Matthias Kühne | Ellerhold Aktiengesellschaft
2023-Apr-12 11:27 UTC
[Samba] Fwd: ntlm_auth and freeradius
Hi Alexander,

I'm terribly sorry. We didn't have the "ntlm auth" parameter configured on the DCs at all. I added it and it just works.

Thanks for your help.

Now I just need to figure out how I can make WLAN-specific LDAP group authentication.

E.g. production WLAN needs LDAP group "wlan_production" and management WLAN needs the "wlan_management" group.

I guess post_auth may be the correct place for that.

You've helped tremendously, thanks again!

On 12.04.23 at 13:20, Alexander Harm || ApfelQ wrote:
> Hi Matthias,
>
> we're using Debian Bullseye with the backports repo. So version is a mixture of
>
> - Samba version 4.17.3-Debian
> - Samba version 4.17.7-Debian
>
> We've installed it directly on the DCs as well.
>
> In my opinion using "ntlm auth = yes" should be fine.
>
> Did you try using a simple RADIUS secret? In my experience long secrets or ones containing special characters don't work very well. I would use alphanumerical only and no longer than 16 chars.
>
> We successfully use it to authenticate UniFi clients and IKEv2 roadwarriors (using OPNsense).
>
> I believe you set
>
> lanman auth = yes
>
> as well, right?
>
> Does Samba give you anything in the logs? That way you might be able to narrow it down?
>
> Alexander
>
> On Wednesday, Apr 12, 2023 at 12:21 PM, Matthias Kühne | Ellerhold Aktiengesellschaft via samba <samba at lists.samba.org> wrote:
> Hello Alexander,
>
> thanks Alexander for these configuration snippets.
>
> Which version of Samba are you using? Is this on Debian Bullseye? Is the FreeRADIUS server installed on a DC or on a Domain Member? (I just tested the latter).
>
> Is "ntlm auth = yes" OK for the DCs and the domain member or does it have to be "mschapv2-and-ntlmv2-only" for all servers (DCs + Member)? It looks like "yes" is broader and it should work? Sadly we need "yes" for other applications...
>
> I'm sad to say that I can't get it to work. Neither "radtest" nor my Ubiquiti APs...
>
> I always get
>
> (3) mschap: ERROR: When trying to update a password, this return status indicates that the value provided as the current password is not correct. [0xC000006A]
> (3) mschap: ERROR: MS-CHAP2-Response is incorrect
>
> Similar error while using "ntlm_auth" instead of the direct winbind connections.
>
> Using ntlm_auth with --username and --password works. Using ntlm_auth with --challenge results in the same error message above.
>
> Any help would be much appreciated, otherwise we're going to switch to SQL or file based auth (with cleartext password *shudder*).
>
> Thanks and have a nice day,
> Matthias.
>
> On 06.04.23 at 09:56, Alexander Harm || ApfelQ via samba wrote:
>> I can share my notes, we authenticate UniFi clients via Freeradius against Samba AD. We also check group membership which you might or might not need:
>>
>> ## 4 FreeRADIUS
>>
>> ### 4.1 Basics
>>
>> ```bash
>> apt install freeradius freeradius-ldap freeradius-utils
>>
>> # create new DH-params
>> openssl dhparam -out /etc/freeradius/3.0/certs/dh 2048
>> ```
>>
>> ### 4.2 Configure Authentication
>>
>> - modify mschap to use winbind, uncomment the following lines
>>
>> ```
>> # /etc/freeradius/3.0/mods-available/mschap
>> require_encryption = yes
>> require_strong = yes
>> winbind_username = "%{mschap:User-Name}"
>> winbind_domain = "%{%{mschap:NT-Domain}:-NTDOMAINNAME}"
>> winbind_retry_with_normalised_username = yes
>> ```
>>
>> - add to global section in samba conf
>>
>> ```
>> # /etc/samba/smb.conf
>> ntlm auth = mschapv2-and-ntlmv2-only
>> ```
>>
>> - fix perms and restart
>>
>> ```bash
>> usermod -a -G winbindd_priv freerad
>> service freeradius restart
>> service samba-ad-dc restart
>> ```
>>
>> ### 4.3 Configure LDAP (group information)
>>
>> - enable ldap
>>
>> ```bash
>> cd /etc/freeradius/3.0/mods-enabled
>> ln -s ../mods-available/ldap ldap
>> chown -h freerad:freerad ldap
>> ```
>>
>> - modify module ldap to retrieve group information
>>
>> ```
>> # /etc/freeradius/3.0/mods-available/ldap
>> server = '10.0.1.250'
>> server = '10.0.1.251'
>> identity = 'cn=dc01,cn=users,dc=ds,dc=example,dc=com'
>> password = ***
>> base_dn = 'cn=users,dc=ds,dc=example,dc=com'
>> user: filter = "(|(samaccountname=%{%{Stripped-User-Name}:-%{User-Name}})(userprincipalname=%{User-Name}))"
>> group: filter = "(objectClass=group)"
>> group: membership_filter = "(member:1.2.840.113556.1.4.1941:=%{control:Ldap-UserDn})"
>> start_tls = yes
>> ca_file = /etc/ssl/certs/ca-certificates.crt
>> ```
>>
>> ### 4.4 Configure EAP
>>
>> - add root.ca and services.ca to certificate store
>>
>> ```bash
>> cp /home/dcadmin/root.ca.crt /usr/local/share/ca-certificates/
>> cp /home/dcadmin/service.ca.crt /usr/local/share/ca-certificates/
>> update-ca-certificates
>> ```
>>
>> - add radius cert and key
>>
>> ```bash
>> cp /home/dcadmin/service.radius.key /etc/freeradius/3.0/certs/service.radius.key
>> cp /home/dcadmin/service.radius.crt /etc/freeradius/3.0/certs/service.radius.crt
>>
>> chmod 640 /etc/freeradius/3.0/certs/service.radius.*
>> chown freerad:freerad /etc/freeradius/3.0/certs/service.radius.*
>> ```
>>
>> - configure eap module to use peap per default
>>
>> ```
>> # /etc/freeradius/3.0/mods-available/eap
>> default_eap_type = peap
>>
>> #private_key_password = whatever
>> private_key_file = ${certdir}/service.radius.key
>> certificate_file = ${certdir}/service.radius.crt
>>
>> tls_min_version = "1.2"
>>
>> cache: enable = yes
>> cache: name = "<somename>.radius"
>> cache: persist_dir = "${logdir}/tlscache"
>>
>> peap: copy_request_to_tunnel = yes
>> ```
>>
>> ### 4.5 Configure Clients
>>
>> - add client for UniFi
>>
>> ```
>> # /etc/freeradius/3.0/clients.conf
>> client unifi {
>>     ipaddr = 10.0.1.0/24
>>     secret = ***
>> }
>> ```
>>
>> ### 4.6 Configure Authorization
>>
>> - devices/user via EAP
>>
>> ```
>> # /etc/freeradius/3.0/sites-enabled/inner-tunnel
>> post-auth {
>>     if (!(Ldap-Group == "SOMEGROUP")) {
>>         reject
>>     }
>> }
>> ```
>>
>> ### 4.7 Finish
>>
>> ```bash
>> service freeradius restart
>> ```
>>
>>> On Thursday, Apr 06, 2023 at 9:46 AM, Matthias Kühne | Ellerhold Aktiengesellschaft via samba <samba at lists.samba.org (mailto:samba at lists.samba.org)> wrote:
>>> Hello Tim, Hello samba-people,
>>>
>>> is there an up-to-date guide for authenticating via freeradius somewhere?
>>>
>>> I have some Ubiquiti APs plus a Cloud Key and I want to authenticate WLAN clients via WPA2-Enterprise instead of a (shared) PSK.
>>>
>>> It seems like https://wiki.samba.org/index.php/Authenticating_Freeradius_against_Active_Directory is missing some steps (basic setup of freeradius).
>>>
>>> Can you write up some of your findings please?
>>>
>>> Thanks and happy holidays,
>>> Matthias.
>>>
>>> On 04.04.23 at 10:38, Tim ODriscoll via samba wrote:
>>>> Dear All,
>>>>
>>>> Well, this is very embarrassing....
>>>>
>>>> It seems that running 'smbcontrol all reload-config' isn't sufficient for reloading the ntlm config parameters.
>>>>
>>>> I tried restarting the whole samba service on the DC my FR box was authenticating against (systemctl restart sernet-samba-ad) and my test laptop is now connected to the network on the correct VLAN.
>>>>
>>>> I apologise for wasting everyone's time - now I'll get back to cleaning up all the config files and making sure BYOD still works etc.
>>>>
>>>> Thank you,
>>>>
>>>> Tim
>>> --
>>> Senior Web Developer
>>> Data Protection Officer
>>>
>>> Ellerhold Aktiengesellschaft
>>> Friedrich-List-Str. 4
>>> 01445 Radebeul
>>>
>>> Phone: +49 (0) 351 83933-61
>>> Web: www.ellerhold.de
>>> Facebook: www.facebook.com/ellerhold.gruppe
>>> Instagram: www.instagram.com/ellerhold.gruppe
>>> Twitter: https://twitter.com/EllerholdGruppe
>>>
>>> Local court Dresden / HRB 23769
>>> Management board: Stephan Ellerhold, Maximilian Ellerhold
>>> Chairman of the supervisory board: Frank Ellerhold
>>>
>>> This e-mail and its attachments are privileged and confidential. If you are not the intended recipient, please notify us and immediately delete this e-mail and its attachments.
>>>
>>> You can find our privacy policy here: http://www.ellerhold.de/datenschutz/
>>>
>>> --
>>> To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
On 12-04-2023 13:27, Matthias Kühne | Ellerhold Aktiengesellschaft via samba wrote:
> Hi Alexander,
>
> I'm terribly sorry. We didn't have the "ntlm auth" parameter configured on the DCs at all. I added it and it just works.

It is better to set it to:

ntlm auth = mschapv2-and-ntlmv2-only

> Thanks for your help.
>
> Now I just need to figure out how I can make WLAN-specific LDAP group authentication.
>
> E.g. production WLAN needs LDAP group "wlan_production" and management WLAN needs the "wlan_management" group.
>
> I guess post_auth may be the correct place for that.
>
> You've helped tremendously, thanks again!
Hi,

in my notes I do exactly that, no? The only thing you have to add is the distinction between the two WLANs and yes, it is done in post-auth.

Alexander

> On Wednesday, Apr 12, 2023 at 1:27 PM, Matthias Kühne | Ellerhold Aktiengesellschaft via samba <samba at lists.samba.org (mailto:samba at lists.samba.org)> wrote:
> Hi Alexander,
>
> I'm terribly sorry. We didn't have the "ntlm auth" parameter configured on the DCs at all. I added it and it just works.
>
> Thanks for your help.
>
> Now I just need to figure out how I can make WLAN-specific LDAP group authentication.
>
> E.g. production WLAN needs LDAP group "wlan_production" and management WLAN needs the "wlan_management" group.
>
> I guess post_auth may be the correct place for that.
>
> You've helped tremendously, thanks again!
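Added example (editor's, not from the thread and not from Alexander's notes): one way to write the per-WLAN group check Matthias asks about and Alexander says belongs in post-auth, as an unlang fragment for the inner-tunnel post-auth section that section 4.6 of the notes already uses. It assumes the APs send Called-Station-Id as "<AP-MAC>:<SSID>" (common for UniFi APs, but confirm it in the `freeradius -X` output before relying on it), that the ldap module is configured as in section 4.3 so the Ldap-Group comparison resolves nested membership, and that the two SSIDs are literally named "production" and "management"; the group names wlan_production and wlan_management are the ones from Matthias's mail.

```unlang
# /etc/freeradius/3.0/sites-enabled/inner-tunnel
# Added example, not part of the notes quoted above.
post-auth {
    # Assumption: the AP sends Called-Station-Id as "<AP-MAC>:<SSID>".
    # With peap { copy_request_to_tunnel = yes } the outer attributes are
    # copied into the inner request; the outer.request list works even
    # without that. Everything after the first colon is the SSID, because
    # an SSID may itself contain colons.
    if ("%{outer.request:Called-Station-Id}" =~ /^[^:]+:(.+)$/) {
        update request {
            &Tmp-String-0 := "%{1}"
        }
    }
    else {
        # No SSID to decide on: fail closed instead of falling through.
        reject
    }

    # One AD group per SSID. Ldap-Group is resolved by the ldap module
    # (section 4.3); its membership_filter with the
    # 1.2.840.113556.1.4.1941 matching rule also covers nested groups.
    switch &Tmp-String-0 {
        case "production" {
            if (!(Ldap-Group == "wlan_production")) {
                reject
            }
        }
        case "management" {
            if (!(Ldap-Group == "wlan_management")) {
                reject
            }
        }
        case {
            # Unknown SSID: nobody is authorised for it.
            reject
        }
    }

    # Keep the rest of the stock inner-tunnel post-auth section
    # (Post-Auth-Type REJECT etc.) after this block.
}
```

Two checks worth doing before going live: run `freeradius -X`, authenticate once on each SSID and confirm that the tunneled request really carries the Called-Station-Id you expect and that the `Ldap-Group` comparison is logged as a successful LDAP lookup rather than a "no such attribute" fallthrough; and test a user who is in wlan_production but not wlan_management against the management SSID, which must be rejected.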