[Freeipa-users] NTLM SASL?

Simo Sorce simo at redhat.com
Thu Dec 22 12:48:35 UTC 2016 

On Thu, 2016-12-22 at 11:42 +0000, Brian Candler wrote:
> Question: does FreeIPA (or specifically the 389 directory server) 
> implement the NTLM SASL mechanism?
> 
> It appears not at first attempt:
> 
> # yum install cyrus-sasl-ntlm
> # ldapsearch -Y NTLM
> SASL/NTLM authentication started
> ldap_sasl_interactive_bind_s: Authentication method not supported (7)
>      additional info: sasl mechanism not supported
> 
> Now, under cn=config, I see:
> 
>      nsslapd-allowed-sasl-mechanisms:
> 
> (i.e. empty).
> 
> I tried changing this to "NTLM" and it accepted the change. If I try 
> changing it to "ntlm" I get "Server is unwilling to perform" - which is 
> a good sign, since clearly "NTLM" is valid.
> 
> However even after restarting the server, I still get "sasl mechanism 
> not supported" when I try the bind.
> 
> -=-=-=-
> 
> The reason I'm asking: I'm using FreeRADIUS for MSCHAP authentication, 
> and one of the things MSCHAP supports is a password change feature for 
> expired passwords. FreeRADIUS lets me shell out to an external process 
> to perform the password change:
> 
>                  local_cpw = "%{exec:/usr/local/sbin/freeipa-passwd 
> '%{mschap:User-Name}' '%{MS-CHAP-New-Cleartext-Password}' 
> '%{control:NT-Password}'"
> 
> Now, the last argument is the user's *old* NTLM password hash. So 
> ideally I would use this to authenticate to the FreeIPA server to 
> perform the password change - this would avoid the freeipa-passwd script 
> having to have any privileged credentials of its own.
> 
> But the only way I can think of doing that would be via a SASL NTLM bind.

Sorry Brian but we do not support SASL NTLM or SASL SPNEGO/NTLM at this
time, to do that you not only need the mechanism but also a way for that
mechanism to either contact a NT-like Domain Controller or have direct
access to the NT password hashes for any user you want to authenticate,
and none of that is set up by default.

We are planning to enable the integrated Samba server (which is used for
trusts only at the moment) to provide NTLM services for radius servers,
but it is not ready yet, although you may try to experiment with it.

Simo.
 
-- 
Simo Sorce * Red Hat, Inc * New York

More information about the Freeipa-users mailing list