In our organization, we have an Active Directory domain, and a CentOS IdM 
subdomain at a remote site that has a two-way trust relationship with the 
master ID domain. Since this remote site is using a less-than-reliable internet 
connection, it was built this way so that we can ensure, with use of cached 
credentials, that authentication will be speedy to the end users. Furthermore, 
if and when the connection goes down, end users will experience no loss of 
functionality until the cached credentials expire.

The IPA master is running CentOS Stream 9, and the trust relationship has been 
configured as follows:

    yum install ipa-server-trust-ad
    ipa-adtrust-install --netbios-name=CENTOSIDM --admin-name=admin --add-sids --add-agents --enable-compat
    ipa trust-add AD.MASTER --type=ad --admin=Administrator --server=pdc.ad.master --range-type=ipa-ad-trust-posix --all --raw --two-way=true

There are file servers at this remote site that are using Samba. Users are able 
to authenticate to the Samba servers with either AD or IPA credentials. On the 
client side, this is accomplished using first ipa-client-install, followed by 
ipa-client-samba.

The one requirement that has yet to be satisfied here is VPN access for those 
users at the remote site. In my read of the FreeRADIUS documentation, 
PEAP-MSCHAP-v2 authentication will only work if you either use the ntlm_auth 
binary, or have a version of FreeRADIUS that was built with support for direct 
linking to the winbind libraries.

Since these machines are all either IPA masters or IPA clients, I have not 
messed with the Samba configs much. Everything is running Samba 4.14, which 
mandates the use of winbind, but they are all using sss as a backend for idmap. 
This works well enough for file sharing, but FreeRADIUS just will not have it.

I should confess - I'm not too familiar with the eccentricities of winbind. In 
this instance, I'm just not sure how to configure it (or not) in such a way 
as to get FreeRADIUS to successfully authenticate a user from a trusted domain 
with ntlm_auth.

It also seems, from reading the FreeRADIUS documentation, that SSSD is just not 
supported as a backend, or at least, not directly. I was able to get both krb5 
and pam to work, but these require passwords to be sent in clear text. I need 
some way to deal with MSCHAP-v2 authentication.

It had occurred to me that I could find an older source RPM for sssd-libwinbind 
and sssd-libwinbind-devel, compile those, and then build a version of 
FreeRADIUS from source that is linked against those libraries. However, since 
sssd-libwinbind was removed from the sssd GitHub project, and support has been 
removed from RHEL8 at this point, I was a little worried about going forward 
with this.

Any ideas?
_______________________________________________
sssd-users mailing list -- [email protected]
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]
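Added example, not part of the original message or of any reply to it: the
FreeRADIUS 3 mods-available/mschap stanza that hands MS-CHAPv2 verification to
the ntlm_auth binary, which asks winbindd to check the challenge/response
against the trusted domain's NT hash instead of needing a cleartext password.
The binary path /usr/bin/ntlm_auth and the use of the post's AD.MASTER as the
fallback domain are assumptions; adjust both to the site.

```text
mschap {
    # MPPE keys are what the VPN concentrator needs after a PEAP-MSCHAPv2 success
    use_mppe = yes
    require_encryption = yes
    require_strong = yes

    # Strip a DOMAIN\ prefix so the AD username is looked up correctly
    with_ntdomain_hack = yes

    # --request-nt-key returns the key material FreeRADIUS needs for MPPE.
    # --allow-mschapv2 is required by recent Samba ntlm_auth (4.10 and later,
    # so it applies to the Samba 4.14 hosts described in the post); without
    # it ntlm_auth refuses MS-CHAPv2 requests outright.
    # %{mschap:NT-Domain} is the domain the client sent; when the client sent
    # none, fall back to the trusted AD domain (assumed: AD.MASTER).
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --allow-mschapv2 --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --domain=%{%{mschap:NT-Domain}:-AD.MASTER} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
}
```

Two operational checks worth doing before pointing a VPN at this: first, run
the same ntlm_auth command by hand as the radiusd user with a test account
from the trusted domain, since that isolates winbind problems from FreeRADIUS
problems; second, confirm the radiusd user is in the group that owns
/var/lib/samba/winbindd_privileged (wbpriv on RHEL-family systems), because
ntlm_auth's --request-nt-key path goes through winbindd's privileged pipe and
fails with a permission error otherwise. Neither check changes the SSSD/idmap
question raised in the post; it only tells you whether winbindd can reach the
trusted domain's domain controllers for NTLM pass-through at all.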