On 22/12/2016 12:48, Simo Sorce wrote:
> Sorry Brian but we do not support SASL NTLM or SASL SPNEGO/NTLM at this
> time, to do that you not only need the mechanism but also a way for that
> mechanism to either contact a NT-like Domain Controller or have direct
> access to the NT password hashes for any user you want to authenticate,
> and none of that is set up by default.
I installed ipa-server-trust-ad, and FreeIPA is storing the ipaNTHash
attribute. The RADIUS server uses a privileged principal which has
permissions to read out this attribute, and then it uses that to
authenticate users.
All works nicely - even password changing for expired passwords over
MSCHAPv2. However the password-change script currently needs a
privileged FreeIPA principal (permitted to change anyone's password),
which also needs to be in passSyncManagersDNs so that the changed
passwords aren't immediately expired. And unfortunately that means it
also bypasses FreeIPA's password complexity tests, so I have to
implement those externally.
Some FreeRADIUS config snippets below, in case anyone's interested.
> We are planning to enable the integrated Samba server (which is used for
> trusts only at the moment) to provide NTLM services for radius servers,
> but it is not ready yet, although you may try to experiment with it.
I could give it a try, although if it's not in 4.4.0 I'd have to set up
a separate testbed for it. If the new code includes NTLM password
changing that would certainly simplify things a lot.
Cheers,
Brian.
# mods-available/ldap
update {
    control:NT-Password := 'ipaNTHash'
    control:Tmp-String-9 := 'krbPasswordExpiration'
}
user {
    base_dn = "${..base_dn}"
    filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
    scope = "one"
    # https://www.redhat.com/archives/freeipa-users/2011-June/msg00078.html
    access_attribute = "nsaccountlock"
    access_positive = no
}
group {
    membership_attribute = 'memberOf'
    name_attributes = 'cn'
    cacheable_dn = 'yes'
    cacheable_name = 'no'
}
# mods-available/eap
eap {
    mschapv2 {
        send_error = yes
    }
}
# mods-available/mschap
local_cpw = "%{exec:/usr/local/sbin/freeipa-passwd '%{mschap:User-Name}' '%{MS-CHAP-New-Cleartext-Password}' '%{control:NT-Password}'}"
# policy.d
password_expiry {
    # https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/doc/modules/mschap.rst
    # http://wiki.freeradius.org/config/run_time_variables
    if (&control:Tmp-String-9 < "%D%H%G00Z") {
        update control {
            &SMB-Account-Ctrl-Text := '[Ue]'
        }
    } else {
        update control {
            &SMB-Account-Ctrl-Text := '[U]'
        }
    }
}
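An added example (not Brian's freeipa-passwd script and not FreeIPA code) of the external policy checks a helper called from local_cpw has to re-apply, since a passSyncManagersDNs principal bypasses FreeIPA's own checks. It takes the same three arguments the exec xlat above passes; the thresholds are assumed values modelled on the ipa pwpolicy attributes, and the actual password change with the privileged principal is left out.

```python
"""Password-policy gate for the MS-CHAPv2 change-password path.

Called as: freeipa-passwd USER NEW_CLEARTEXT_PASSWORD CURRENT_NT_HASH
Exit status 0 lets the change proceed; non-zero makes the exec xlat fail,
so the client gets a change-password error instead of a silent bypass.
"""
import re
import sys
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordPolicy:
    # Assumed values; in FreeIPA these come from the user's pwpolicy entry.
    min_length: int = 8     # krbPwdMinLength  (ipa pwpolicy --minlength)
    min_classes: int = 3    # krbPwdMinDiffChars (ipa pwpolicy --minclasses)
    max_repeat: int = 3     # longest run of one character (assumed limit)


# Character classes counted towards min_classes: upper, lower, digit, other.
CLASSES = (str.isupper, str.islower, str.isdigit, lambda c: not c.isalnum())


def character_classes(password: str) -> int:
    """Number of distinct character classes present in the password."""
    return sum(1 for test in CLASSES if any(test(c) for c in password))


def check_password(user: str, new_password: str,
                   policy: PasswordPolicy = PasswordPolicy()) -> list:
    """Return a list of policy violations; an empty list means accepted."""
    problems = []
    if len(new_password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if character_classes(new_password) < policy.min_classes:
        problems.append(f"fewer than {policy.min_classes} character classes")
    if user.lower() in new_password.lower():
        problems.append("contains the user name")
    if re.search(r"(.)\1{%d,}" % policy.max_repeat, new_password):
        problems.append(f"a character repeats more than {policy.max_repeat} times")
    return problems


if __name__ == "__main__":
    user, new_password = sys.argv[1], sys.argv[2]  # argv[3] is the NT hash
    failures = check_password(user, new_password)
    for failure in failures:
        print(f"password rejected: {failure}", file=sys.stderr)
    # On success the privileged change (e.g. via the ipa CLI) would go here.
    sys.exit(1 if failures else 0)
```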