Modo 02
Ajuste a configuração em sites-enabled/inner-tunnel para usar MSCHAPv2:
authenticate {
...
# O módulo mschap cuida da validação se o NT-Password estiver presente
mschap
...
}
No FreeRADIUS, em mods-enabled/ldap, ajuste o módulo LDAP:
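# Copies the NT hash stored in FreeIPA into control:NT-Password so the mschap
# module can validate MS-CHAPv2 without ever seeing the cleartext password.
# The permission granted further down this page reads the attribute
# `ipaNTHash`, not `ipaNTPassword`; the mapping has to name the same
# attribute, otherwise the lookup presumably yields nothing and MS-CHAP fails.
update {
control:NT-Password := "ipaNTHash"
}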
OU
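ldap {
...
user {
# Map the IPA attribute onto the RADIUS control list.
# The attribute FreeIPA keeps the NT hash in, and the one the permission on
# this page grants read access to, is `ipaNTHash` — the name must match.
# NOTE(review): in the stock FreeRADIUS 3.x mods-available/ldap the update {}
# section sits directly under ldap {} rather than under user {}; confirm
# against the shipped module before keeping it nested here.
update {
control:NT-Password := "ipaNTHash"
}
}
}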
# cd /etc/raddb/mods-enable
# vi /etc/raddb/mods-enable/eap
....
eap {
....
default_eap_type = peap
....
peap {
default_eap_type = mschapv2
....
Configure
# vi /etc/raddb/sites-enabled/default
authorize {
...
mschap
...
authenticate {
...
Auth-Type MS-CHAP {
mschap
}
...
mschap
...
# vi /etc/raddb/sites-enabled/inner-tunnel
authorize {
...
mschap
...
authenticate {
...
Auth-Type MS-CHAP {
mschap
}
...
mschap
...
# ipa service-add cifs/samba-hl251.local.domain
# ipa-getkeytab -s ipa-server -p cifs/samba-hl251.local.domain -k /etc/samba/samba.keytab
#   NOTE: the permission below grants read on ipaNTHash, which is password-equivalent
#   (NTLM/MS-CHAP accept the hash itself); keep the role's membership to the CIFS service only.
# ipa permission-add "CIFS server can read user passwords" --attrs={ipaNTHash,ipaNTSecurityIdentifier} --type=user --right={read,search,compare} --bindtype=permission
# ipa privilege-add "CIFS server privilege"
# ipa privilege-add-permission "CIFS server privilege" --permission="CIFS server can read user passwords"
# ipa role-add "CIFS server"
# ipa role-add-privilege "CIFS server" --privilege="CIFS server privilege"
#   NOTE: this member line is commented out and names cifs/hl251.local.domain, while the
#   service created above is cifs/samba-hl251.local.domain; until it is run with the matching
#   principal the role has no member, so the keytab identity presumably cannot read the hash.
# # ipa role-add-member "CIFS server" --services=cifs/hl251.local.domain
# vi /etc/samba/smb.conf
[global]
workgroup = DOMAIN
realm = LOCAL.DOMAIN
; keytab written by the ipa-getkeytab step above; keep it readable only by root
dedicated keytab file = FILE:/etc/samba/samba.keytab
kerberos method = dedicated keytab
; %m expands to the connecting client's NetBIOS name, giving one log per client
log file = /var/log/samba/log.%m
security = ads
https://gist.github.com/nazunalika/245f0f3c174a9ae129078567b0d645f6
# ipa service-add 'radius/hl251.local.domain'
# ipa service-add-host --hosts=hl251.local.domain radius/hl251.local.domain
# ipa role-add "samba/radius auth"
# ipa privilege-add "NTLM Password Hash Access"
#   NOTE: this grants read on ipaNTHash (password-equivalent for NTLM/MS-CHAP) to every member
#   of the role; the samba* attributes presumably come from the Samba schema — confirm they exist
#   in this IPA deployment before relying on them.
# ipa permission-add "Read Samba NTLM RC4 Password Hash attribute" --attrs=ipaNTHash --attrs=sambaNTPassword --attrs=sambaPwdLastSet --attrs=sambaSID --attrs=sambaAcctFlags --attrs=sambaDomainName --type=user --right=read --right=compare
# ipa privilege-add-permission "NTLM Password Hash Access" --permissions="Read Samba NTLM RC4 Password Hash attribute"
# ipa role-add-member "samba/radius auth" --services="radius/hl251.local.domain"
# ipa-getkeytab -p 'radius/hl251.local.domain' -s hl251.local.domain -k /etc/raddb/radius.keytab
#   keytab owned by root, readable by the radiusd group only (0640)
# chown root:radiusd /etc/raddb/radius.keytab
# chmod 640 /etc/raddb/radius.keytab
# mkdir -p /etc/systemd/system/radiusd.service.d
# cat > /etc/systemd/system/radiusd.service.d/krb5_keytab.conf << EOF
[Service]
# keytab the radiusd process uses to obtain its own Kerberos client credentials
Environment=KRB5_CLIENT_KTNAME=/etc/raddb/radius.keytab
# leading "-" makes systemd ignore a non-zero exit; kdestroy -A removes every
# credential cache so no ticket derived from the keytab outlives the service
ExecStartPre=-/usr/bin/kdestroy -A
ExecStopPost=-/usr/bin/kdestroy -A
EOF
# systemctl daemon-reload
# ldapmodify -x -D 'cn=Directory Manager' -W
Enter password: <admin password>
# Gives the radius service entry a simple-bind password: objectClass
# simpleSecurityObject is what carries the userPassword attribute.
# NOTE(review): "ldap123" is a placeholder — use a long random secret. It lives
# in this LDIF and presumably in the FreeRADIUS ldap module config as the bind
# password, so protect both files. The ldapmodify above binds as Directory
# Manager with -x; if it is not run on the IPA server itself, use ldaps/-ZZ so
# that password is not sent in clear.
dn: krbprincipalname=radius/hl251.local.domain@LOCAL.DOMAIN,cn=services,cn=accounts,dc=local,dc=domain
changetype: modify
add: objectClass
objectClass: simpleSecurityObject
-
add: userPassword
userPassword: ldap123
Configurar o serviço NTLM
# dnf install ntlm_auth
# vi mods-enabled/ntlm_auth
# exec module that runs Samba's ntlm_auth for requests that carry the cleartext
# password (User-Password). MS-CHAPv2 requests presumably do not carry it and are
# handled by the ntlm_auth setting of the mschap module, which passes
# challenge/response instead.
exec ntlm_auth {
# wait for the helper to exit and use its exit status as the module result
wait = yes
# template line from the stock module, kept for reference
#program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
# NOTE(review): the password is passed as a command-line argument, so it is visible
# in the process table to other local users while ntlm_auth runs; keep local
# shell access to this host restricted.
program = "/usr/bin/ntlm_auth --request-nt-key --domain=LOCAL.DOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
}
# vi mods-enabled/mschap
# ntlm_auth setting of the mschap module: the NT-hash check is delegated to
# winbind using the MS-CHAP challenge and response (--challenge/--nt-response),
# so no cleartext password appears on the command line. The %{x:-y} forms supply
# fallbacks when an attribute is missing (User-Name → "None", challenge and
# response → 00). --allow-mschapv2 must be supported by the installed ntlm_auth.
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --allow-mschapv2 --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
Ajustar a permissão de acesso ao diretório privilegiado do serviço WINBIND:
/var/lib/samba/winbindd_privileged
# usermod -aG wbpriv radiusd
Reinicie o serviço.
# systemctl restart radiusd.service
# cd /etc/raddb/mods-enable
# vi /etc/raddb/mods-enable/eap
....
eap {
....
default_eap_type = peap
....
peap {
default_eap_type = mschapv2
....
Configure
# vi /etc/raddb/sites-enabled/default
authorize {
...
mschap
...
authenticate {
...
Auth-Type MS-CHAP {
mschap
}
...
mschap
...
# vi /etc/raddb/sites-enabled/inner-tunnel
authorize {
...
mschap
...
authenticate {
...
Auth-Type MS-CHAP {
mschap
}
...
mschap
...
# ipa service-add cifs/samba-hl251.local.domain
# ipa-getkeytab -s ipa-server -p cifs/samba-hl251.local.domain -k /etc/samba/samba.keytab
#   NOTE: the permission below grants read on ipaNTHash, which is password-equivalent
#   (NTLM/MS-CHAP accept the hash itself); keep the role's membership to the CIFS service only.
# ipa permission-add "CIFS server can read user passwords" --attrs={ipaNTHash,ipaNTSecurityIdentifier} --type=user --right={read,search,compare} --bindtype=permission
# ipa privilege-add "CIFS server privilege"
# ipa privilege-add-permission "CIFS server privilege" --permission="CIFS server can read user passwords"
# ipa role-add "CIFS server"
# ipa role-add-privilege "CIFS server" --privilege="CIFS server privilege"
#   NOTE: this member line is commented out and names cifs/hl251.local.domain, while the
#   service created above is cifs/samba-hl251.local.domain; until it is run with the matching
#   principal the role has no member, so the keytab identity presumably cannot read the hash.
# # ipa role-add-member "CIFS server" --services=cifs/hl251.local.domain
# vi /etc/samba/smb.conf
[global]
workgroup = DOMAIN
realm = LOCAL.DOMAIN
; keytab written by the ipa-getkeytab step above; keep it readable only by root
dedicated keytab file = FILE:/etc/samba/samba.keytab
kerberos method = dedicated keytab
; %m expands to the connecting client's NetBIOS name, giving one log per client
log file = /var/log/samba/log.%m
security = ads
https://gist.github.com/nazunalika/245f0f3c174a9ae129078567b0d645f6
# ipa service-add 'radius/hl251.local.domain'
# ipa service-add-host --hosts=hl251.local.domain radius/hl251.local.domain
# ipa role-add "samba/radius auth"
# ipa privilege-add "NTLM Password Hash Access"
#   NOTE: this grants read on ipaNTHash (password-equivalent for NTLM/MS-CHAP) to every member
#   of the role; the samba* attributes presumably come from the Samba schema — confirm they exist
#   in this IPA deployment before relying on them.
# ipa permission-add "Read Samba NTLM RC4 Password Hash attribute" --attrs=ipaNTHash --attrs=sambaNTPassword --attrs=sambaPwdLastSet --attrs=sambaSID --attrs=sambaAcctFlags --attrs=sambaDomainName --type=user --right=read --right=compare
# ipa privilege-add-permission "NTLM Password Hash Access" --permissions="Read Samba NTLM RC4 Password Hash attribute"
# ipa role-add-member "samba/radius auth" --services="radius/hl251.local.domain"
# ipa-getkeytab -p 'radius/hl251.local.domain' -s hl251.local.domain -k /etc/raddb/radius.keytab
#   keytab owned by root, readable by the radiusd group only (0640)
# chown root:radiusd /etc/raddb/radius.keytab
# chmod 640 /etc/raddb/radius.keytab
# mkdir -p /etc/systemd/system/radiusd.service.d
# cat > /etc/systemd/system/radiusd.service.d/krb5_keytab.conf << EOF
[Service]
# keytab the radiusd process uses to obtain its own Kerberos client credentials
Environment=KRB5_CLIENT_KTNAME=/etc/raddb/radius.keytab
# leading "-" makes systemd ignore a non-zero exit; kdestroy -A removes every
# credential cache so no ticket derived from the keytab outlives the service
ExecStartPre=-/usr/bin/kdestroy -A
ExecStopPost=-/usr/bin/kdestroy -A
EOF
# systemctl daemon-reload
# ldapmodify -x -D 'cn=Directory Manager' -W
Enter password: <admin password>
# Gives the radius service entry a simple-bind password: objectClass
# simpleSecurityObject is what carries the userPassword attribute.
# NOTE(review): "ldap123" is a placeholder — use a long random secret. It lives
# in this LDIF and presumably in the FreeRADIUS ldap module config as the bind
# password, so protect both files. The ldapmodify above binds as Directory
# Manager with -x; if it is not run on the IPA server itself, use ldaps/-ZZ so
# that password is not sent in clear.
dn: krbprincipalname=radius/hl251.local.domain@LOCAL.DOMAIN,cn=services,cn=accounts,dc=local,dc=domain
changetype: modify
add: objectClass
objectClass: simpleSecurityObject
-
add: userPassword
userPassword: ldap123
Configurar o serviço NTLM
# dnf install ntlm_auth
# vi mods-enabled/ntlm_auth
# exec module that runs Samba's ntlm_auth for requests that carry the cleartext
# password (User-Password). MS-CHAPv2 requests presumably do not carry it and are
# handled by the ntlm_auth setting of the mschap module, which passes
# challenge/response instead.
exec ntlm_auth {
# wait for the helper to exit and use its exit status as the module result
wait = yes
# template line from the stock module, kept for reference
#program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
# NOTE(review): the password is passed as a command-line argument, so it is visible
# in the process table to other local users while ntlm_auth runs; keep local
# shell access to this host restricted.
program = "/usr/bin/ntlm_auth --request-nt-key --domain=LOCAL.DOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
}
# vi mods-enabled/mschap
# ntlm_auth setting of the mschap module: the NT-hash check is delegated to
# winbind using the MS-CHAP challenge and response (--challenge/--nt-response),
# so no cleartext password appears on the command line. The %{x:-y} forms supply
# fallbacks when an attribute is missing (User-Name → "None", challenge and
# response → 00). --allow-mschapv2 must be supported by the installed ntlm_auth.
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --allow-mschapv2 --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
Ajustar a permissão de acesso ao diretório privilegiado do serviço WINBIND:
/var/lib/samba/winbindd_privileged
# usermod -aG wbpriv radiusd
Reinicie o serviço.
# systemctl restart radiusd.service