Freeradius 3 - Multiple sub-domains - NTLM/SAMBA


Freeradius 3 - Multiple sub-domains - NTLM/SAMBA

Gregorio Luján Carboneras
Hello.

Could you please give me any advice regarding how to configure freeradius 3 (PEAP-MSCHAP2) to work with multiple sub-domains via NTLM/SAMBA?

I need to authenticate users from multiple sub-domains in “User Principal Name (UPN)” format:

-Example:

[hidden email]
[hidden email]
[hidden email]


I have joined the freeradius to the active directory.

When I request the user information via the “wbinfo” command, I don't obtain the domain information (only usernames). And only users from the principal domain (domain.com) appear.

-Example:

Freeradius# wbinfo -u | grep user
user1


Actually I don't really understand how the authentication between the freeradius and the AD is performed (via NTLM, SAMBA, Kerberos ... ???)
Could someone please provide me with a link to documentation so I can understand it?



Thank you very much

In general, “ANADAT TECHNOLOGY, S. L.” guarantees that the measures needed to ensure the confidential processing of personal data are adopted, and offers you the possibility of exercising your rights of access, rectification, erasure, objection, portability, restriction and individualised decision-making regarding the processing of your personal data, under the terms and conditions set out in the General Data Protection Regulation (GDPR), via the e-mail address [hidden email].

Any confidential information this message may contain is intended to be read only by the addressee. No one else may read, use, publish or reproduce the content of this message, in whole or in part. If you have received this message in error, please notify the sender as soon as possible.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Freeradius 3 - Multiple sub-domains - NTLM/SAMBA

Alan DeKok-2
On Mar 23, 2020, at 8:30 AM, Gregorio Luján Carboneras <[hidden email]> wrote:

>
>
> Could you please give me any advice regarding how to configure freeradius 3 (PEAP-MSCHAP2) to work with multiple sub-domains via NTLM/SAMBA?
>
> I need to authenticate users from multiple sub-domains in “User Principal Name (UPN)” format:
>
> -Example:
>
> [hidden email]
> [hidden email]
> [hidden email]

  There are a number of things going on here.  First is the above user name strings.  These are just text strings.  The goal is to figure out how to map these strings to whatever is in AD.

> I have joined the freeradius to the active directory.

  FreeRADIUS doesn't join AD.  Samba joins AD.  The distinction is important.

  FreeRADIUS gets names && MS-CHAP data, and passes it to ntlm_auth, which in turn passes it to winbind, which passes it to AD.

> When I request the user information via the “wbinfo” command, I don't obtain the domain information (only usernames). And only users from the principal domain (domain.com) appear.
>
> -Example:
>
> Freeradius# wbinfo -u | grep user
> user1

  See the Samba and wbinfo documentation for how to join / query different domains.

> Actually I don't really understand how the authentication between the freeradius and the AD is performed (via NTLM, SAMBA, Kerberos ... ???)

  Samba.  This is documented on my web site:

http://deployingradius.com/documents/configuration/active_directory.html

> Could someone please provide me with a link to documentation so I can understand it?

  See above.

  What you will have to do is ensure that the AD server knows about all of the sub domains.  That way you only need to have Samba join "domain.com", and Active Directory will take care of the rest.

  You *should* be able then to check that all of the users can authenticate.  *Don't* do this with PEAP.  It's about 3 steps too soon.

  Instead, use ntlm_auth:

ntlm_auth --request-nt-key --domain=MYDOMAIN --username=user --password=password

  Do this for multiple users in each domain.  Do NOT try to do anything with FreeRADIUS until that works.

  i.e. if ntlm_auth can't authenticate users for multiple sub-domains, then no amount of poking FreeRADIUS will make it work.

  If ntlm_auth works for multiple users in multiple subdomains, then that's the hard part done.  The next step is to configure FreeRADIUS to pass the right domain information.  That's pretty easy.

  In the default configuration, edit proxy.conf, and define all of the domains:

domain.com {
}
it.domain.com {
}
sales.domain.com {
}

  After that, PEAP *should* just work.  If it doesn't, post the debug output here.

  Alan DeKok.
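The per-user ntlm_auth checks and the proxy.conf realm list above, put together as an added shell example (this is not code from the thread, nor from the FreeRADIUS or Samba projects). It assumes `NTLM_AUTH` points at Samba's ntlm_auth binary and that the realm after the `@` is one winbind can resolve (Alan's command uses the short name `MYDOMAIN`; `wbinfo -m` lists the domains winbind knows about). The sample UPNs are constructed stand-ins for the hidden addresses in the thread.

```shell
#!/bin/sh
# Added example: drive the per-realm ntlm_auth checks from a list of UPNs and
# generate the matching proxy.conf realm stanzas. Assumptions: NTLM_AUTH is
# Samba's ntlm_auth; the realm is one winbind resolves (see `wbinfo -m`).

NTLM_AUTH="${NTLM_AUTH:-ntlm_auth}"

# Constructed sample UPNs, standing in for the hidden addresses in the thread.
SAMPLE_UPNS="user1@domain.com
user2@it.domain.com
user3@sales.domain.com
user4@it.domain.com"

# upn_user UPN  -> prints the local part (everything before the last '@')
upn_user() {
    case "$1" in
        *@*) printf '%s\n' "${1%@*}" ;;
        *)   printf '%s\n' "$1" ;;      # no realm: the whole string is the user
    esac
}

# upn_realm UPN -> prints the realm (after the last '@'); empty if there is none
upn_realm() {
    case "$1" in
        *@*) printf '%s\n' "${1##*@}" ;;
        *)   printf '\n' ;;
    esac
}

# ntlm_check UPN PASSWORD -> exit status of ntlm_auth for that user.
# This is the test Alan asks for: run it for several users in every sub-domain
# before touching FreeRADIUS. The password is on the command line, so it is
# visible to `ps` and lands in shell history: use a throwaway test account.
ntlm_check() {
    user=$(upn_user "$1")
    realm=$(upn_realm "$1")
    [ -n "$realm" ] || { echo "no realm in '$1'" >&2; return 2; }
    "$NTLM_AUTH" --request-nt-key --domain="$realm" \
        --username="$user" --password="$2" >/dev/null
}

# proxy_realms < UPN-list -> one proxy.conf stanza per distinct realm, in
# first-seen order. "realm NAME { }" is proxy.conf's syntax; Alan's snippet
# leaves out the keyword.
proxy_realms() {
    seen=""
    while IFS= read -r upn; do
        realm=$(upn_realm "$upn")
        [ -n "$realm" ] || continue
        case " $seen " in *" $realm "*) continue ;; esac
        seen="$seen $realm"
        printf 'realm %s {\n}\n' "$realm"
    done
}

# check_all < UPN-list -> runs ntlm_check for every UPN, prompting for each
# password on the terminal; returns non-zero if any user fails.
check_all() {
    rc=0
    while IFS= read -r upn; do
        printf 'Password for %s: ' "$upn" >&2
        stty -echo </dev/tty; IFS= read -r pw </dev/tty; stty echo </dev/tty
        printf '\n' >&2
        if ntlm_check "$upn" "$pw"; then
            echo "OK   $upn"
        else
            echo "FAIL $upn"; rc=1
        fi
    done
    return $rc
}

# Usage (interactive):
#   printf '%s\n' "$SAMPLE_UPNS" | check_all
#   printf '%s\n' "$SAMPLE_UPNS" | proxy_realms >> /etc/raddb/proxy.conf
```

Run `check_all` against real accounts only after `wbinfo -m` shows every sub-domain, and treat a single FAIL as a Samba/AD problem to fix first, exactly as the reply says: FreeRADIUS only hands the MS-CHAP data to ntlm_auth, so it cannot succeed where ntlm_auth does not.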



RE: Freeradius 3 - Multiple sub-domains - NTLM/SAMBA

Gregorio Luján Carboneras
Thank you very much Alan.

I´m checking your documentation and I will perform some tests.


One more question please:

When I type the command "wbinfo -u", I receive a list of usernames in AD (only username, not in UPN format)

How can I check if a username listed belongs to one subdomain or another one?  (if belongs to "@sales.company.com" or "@it.company.com")







Re: Freeradius 3 - Multiple sub-domains - NTLM/SAMBA

Alan DeKok-2
On Mar 23, 2020, at 12:23 PM, Gregorio Luján Carboneras <[hidden email]> wrote:
>
> Thank you very much Alan.
>
> I´m checking your documentation and I will perform some tests.

  Good to hear.

> One more question please:
>
> When I type the command "wbinfo -u", I receive a list of usernames in AD (only username, not in UPN format)
>
> How can I check if a username listed belongs to one subdomain or another one?  (if belongs to "@sales.company.com" or "@it.company.com")

  I don't really use wbinfo, so I don't know.  You should ask the Samba people how their software works.

  Alan DeKok.



Re: Freeradius 3 - Multiple sub-domains - NTLM/SAMBA

Matthew Newton-3
On Mon, 2020-03-23 at 15:45 -0400, Alan DeKok wrote:

> On Mar 23, 2020, at 12:23 PM, Gregorio Luján Carboneras <
> [hidden email]> wrote:
> >
> > When I type the command "wbinfo -u", I receive a list of usernames
> > in AD (only username, not in UPN format)
> >
> > How can I check if a username listed belongs to one subdomain or
> > another one?  (if belongs to "@sales.company.com" or
> > "@it.company.com")
>
>   I don't really use wbinfo, so I don't know.  You should ask the
> Samba people how their software works.

I don't /think/ wbinfo will show that, it just gives the sAMAccountName
IIRC. You have to look up in LDAP.

--
Matthew
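One way to do the LDAP lookup Matthew describes, as an added shell example that is not from the thread: it maps each sAMAccountName in an LDIF export to the realm part of its userPrincipalName, so a bare name from `wbinfo -u` can be tied to `@it.domain.com` or `@sales.domain.com`. The LDIF is constructed; the ldapsearch command in the comment, its host and its base DN are placeholders.

```shell
#!/bin/sh
# Added example: tie a bare sAMAccountName to its UPN suffix via LDAP output.
# The LDIF below is constructed; in practice it would come from something like
#   ldapsearch -LLL -Y GSSAPI -H ldap://dc.domain.com -b DC=domain,DC=com \
#       '(sAMAccountName=user1)' sAMAccountName userPrincipalName
# (host and base DN are placeholders, not values from the thread).

SAMPLE_LDIF='dn: CN=user1,CN=Users,DC=domain,DC=com
sAMAccountName: user1
userPrincipalName: user1@domain.com

dn: CN=user2,OU=IT,DC=it,DC=domain,DC=com
sAMAccountName: user2
userPrincipalName: user2@it.domain.com

dn: CN=user3,OU=Sales,DC=sales,DC=domain,DC=com
sAMAccountName: user3
userPrincipalName: user3@sales.domain.com

dn: CN=svc1,CN=Users,DC=domain,DC=com
sAMAccountName: svc1
'

# upn_map < LDIF -> "sAMAccountName<TAB>realm" per entry. Entries with no
# userPrincipalName are reported with realm "-" rather than being silently
# mistaken for the forest root domain.
upn_map() {
    awk '
        BEGIN { FS = ": " }
        /^sAMAccountName:/    { sam = $2 }
        /^userPrincipalName:/ { upn = $2 }
        /^$/                  { flush() }
        END                   { flush() }
        function flush() {
            if (sam != "") {
                realm = "-"
                if (upn != "") { realm = upn; sub(/^.*@/, "", realm) }
                printf "%s\t%s\n", sam, realm
            }
            sam = ""; upn = ""
        }
    '
}

# realm_of NAME < LDIF -> prints the realm for one sAMAccountName; exit 1 if
# the name is not in the export.
realm_of() {
    upn_map | awk -F '\t' -v n="$1" '$1 == n { print $2; f = 1 } END { exit !f }'
}

# Usage:
#   printf '%s' "$SAMPLE_LDIF" | upn_map
#   printf '%s' "$SAMPLE_LDIF" | realm_of user2     # -> it.domain.com
```

Whether `wbinfo -u` prefixes names with a domain depends on Samba's `winbind use default domain` setting (with it enabled the prefix is dropped, which matches the output shown earlier in the thread); the UPN suffix itself lives only in the directory, which is why the lookup goes through LDAP. ldapsearch folds long lines and base64-encodes non-ASCII values (`::`); this parser does not unfold or decode, so run it on `-LLL` output of short attributes or unfold first.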

