datenschutz/ > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba