Freeradius Active Directory Integration

From Alpine Linux

This document explains how to use Freeradius 2 with Microsoft Active Directory as an authentication server.

At the time of writing this document, the software used was:

  • Microsoft Windows Server 2003 R2 SP2
  • Alpine 2.0.2
  • freeradius-2.1.10-r7
  • freeradius-postgresql-2.1.10-r7


Join the domain

Install samba, and kerberos

# apk add samba winbind heimdal

Edit /etc/samba/smb.conf. Replace tags "<...>" with appropriate values for your environment:

[global]
workgroup = <MYWORKGROUP>
#change the netbios name as desired
netbios name = RADIUS
realm = <MYREALM>
server string = 
security = ads
encrypt passwords = yes
password server = <DCNAME>.<MYDOMAIN>
log file = /var/log/samba/%m.log
max log size = 0
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
preferred master = False
local master = No
domain master = False
dns proxy = No
# use uids from 10000 to 20000 for domain users
idmap uid = 10000-20000
# use gids from 10000 to 20000 for domain groups
idmap gid = 10000-20000
# allow enumeration of winbind users and groups
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
# If you don't use SMB signing 
# change the following setting to "no"
client use spnego = yes

Edit /etc/krb5.conf. Replace tags "<...>" with values appropriate to your environment. Make sure you retain upper/lower case when replacing tags:

[libdefaults]
default_realm = <MYREALM>
[realms]
<MYREALM> = {
kdc = <DCNAME>.<MYDOMAIN>
default_domain = <MYDOMAIN>
}
[domain_realm]
.<mydomain> = .<MYREALM>
<mydomain> = <MYREALM>

Change /etc/conf.d/samba in:

daemon_list="winbindd"

Set autostart:

# rc-update add samba default

Join domain:

# net ads join -S <DCNAME>.<MYDOMAIN> -U Administrator

You should get a message that you have joined the domain.

Start winbind:

# rc-service samba start

Check that AD integration works:

# wbinfo -u

You should get the list of all your domain users.

Configure Freeradius

Install freeradius-postgres

# apk add freeradius-postgres

Edit /etc/raddb/sql.conf to match the settings of your postgresql server:

server = "<fqdn>"
login = "<username>"
password = "<password>"

PostgreSQL can be configured using the scripts found in /etc/raddb/sql/postgres/*.sql.

In addition to the scripts above, you should run the following statements against the radius database (replace "<user>" with user of radius DB):

GRANT USAGE ON SEQUENCE radpostauth_id_seq TO <user>;
GRANT USAGE ON SEQUENCE radacct_radacctid_seq TO <user>;

Create/Edit /etc/raddb/modules/ntlm_auth. Replace "MYDOMAIN" with your domain name:

exec ntlm_auth {
               wait = yes
               program = "/usr/bin/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
}

You have to list ntlm_auth in the authenticate sections of each of the raddb/sites-enabled/default file, and of the raddb/sites-enabled/inner-tunnel file:

authenticate {
       ...
       ntlm_auth
       ...
}

Add the following text to the top of the users file:

DEFAULT     Auth-Type = ntlm_auth

Find the mschap module in /etc/raddb/modules/mschap file, and look for the line containing ntlm_auth = . It is commented out by default. It should be uncommented and edited as follows (replace "MYDOMAIN" with your domain name):

ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-MYDOMAIN} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"

Configure your clients by editing /etc/raddb/clients.conf.

Start radius in debug mode in order to check that everything works:

# radiusd -X

If everything is ok, press Ctrl^C and set it for autostart:

# rc-update add freeradius default
# rc-service freeradius start

Accounting into SQL is not enabled by default. In /etc/raddb/sites-enabled/default remove the comment from "sql" under section accounting:

accounting {
...
sql
...
}