Freeradius Active Directory Integration
Latest revision as of 10:26, 17 November 2023
This document explains how to use Freeradius 2 with Microsoft Active Directory as an authentication server.
At the time of writing this document, the software used was:
- Microsoft Windows Server 2003 R2 SP2
- Alpine 2.0.2
- freeradius-2.1.10-r7
- freeradius-postgresql-2.1.10-r7
Join the domain
Install Samba and Kerberos:
# apk add samba winbind heimdal
Edit /etc/samba/smb.conf. Replace tags "<...>" with appropriate values for your environment:
[global]
    workgroup = <MYWORKGROUP>
    # change the netbios name as desired
    netbios name = RADIUS
    realm = <MYREALM>
    server string =
    security = ads
    encrypt passwords = yes
    password server = <DCNAME>.<MYDOMAIN>
    log file = /var/log/samba/%m.log
    max log size = 0
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    preferred master = False
    local master = No
    domain master = False
    dns proxy = No
    # use uids from 10000 to 20000 for domain users
    idmap uid = 10000-20000
    # use gids from 10000 to 20000 for domain groups
    idmap gid = 10000-20000
    # allow enumeration of winbind users and groups
    winbind enum users = yes
    winbind enum groups = yes
    winbind use default domain = yes
    # If you don't use SMB signing
    # change the following setting to "no"
    client use spnego = yes
Edit /etc/krb5.conf. Replace tags "<...>" with values appropriate to your environment. Make sure you retain upper/lower case when replacing tags:
[libdefaults]
    default_realm = <MYREALM>

[realms]
    <MYREALM> = {
        kdc = <DCNAME>.<MYDOMAIN>
        default_domain = <MYDOMAIN>
    }

[domain_realm]
    .<mydomain> = <MYREALM>
    <mydomain> = <MYREALM>
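Before starting winbind it is worth checking that the two files above really match this guide. The following Python script is an added example and is not part of the Alpine wiki page: it parses the [global] section of smb.conf, flags any "<...>" tag that was never replaced, checks the settings this guide relies on and the idmap ranges, and checks that default_realm in krb5.conf is uppercase. The smb.conf content is a constructed sample.

```python
import re

# Values this guide requires in smb.conf's [global] section.
REQUIRED_SMB = {"security": "ads", "encrypt passwords": "yes",
                "winbind use default domain": "yes"}
PLACEHOLDER = re.compile(r"<[^<>]+>")  # unreplaced "<...>" tag from the guide
# Constructed sample smb.conf: the placeholder on line 5 was never replaced.
SAMPLE_SMB = """[global]
workgroup = EXAMPLE
security = ads
encrypt passwords = yes
password server = <DCNAME>.<MYDOMAIN>
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind use default domain = yes
"""

def parse_smb_global(text):
    """Return smb.conf's [global] settings as {key: value}, comments stripped."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif "=" in line and section == "global":
            key, value = (s.strip() for s in line.split("=", 1))
            conf[key.lower()] = value
    return conf

def check_smb_conf(text):
    """List deviations from the guide; an empty list means the file is ready."""
    findings = [f"line {n}: placeholder tag still present"
                for n, raw in enumerate(text.splitlines(), 1)
                if PLACEHOLDER.search(raw.split("#", 1)[0])]
    conf = parse_smb_global(text)
    for key, want in REQUIRED_SMB.items():
        if conf.get(key, "").lower() != want:
            findings.append(f"{key} should be '{want}', found {conf.get(key)!r}")
    for key in ("idmap uid", "idmap gid"):  # a sane range above local ids
        m = re.fullmatch(r"(\d+)-(\d+)", conf.get(key, ""))
        if not m or not 1000 <= int(m[1]) < int(m[2]):
            findings.append(f"{key} must be a range like 10000-20000")
    return findings

def check_krb5_realm(text):
    """Flag a default_realm that is not uppercase; realm names are case-sensitive."""
    m = re.search(r"^\s*default_realm\s*=\s*(\S+)", text, re.M)
    if not m:
        return ["default_realm missing from [libdefaults]"]
    return [] if m[1] == m[1].upper() else [f"default_realm {m[1]!r} must be uppercase"]
```

Run check_smb_conf(open("/etc/samba/smb.conf").read()) and check_krb5_realm(open("/etc/krb5.conf").read()) on the box; both return an empty list when the files follow the guide.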
In /etc/conf.d/samba, set:
daemon_list="winbindd"
Set autostart:
# rc-update add samba default
Join domain:
# net ads join -S <DCNAME>.<MYDOMAIN> -U Administrator
You should get a message that you have joined the domain.
Start winbind:
# rc-service samba start
Check that AD integration works:
# wbinfo -u
You should get the list of all your domain users.
Configure Freeradius
Install freeradius-postgres
# apk add freeradius-postgres
Edit /etc/raddb/sql.conf to match the settings of your postgresql server:
    server = "<fqdn>"
    login = "<username>"
    password = "<password>"
PostgreSQL can be configured using the scripts found in /etc/raddb/sql/postgres/*.sql.
In addition to the scripts above, you should run the following statements against the radius database (replace "<user>" with the radius database user):
GRANT USAGE ON SEQUENCE radpostauth_id_seq TO <user>;
GRANT USAGE ON SEQUENCE radacct_radacctid_seq TO <user>;
Create/Edit /etc/raddb/modules/ntlm_auth. Replace "MYDOMAIN" with your domain name:
exec ntlm_auth {
    wait = yes
    program = "/usr/bin/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
}
List ntlm_auth in the authenticate section of both raddb/sites-enabled/default and raddb/sites-enabled/inner-tunnel:
authenticate {
    ...
    ntlm_auth
    ...
}
Add the following text to the top of the users file:
DEFAULT Auth-Type = ntlm_auth
Find the mschap module in /etc/raddb/modules/mschap and look for the line containing ntlm_auth = . It is commented out by default. Uncomment it and edit it as follows (replace "MYDOMAIN" with your domain name):
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-MYDOMAIN} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
Configure your clients by editing /etc/raddb/clients.conf.
Start radius in debug mode in order to check that everything works:
# radiusd -X
If everything is OK, press Ctrl+C and set it to autostart:
# rc-update add freeradius default
# rc-service freeradius start
Accounting into SQL is not enabled by default. In /etc/raddb/sites-enabled/default, uncomment "sql" in the accounting section:
accounting {
    ...
    sql
    ...
}