
List:       freeradius-users
Subject:    RE: EAP-MSCHAPv2 and AD Authentication w/o ntlm_auth
From:       BOUILLOUD Corentin <cbouilloud () systra ! com>
Date:       2023-07-11 13:59:23
Message-ID: VI1PR01MB4559A77E376B2CD43547AFBFA731A () VI1PR01MB4559 ! eurprd01 ! prod ! exchangelabs ! com

Thanks for the clarification.
ntlm_auth it is then :D

-----Original Message-----
From: Alan DeKok <aland@deployingradius.com>
Sent: Monday, July 10, 2023 16:29
To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
Subject: Re: EAP-MSCHAPv2 and AD Authentication w/o ntlm_auth

On Jul 10, 2023, at 10:11 AM, BOUILLOUD Corentin <cbouilloud@systra.com> wrote:
> I would like to use Kerberos instead of ntlm_auth to authenticate AD users with FreeRADIUS.

  Does Kerberos support MS-CHAP?  Does Kerberos supply a clear-text password to FreeRADIUS?

  The answer to both of those questions is "no".

> I configured the 'mschap' module to directly use the winbind daemon
> and, if I understood the samba documentation properly, winbindd can't authenticate users itself. It uses the 'pam_winbind' module, which we can configure to use Kerberos.

  I don't think that's correct.  pam_winbind talks to the winbindd process.  That process then talks to Samba, and then to AD.  This is all documented:

https://www.samba.org/samba/docs/current/man-html/pam_winbind.8.html

        pam_winbind is a PAM module that can authenticate users against the local domain by talking to the Winbind daemon.

> Could you confirm that this is correct and/or possible in another way?

  You cannot use Kerberos to authenticate MS-CHAP.  It's impossible.

> https://www.samba.org/samba/docs/current/man-html/pam_winbind.8.html
> krb5_auth
> pam_winbind can authenticate using Kerberos when winbindd is talking to an Active Directory domain controller. Kerberos authentication must be enabled with this parameter.

  That means the pam_winbind software can talk Kerberos to winbindd, which then sends the Kerberos data to AD.

  It doesn't mention MS-CHAP.  Because it's impossible to use Kerberos to authenticate MS-CHAP.

  The mschap module documents what's possible.  If you want to do MS-CHAP authentication with AD, use Samba and ntlm_auth, or winbind.  As is documented in the mschap module configuration.

  Alan DeKok.
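For readers who land on this thread looking for the configuration Alan refers to, the fragment below is an added illustration and is not part of the thread or of the FreeRADIUS distribution. It shows the two documented ways the mschap module can get an MS-CHAP response verified against AD: the ntlm_auth helper, or winbindd directly. The file path, domain name and helper path are placeholders; the option names and the `%{mschap:...}` expansions are the ones used in the stock FreeRADIUS 3.x mods-available/mschap file.

```text
#  /etc/raddb/mods-available/mschap   (added example, not from the thread)
#  Use ONE of the two options below.  Path, domain name and binary location
#  are placeholders to adapt to your installation.

mschap {
	#  Option 1: hand the MS-CHAP challenge and NT-Response to Samba's
	#  ntlm_auth.  The domain controller verifies them and returns the
	#  NT key (used for MPPE), so FreeRADIUS never holds the user's
	#  password or NT hash itself.  "EXAMPLE" is a placeholder domain.
	ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=EXAMPLE --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"

	#  Option 2: talk to winbindd directly over libwbclient, which avoids
	#  forking ntlm_auth for every authentication.  Comment out the
	#  ntlm_auth line above if you enable these two settings.
	# winbind_username = "%{mschap:User-Name}"
	# winbind_domain = "%{mschap:NT-Domain}"
}
```

Either option only works once the RADIUS host has been joined to the domain (`net ads join`) and the account FreeRADIUS runs as has been granted access to winbindd's privileged socket; the usual sanity check before touching the module is to run `ntlm_auth --request-nt-key --domain=EXAMPLE --username=someuser --password=...` from a shell as that account and confirm it returns `NT_STATUS_OK`.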



