[Freeipa-users] NTLM SASL?

Brian Candler b.candler at pobox.com
Thu Dec 22 14:32:09 UTC 2016 

On 22/12/2016 12:48, Simo Sorce wrote:
> Sorry Brian but we do not support SASL NTLM or SASL SPNEGO/NTLM at this
> time, to do that you not only need the mechanism but also a way for that
> mechanism to either contact a NT-like Domain Controller or have direct
> access to the NT password hashes for any user you want to authenticate,
> and none of that is set up by default.
I installed ipa-server-trust-ad, and FreeIPA is storing the ipaNTHash 
attribute. The RADIUS server uses a privileged principal which has 
permissions to read out this attribute, and then it uses that to 
authenticate users.

All works nicely - even password changing for expired passwords over 
MSCHAPv2. However the password-change script currently needs a 
privileged FreeIPA principal (permitted to change anyone's password), 
which also needs to be in passSyncManagersDNs so that the changed 
passwords aren't immediately expired. And unfortunately that means it 
also bypasses FreeIPA's password complexity tests, so I have to 
implement those externally.

Some FreeRADIUS config snippets below, in case anyone's interested.

> We are planning to enable the integrated Samba server (which is used for
> trusts only at the moment) to provide NTLM services for radius servers,
> but it is not ready yet, although you may try to experiment with it.

I could give it a try, although if it's not in 4.4.0 I'd have to set up 
a separate testbed for it.  If the new code includes NTLM password 
changing that would certainly simplify things a lot.

Cheers,

Brian.


# mods-available/ldap

     update {
         control:NT-Password        := 'ipaNTHash'
         control:Tmp-String-9        := 'krbPasswordExpiration'
     }

     user {
         base_dn = "${..base_dn}"
         filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
         scope = "one"
         # 
https://www.redhat.com/archives/freeipa-users/2011-June/msg00078.html
         access_attribute = "nsaccountlock"
         access_positive = no
     }

     group {
         membership_attribute = 'memberOf'
         name_attributes = 'cn'
         cacheable_dn = 'yes'
         cacheable_name = 'no'
     }

# mods-available/eap

eap {
   mschapv2 {
     send_error = yes
   }
}

# mods-available/mschap

                 local_cpw = "%{exec:/usr/local/sbin/freeipa-passwd 
'%{mschap:User-Name}' '%{MS-CHAP-New-Cleartext-Password}' 
'%{control:NT-Password}'}"

# policy.d

password_expiry {
   # 
https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/doc/modules/mschap.rst
   # http://wiki.freeradius.org/config/run_time_variables
   if (&control:Tmp-String-9 < "%D%H%G00Z") {
     update control {
       &SMB-Account-Ctrl-Text := '[Ue]'
     }
   } else {
     update control {
       &SMB-Account-Ctrl-Text := '[U]'
     }
   }
}

More information about the Freeipa-users mailing list