Authenticating Freeradius against Active Directory: Difference between revisions

From SambaWiki
Line 9: Line 9:
* Freeradius 3.0.14 and samba 4.7.x
* Freeradius 3.0.14 and samba 4.7.x

* Debian Buster, Samba 4.10.7, Freeradius 3.0.19
* Debian Buster, Samba 4.10.7, Freeradius 3.0.17/3.0.19

= Configuration =
= Configuration =

Revision as of 15:05, 2 September 2019


This has been tested on:

  • Samba 4.7.6 AD DC (2 of them), compiled from source, on centos 7
  • Freeradius 3.0.13 + samba 4.6.2 as domain member, packages straight from centos repo.
  • Freeradius 3.0.14 and samba 4.7.x
  • Debian Buster, Samba 4.10.7, Freeradius 3.0.17/3.0.19


On the Samba 4.2.x and up, on the freeradius server and on all the Samba AD-DC's:

Add to the [global] section:

ntlm auth = mschapv2-and-ntlmv2-only

Ensure the server is added to AD with net ads join.

You need to configure Freeradius to use mschapv2 with ntlmv1 disabled globally by setting this in /mods-available/mschap:

mschap {


ntlm_auth = "/path/to/ntlm_auth --allow-mschapv2 --request-nt-key 
--username=%{mschap:User-Name} --domain=WINDOWSDOMAIN 

OR (if your Freeradius supports it)

winbind_username = "%{%{mschap:User-Name}:-00}"
winbind_domain = "WINDOWSDOMAIN"

The former should work without modification to freeradius, the latter requires freeradius to be built with winbind auth. For example: on Centos you will have to rebuild the rpm and add the winbind libraries to the ./configure path.

This is all that is required to change from the "standard", well documented freeradius/AD integration for the integration.

If there are going to be password changes with freeradius ("your password has expired" - type - scenarios) You should probably also configure in /mods-available/mschap:

passchange {
ntlm_auth = "/path/to/ntlm_auth 
--helper-protocol=ntlm-change-password-1 --allow-mschapv2
ntlm_auth_username = "username: %{mschap:User-Name}
ntlm_auth_domain = "nt-domain: WINDOWSDOMAIN"

With the settings above it works correctly, so even if it is unnecessary, it doesn't break anything. It hasn't been tested without this option while denying ntlmv1 overall on the AD DC, but it is thought that it will work without it.


If everything works as intended, you should see in the AD DC audit log something like this:

{"timestamp": "some-date0", "type": "Authentication", "Authentication": 
{"version": {"major": 1, "minor": 0}, "status": "NT_STATUS_OK", 
"localAddress": "", "remoteAddress": 
"", "serviceDescription": "SamLogon", 
"authDescription": "network", "clientDomain": "WINDOWSDOMAIN", 
"clientAccount": "some-user", "workstation": "\\\\SOME-HOST", 
"becameAccount": "some-user", "becameDomain": "WINDOWSDOMAIN", 
"becameSid": "SOME-SID", "mappedAccount": "some-user", "mappedDomain": 
"WINDOWSDOMAIN", "netlogonComputer": "SOME-HOST", 
"netlogonTrustAccount": "SOME-HOST$", "netlogonNegotiateFlags": 
"0x610FFFFF", "netlogonSecureChannelType": 2, "netlogonTrustAccountSid": 
"somesid, *"passwordType": "MSCHAPv2"*}}

Without the "--allow-mschapv2" setting, you would see "passwordType":"NTLMv1".

The information for this wiki page was supplied by Kacper Wirski