Freeradius Active Directory Integration

From Alpine Linux
Latest revision as of 10:26, 17 November 2023

This document explains how to use Freeradius 2 with Microsoft Active Directory as an authentication server.

At the time of writing this document, the software used was:

  • Microsoft Windows Server 2003 R2 SP2
  • Alpine 2.0.2
  • freeradius-2.1.10-r7
  • freeradius-postgresql-2.1.10-r7


Join the domain

Install samba, and kerberos

# apk add samba winbind heimdal

Edit /etc/samba/smb.conf. Replace tags "<...>" with appropriate values for your environment:

[global]
workgroup = <MYWORKGROUP>
#change the netbios name as desired
netbios name = RADIUS
realm = <MYREALM>
server string = 
security = ads
encrypt passwords = yes
password server = <DCNAME>.<MYDOMAIN>
log file = /var/log/samba/%m.log
max log size = 0
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
preferred master = False
local master = No
domain master = False
dns proxy = No
# use uids from 10000 to 20000 for domain users
idmap uid = 10000-20000
# use gids from 10000 to 20000 for domain groups
idmap gid = 10000-20000
# allow enumeration of winbind users and groups
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
# If you don't use SMB signing 
# change the following setting to "no"
client use spnego = yes

Edit /etc/krb5.conf. Replace tags "<...>" with values appropriate to your environment. Make sure you retain upper/lower case when replacing tags:

[libdefaults]
default_realm = <MYREALM>
[realms]
<MYREALM> = {
kdc = <DCNAME>.<MYDOMAIN>
default_domain = <MYDOMAIN>
}
[domain_realm]
.<mydomain> = <MYREALM>
<mydomain> = <MYREALM>
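As an added check (not part of the wiki page), the following Python parses smb.conf and krb5.conf fragments and verifies the case and consistency rules above: the realm is upper case and identical in both files, the kdc matches the password server, and every [domain_realm] entry uses a lower-case DNS name mapped to the realm itself. The sample fragments and host names are constructed placeholders.

```python
import re
# Constructed sample fragments with placeholder values (not real hosts).
SMB_CONF = """[global]
realm = EXAMPLE.COM
password server = dc1.example.com
"""
KRB5_CONF = """[libdefaults]
default_realm = EXAMPLE.COM
[realms]
EXAMPLE.COM = {
kdc = dc1.example.com
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
"""

def parse_conf(text):
    """Flat 'key = value' parser for both files -> {section: [(key, value)]};
    a 'NAME = {' line becomes (NAME, '') and its block body is flattened."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "}":
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            current = m.group(1)
            continue
        key, _, value = line.partition("=")
        sections.setdefault(current, []).append(
            (key.strip(), value.strip().rstrip("{").strip()))
    return sections

def check_ad_config(smb_text, krb5_text):
    """Return the mismatches found; an empty list means the fragments agree."""
    smb = dict(parse_conf(smb_text).get("global", []))
    krb = parse_conf(krb5_text)
    realm = dict(krb.get("libdefaults", [])).get("default_realm", "")
    realms = dict(krb.get("realms", []))
    checks = [
        (not realm or realm != realm.upper(), "default_realm must be upper case"),
        (smb.get("realm") != realm, "smb.conf realm differs from krb5.conf default_realm"),
        (realm not in realms, "krb5.conf has no [realms] block for default_realm"),
        (realms.get("kdc") != smb.get("password server"), "kdc and password server differ"),
    ]
    # [domain_realm] keys are lower-case DNS names mapped to the realm itself (no leading dot).
    checks += [(d != d.lower() or r != realm, f"bad domain_realm entry {d!r} -> {r!r}")
               for d, r in krb.get("domain_realm", [])]
    return [msg for bad, msg in checks if bad]
```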

In /etc/conf.d/samba, set:

daemon_list="winbindd"

Set autostart:

# rc-update add samba default

Join domain:

# net ads join -S <DCNAME>.<MYDOMAIN> -U Administrator

You should get a message that you have joined the domain.

Start winbind:

# rc-service samba start

Check that AD integration works:

# wbinfo -u

You should get the list of all your domain users.

Configure Freeradius

Install freeradius-postgres

# apk add freeradius-postgres

Edit /etc/raddb/sql.conf to match the settings of your postgresql server:

server = "<fqdn>"
login = "<username>"
password = "<password>"

PostgreSQL can be configured using the scripts found in /etc/raddb/sql/postgres/*.sql.

In addition to the scripts above, you should run the following statements against the radius database (replace "<user>" with the user of the radius database):

GRANT USAGE ON SEQUENCE radpostauth_id_seq TO <user>;
GRANT USAGE ON SEQUENCE radacct_radacctid_seq TO <user>;

Create/Edit /etc/raddb/modules/ntlm_auth. Replace "MYDOMAIN" with your domain name:

exec ntlm_auth {
               wait = yes
               program = "/usr/bin/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
}

You have to list ntlm_auth in the authenticate section of both /etc/raddb/sites-enabled/default and /etc/raddb/sites-enabled/inner-tunnel:

authenticate {
       ...
       ntlm_auth
       ...
}

Add the following text to the top of the users file:

DEFAULT     Auth-Type = ntlm_auth

Open the mschap module file /etc/raddb/modules/mschap and look for the line containing ntlm_auth = . It is commented out by default. It should be uncommented and edited as follows (replace "MYDOMAIN" with your domain name):

ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-MYDOMAIN} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"

Configure your clients by editing /etc/raddb/clients.conf.

Start radius in debug mode in order to check that everything works:

# radiusd -X

If everything is ok, press Ctrl+C and set it for autostart:

# rc-update add freeradius default
# rc-service freeradius start

Accounting into SQL is not enabled by default. In /etc/raddb/sites-enabled/default, uncomment "sql" in the accounting section:

accounting {
...
sql
...
}