On 22/12/2016 12:48, Simo Sorce wrote:
Sorry Brian but we do not support SASL NTLM or SASL SPNEGO/NTLM at this
time, to do that you not only need the mechanism but also a way for that
mechanism to either contact a NT-like Domain Controller or have direct
access to the NT password hashes for any user you want to authenticate,
and none of that is set up by default.
I installed ipa-server-trust-ad, and FreeIPA is storing the ipaNTHash attribute. The RADIUS server uses a privileged principal which has permissions to read out this attribute, and then it uses that to authenticate users.

All works nicely - even password changing for expired passwords over MSCHAPv2. However the password-change script currently needs a privileged FreeIPA principal (permitted to change anyone's password), which also needs to be in passSyncManagersDNs so that the changed passwords aren't immediately expired. And unfortunately that means it also bypasses FreeIPA's password complexity tests, so I have to implement those externally.

Some FreeRADIUS config snippets below, in case anyone's interested.

We are planning to enable the integrated Samba server (which is used for
trusts only at the moment) to provide NTLM services for radius servers,
but it is not ready yet, although you may try to experiment with it.

I could give it a try, although if it's not in 4.4.0 I'd have to set up a separate testbed for it. If the new code includes NTLM password changing that would certainly simplify things a lot.



# mods-available/ldap

    update {
        control:NT-Password        := 'ipaNTHash'
        control:Tmp-String-9        := 'krbPasswordExpiration'

    user {
        base_dn = "${..base_dn}"
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        scope = "one"
# https://www.redhat.com/archives/freeipa-users/2011-June/msg00078.html
        access_attribute = "nsaccountlock"
        access_positive = no

    group {
        membership_attribute = 'memberOf'
        name_attributes = 'cn'
        cacheable_dn = 'yes'
        cacheable_name = 'no'

# mods-available/eap

eap {
  mschapv2 {
    send_error = yes

# mods-available/mschap

local_cpw = "%{exec:/usr/local/sbin/freeipa-passwd '%{mschap:User-Name}' '%{MS-CHAP-New-Cleartext-Password}' '%{control:NT-Password}'}"

# policy.d

password_expiry {
# https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/doc/modules/mschap.rst
  # http://wiki.freeradius.org/config/run_time_variables
  if (&control:Tmp-String-9 < "%D%H%G00Z") {
    update control {
      &SMB-Account-Ctrl-Text := '[Ue]'
  } else {
    update control {
      &SMB-Account-Ctrl-Text := '[U]'

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to