Authenticating users in Active Directory
0. Introduction
This section describes how to configure FreeRadius to authenticate users in Active Directory.
1. Software required
To authenticate users in Active Directory, make sure you have the following installed in your system:
- Kerberos development libraries
- OpenLDAP development libraries
- Samba
- Winbind
- FreeRadius
2. Configure & test Kerberos & Samba
Create or modify the file smb.conf to include the following minimum configuration (change the values for your Windows environment):
[global]
workgroup = domain
security = ads
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template shell = /bin/bash
winbind use default domain = no
password server = ads.domain.com
realm = domain.com

[homes]
comment = Home Directories
browseable = No
writable = yes
Presumably you already have a functioning Active Directory domain and know how to run it. AD is very dependent on DNS (the domain name system), so first you'll need to add an entry for your server in your DNS.
Once you've added this entry, we need to configure Kerberos. Edit the file krb5.conf and, in the realms section, add the information about your domain.
Your krb5.conf file should look like this:
[libdefaults]
default_realm = DOMAIN.COM
dns_lookup_realm = false
dns_lookup_kdc = false
[realms]
DOMAIN.COM = {
default_domain = domain.com
kdc = ads.domain.com
admin_server = ads.domain.com
}
[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log
Modify the lines
default_realm = DOMAIN.COM
DOMAIN.COM = {
default_domain = domain.com
and replace domain.com with your domain. Mind the case: the realm name is written in upper case, the domain name in lower case.
In the lines
kdc = ads.domain.com
admin_server = ads.domain.com
you specify your Active Directory domain server.
Clock synchronization is critical to the security of the Kerberos protocol.
If clocks are not synchronized within a reasonable window, Kerberos will report fatal errors and refuse to function.
Clients attempting to authenticate from a machine with an inaccurate clock will be rejected by the KDC because of the difference between their clock and the KDC's clock.
Ensure your clock is properly configured. If you want to use an external source to synchronize your server, use NTP.
The Network Time Protocol (NTP) is available for the time synchronization of servers.
Add the following entry to your crontab to synchronize your computer's clock with an external time source:
#Time synchronization
0 0 * * * /usr/sbin/ntpdate server > /dev/null 2>&1
Save your changes. This entry will synchronize your clock with that of server every midnight.
Even if your DNS servers are perfect in every way, it is a good idea to add important servers to your local /etc/hosts file. It speeds up lookups and provides a fallback in case the DNS servers go down. So, add the entry for your Active Directory domain server in /etc/hosts.
192.168.1.1 ad.domain.com ad
Check that you get no error from typing
kinit Administrator
or the name of another user who has enough privileges to read from Active Directory.
This will ask you for the user's password. Make sure you know it beforehand.
Possible causes of error are:
- Clocks not properly synchronized
- DNS resolution
Edit the file /etc/nsswitch.conf and add winbind at the end of the following lines:
passwd:
group:
protocols:
services:
netgroup:
automount:
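A small pre-flight check that the three files edited so far agree with each other, as an added example (my code, not part of the original page nor of Samba or MIT Kerberos): it verifies the points the text insists on, namely security = ads, an upper-case default_realm that has a [realms] block with a kdc and admin_server, a smb.conf realm matching it, the two dns_lookup settings, and winbind on the six nsswitch.conf lines. The file contents are constructed inline to mirror the guide's minimum configuration; the parser is a deliberately minimal one written for this check, not a full smb.conf/krb5.conf parser.

```python
"""Pre-flight consistency check for smb.conf, krb5.conf and nsswitch.conf.
Added example, not part of the guide or of Samba/Kerberos. The sample file
contents below are constructed to mirror the guide's minimum configuration."""
import re
from typing import Dict, List, Optional

SAMPLE_SMB_CONF = """
[global]
workgroup = DOMAIN
security = ads
realm = domain.com
password server = ads.domain.com
"""

SAMPLE_KRB5_CONF = """
[libdefaults]
default_realm = DOMAIN.COM
dns_lookup_realm = false
dns_lookup_kdc = false
[realms]
DOMAIN.COM = {
default_domain = domain.com
kdc = ads.domain.com
admin_server = ads.domain.com
}
"""

SAMPLE_NSSWITCH = """
passwd: files winbind
group: files winbind
protocols: files winbind
services: files winbind
netgroup: files winbind
automount: files winbind
"""


def parse_sections(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser for the '[section]' / 'key = value' layout shared by
    smb.conf and krb5.conf. A krb5.conf realm block ('NAME = { ... }')
    becomes a pseudo-section keyed by the realm name, case preserved."""
    sections: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    stack: List[Optional[str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1).lower()
            sections.setdefault(current, {})
        elif line.endswith("{"):          # start of a realm block
            stack.append(current)
            current = line[:-1].rstrip(" =").strip()
            sections.setdefault(current, {})
        elif line == "}":                 # end of a realm block
            current = stack.pop()
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key.lower()] = value
    return sections


def check_config(smb_text: str, krb5_text: str, nss_text: str) -> List[str]:
    """Return the problems found; an empty list means the files agree."""
    problems: List[str] = []
    smb = parse_sections(smb_text).get("global", {})
    krb5 = parse_sections(krb5_text)
    libdefaults = krb5.get("libdefaults", {})
    realm = libdefaults.get("default_realm", "")

    if smb.get("security", "").lower() != "ads":
        problems.append("smb.conf: 'security = ads' is required to join AD")
    if not realm:
        problems.append("krb5.conf: default_realm is missing")
    else:
        if realm != realm.upper():
            problems.append(f"krb5.conf: default_realm {realm!r} must be upper case")
        block = krb5.get(realm)
        if block is None:
            problems.append(f"krb5.conf: no [realms] entry for {realm}")
        else:
            for key in ("kdc", "admin_server"):
                if not block.get(key):
                    problems.append(f"krb5.conf: realm {realm} has no '{key}'")
        if smb.get("realm", "").lower() != realm.lower():
            problems.append("smb.conf: 'realm' does not match krb5.conf default_realm")
    for key in ("dns_lookup_realm", "dns_lookup_kdc"):
        if key not in libdefaults:
            problems.append(f"krb5.conf: '{key}' is not set")

    # The guide appends winbind to these six nsswitch.conf databases.
    nss: Dict[str, List[str]] = {}
    for raw in nss_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" in line:
            db, sources = line.split(":", 1)
            nss[db.strip()] = sources.split()
    for db in ("passwd", "group", "protocols", "services", "netgroup", "automount"):
        if "winbind" not in nss.get(db, []):
            problems.append(f"nsswitch.conf: '{db}' does not list winbind")
    return problems


if __name__ == "__main__":
    for problem in check_config(SAMPLE_SMB_CONF, SAMPLE_KRB5_CONF, SAMPLE_NSSWITCH) or ["OK"]:
        print(problem)
```

To run it against a real host, read the three files (typically /etc/samba/smb.conf, /etc/krb5.conf and /etc/nsswitch.conf, paths vary by distribution) and pass their contents to check_config; a lower-case realm or a missing winbind entry is reported before you spend time on kinit or net join failures.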
If everything went OK, start Samba and verify that it started. Check for errors in the Samba log. If errors are present, check your smb.conf file again. Once Samba has started correctly, do:
net join
This joins your machine to the domain. You can verify that your computer has joined the domain by typing
klist
This should display valid Kerberos tickets, one of them issued by your Active Directory domain server.
Now, change the group that owns the winbindd_privileged lock directory:
chgrp radiusd /opt/samba/var/locks/winbindd_privileged
Adjust the path and the group according to your system.
This is done because we'll run FreeRadius as the radiusd user, and this user needs access to this directory in order to perform the authentication against the Windows domain.
Now change its permissions:
chmod 750 /opt/samba/var/locks/winbindd_privileged
And start winbind:
/etc/init.d/winbindd start
Verify that winbind is working. This command pulls the list of users from AD:
wbinfo -u
And check for errors in the winbindd log. If it started successfully, it will create another log file called log.wb-DOMAIN. Once we have winbindd running, activate both smbd and winbindd as services if they are not already activated.
All this has been done in order to get ntlm_auth to run. Try to authenticate with NTLM:
ntlm_auth --request-nt-key --domain=domain.com --username=Administrator
password:
NT_STATUS_OK: Success (0x0)
This success message indicates that Samba is properly configured to authenticate users against AD, which is what we need for FreeRadius.
3. Configure Freeradius
Below are the relevant sections to configure in radiusd.conf:
modules:
mschap {
authtype = MS-CHAP
use_mppe = yes
require_encryption = yes
require_strong = yes
with_ntdomain_hack = yes
ntlm_auth = "/opt/samba/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain:-DOMAIN} --username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}
authorize:
mschap
eap
authenticate:
Auth-Type MS-CHAP {
mschap
}
eap
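To see what the mschap block above actually hands to ntlm_auth, here is an added walk-through (my code, not FreeRADIUS's or Samba's) that derives the %{mschap:...} values from a constructed MS-CHAPv2 request, expands the guide's ntlm_auth line with the :-default semantics (so a bare user name falls back to the DOMAIN default) and judges a constructed ntlm_auth reply. The 8-byte Challenge is the RFC 2759 ChallengeHash of the peer challenge, authenticator challenge and domain-stripped user name; the shlex-based argument splitting and the exact wording of the reply lines are assumptions that stand in for FreeRADIUS's and ntlm_auth's own handling, and nothing is executed.

```python
"""What the mschap module's ntlm_auth line hands to Samba, and how the reply
is judged. Added example, not FreeRADIUS or Samba code: it re-implements the
MS-CHAPv2 challenge hash (RFC 2759) and a simplified %{mschap:Name:-default}
expansion so the radiusd.conf fragment can be traced with constructed data."""
import hashlib
import re
import shlex
from typing import Dict, List, Tuple

# ntlm_auth line copied from the guide's radiusd.conf mschap block.
NTLM_AUTH_LINE = (
    "/opt/samba/bin/ntlm_auth --request-nt-key "
    "--domain=%{mschap:NT-Domain:-DOMAIN} --username=%{mschap:User-Name} "
    "--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
)

XLAT = re.compile(r"%\{mschap:([A-Za-z-]+)(?::-([^}]*))?\}")


def split_ntdomain(user_name: str) -> Tuple[str, str]:
    """with_ntdomain_hack: 'DOMAIN\\user' becomes ('DOMAIN', 'user');
    a bare user name has no domain, so the :-DOMAIN default is used."""
    if "\\" in user_name:
        domain, user = user_name.split("\\", 1)
        return domain, user
    return "", user_name


def mschap_attrs(user_name: str, auth_challenge: bytes, response: bytes) -> Dict[str, str]:
    """Derive the values the %{mschap:...} tokens expand to from the request.
    auth_challenge is the 16-byte MS-CHAP-Challenge; response is the 50-byte
    MS-CHAP2-Response (ident, flags, 16-byte peer challenge, 8 reserved bytes,
    24-byte NT-Response)."""
    if len(auth_challenge) != 16 or len(response) != 50:
        raise ValueError("malformed MS-CHAPv2 attributes")
    domain, user = split_ntdomain(user_name)
    peer_challenge = response[2:18]
    nt_response = response[26:50]
    # RFC 2759 ChallengeHash: the 8-byte challenge ntlm_auth verifies against.
    challenge = hashlib.sha1(peer_challenge + auth_challenge + user.encode()).digest()[:8]
    return {
        "NT-Domain": domain,
        "User-Name": user,
        "Challenge": challenge.hex(),
        "NT-Response": nt_response.hex(),
    }


def expand(template: str, attrs: Dict[str, str]) -> List[str]:
    """Expand %{mschap:Name} / %{mschap:Name:-default} tokens. Splitting the
    expanded line with shlex stands in for FreeRADIUS's own argument
    splitting (a simplification); the point is that no shell is involved."""
    def sub(match):
        return attrs.get(match.group(1)) or (match.group(2) or "")
    return shlex.split(XLAT.sub(sub, template))


NT_STATUS = re.compile(r"^(NT_STATUS_\w+): (.*) \((0x[0-9a-fA-F]+)\)$", re.M)
NT_KEY = re.compile(r"^NT_KEY: [0-9A-Fa-f]{32}$", re.M)


def judge(exit_code: int, output: str) -> Tuple[bool, str]:
    """Map an ntlm_auth result to accept/reject. Success requires exit code 0
    and the NT_KEY: line that --request-nt-key produces (the key feeds MPPE);
    the NT_STATUS_ line is what you will see in the logs either way."""
    match = NT_STATUS.search(output)
    status = match.group(1) if match else "no NT_STATUS line"
    ok = exit_code == 0 and NT_KEY.search(output) is not None
    return ok, status


if __name__ == "__main__":
    # Constructed request data: authenticator challenge 0x00..0x0f,
    # peer challenge 0x10..0x1f, NT-Response 0x20..0x37.
    auth = bytes(range(16))
    resp = bytes([1, 0]) + bytes(range(16, 32)) + bytes(8) + bytes(range(32, 56))
    print(expand(NTLM_AUTH_LINE, mschap_attrs("DOMAIN\\alice", auth, resp)))
    # Constructed replies in the format the guide shows for ntlm_auth.
    print(judge(0, "NT_KEY: " + "AB" * 16 + "\nNT_STATUS_OK: Success (0x0)\n"))
    print(judge(1, "NT_STATUS_LOGON_FAILURE: Logon failure (0xc000006d)\n"))
```

Two things worth noticing when reading the output: the value passed as --challenge is never the raw 16-byte RADIUS challenge but the SHA-1 derived 8 bytes, which is why the user name (without domain) has to be the same one the client hashed; and a reply with NT_STATUS_OK but no NT_KEY: line is still treated as a failure, because without the NT key the module cannot derive the MPPE keys that use_mppe = yes requires.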