
Unifying Authentication with freeRADIUS - Part I

Wednesday, March 4, 2009 by Dereck Martin
How does one unify authentication for various technologies across a mixed operating system environment and deploy it transparently to users? 

Well, I have decided to use freeRADIUS as the entry point for our roaming wireless and VPN authentication.  freeRADIUS then passes the credentials on to Active Directory for authentication.  In this part, I will be focusing on getting the box authenticating against Active Directory and on the installation of freeRADIUS.

In order for this to work, a Linux box needs to be set up with samba and winbind so that it works nicely with Active Directory.  If you are experienced with this setup, it can be done in as little as 30 minutes.

I have a basic configuration file for samba that should work with a Windows 2003 Active Directory domain for nearly anyone.

[global]
security = ads
netbios name = server01
server string = server01
workgroup = DOMAIN
realm = DOMAIN.COM
# ip of active directory server
password server = x.x.x.x

idmap uid = 10000-29999
idmap gid = 10000-29999

winbind separator = +
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
# You will need to create /home/DOMAIN if you plan to allow
# users to log in, and set up the pam.d stuff
template homedir = /home/%D/%U
template shell = /bin/bash
client use spnego = yes
domain master = no
# ip of wins server
wins server = x.x.x.x
encrypt passwords = yes
server signing = auto
name resolve order = wins host bcast

The krb5.conf file needs to be edited as well.

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = DOMAIN.COM
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes

[realms]
DOMAIN.COM = {
kdc = x.x.x.x:88
}

[domain_realm]
.dnsdomain.DOMAIN.COM = DOMAIN.COM
DOMAIN.COM = DOMAIN.COM

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}

You will also need to set up /etc/nsswitch.conf.

passwd: files winbind
shadow: files winbind
group: files winbind
protocols: files winbind
services: files winbind
netgroup: files winbind
automount: files winbind

After these three files are set up and tuned to your environment, start the samba service with /etc/init.d/smb start.

HINT: make sure the clock is synced to within 5 minutes of the Active Directory server, or things tend to break.

The only thing left to do is join the box to the domain.  The command below should be sufficient to do this.  You will need to make sure this machine has a static IP address, and it should have an A record and a PTR record in DNS for the hostname of the box.  If not, Active Directory may complain about it with a cryptic error message.

#~> net join -U Administrator

Once that is complete and there are no errors, start winbind.  On some Linux distributions (like Gentoo) the winbind init script is a part of the samba init script.

#~> /etc/init.d/winbind start

You should then be able to run wbinfo and get something like the output below:

#~> wbinfo -a username%password
plaintext password authentication succeeded
challenge/response password authentication succeeded


After this is working, it's time to install freeRADIUS.  I would heavily recommend installing from your distribution's package management system.  This is a common application, and should be available for the big distributions.

One more thing needs to be done for freeRADIUS to work nicely with winbind: give the radiusd user access to the winbindd_privileged directory.  If this is not done, RADIUS will not work correctly.

#~> cd /var/cache/samba/
#~> setfacl -m u:radiusd:rx winbindd_privileged


Note: on some distributions, "acl" needs to be added to the mount options in /etc/fstab, and ACL support for the file system type needs to be included in the kernel configuration.  On systems like CentOS and OpenSuSE this shouldn't be a problem.
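The post calls out three things that fail with cryptic errors: clock skew over 5 minutes, a host without matching A and PTR records, and radiusd lacking rights on winbindd_privileged. The script below is an added example (not from the original post) that checks all three before you run the join; it assumes GNU date, Samba's "net time", an AD_SERVER variable holding the password server from smb.conf, and the /var/cache/samba/winbindd_privileged path used above.

```shell
#!/bin/sh
# Pre-join checks for the three things the post says break with cryptic
# errors: clock skew over 5 minutes, a host without matching A/PTR records,
# and radiusd unable to traverse winbindd_privileged. Constructed example,
# not from the original post; it assumes GNU date, Samba's "net time", and the
# pipe directory /var/cache/samba/winbindd_privileged used in the post.

MAX_SKEW=300   # Kerberos rejects requests beyond 5 minutes of skew by default

# skew_ok LOCAL_EPOCH KDC_EPOCH: succeeds if the clocks differ by <= MAX_SKEW s
skew_ok() {
    delta=$(( $1 - $2 ))
    [ "$delta" -lt 0 ] && delta=$(( -delta ))
    [ "$delta" -le "$MAX_SKEW" ]
}

# dns_consistent FQDN IP PTR_NAME: succeeds if the reverse record of the host's
# address points back at the same name (case and trailing dot ignored)
dns_consistent() {
    want=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    got=$(printf '%s' "$3" | sed 's/\.$//' | tr 'A-Z' 'a-z')
    [ -n "$2" ] && [ -n "$got" ] && [ "$want" = "$got" ]
}

# acl_grants_rx GETFACL_OUTPUT USER: succeeds if a named-user entry for USER
# carries both r and x, which is what "setfacl -m u:USER:rx" produces
acl_grants_rx() {
    printf '%s\n' "$1" | grep -q "^user:$2:r[w-]x\$"
}

# Gather live values and report. AD_SERVER is the password server from smb.conf.
main() {
    local_t=$(date +%s)
    remote_t=$(date -d "$(net time -S "${AD_SERVER:?set AD_SERVER}")" +%s)
    skew_ok "$local_t" "$remote_t" && echo "time: ok" \
        || echo "time: skew over ${MAX_SKEW}s, fix NTP before joining"

    fqdn=$(hostname -f)
    ip=$(getent hosts "$fqdn" | awk '{print $1; exit}')
    ptr=$(getent hosts "$ip" | awk '{print $2; exit}')   # reverse lookup via nsswitch
    dns_consistent "$fqdn" "$ip" "$ptr" && echo "dns: ok" \
        || echo "dns: A/PTR records for $fqdn do not match"

    acl=$(getfacl -p /var/cache/samba/winbindd_privileged 2>/dev/null)
    acl_grants_rx "$acl" radiusd && echo "acl: ok" \
        || echo "acl: radiusd cannot reach the winbind privileged pipe"
}
# Run the live checks only when asked, so the functions can also be sourced
if [ "${PREFLIGHT_RUN:-0}" = 1 ]; then main; fi
```

Run it as root with PREFLIGHT_RUN=1 AD_SERVER=x.x.x.x before the net join; each line that does not say "ok" points at the fix the post describes.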

In the next part, coming soon, I will discuss how to configure RADIUS for EAP/PEAP authentication for wireless networks.


© 2009 Compendium Blogware
All Rights Reserved