On Sun, Dec 5, 2021 at 1:29 AM Ned Wilson <[email protected]> wrote:
> In our organization, we have an Active Directory domain, and a CentOS IdM
> subdomain at a remote site that has a two-way trust relationship with the
> master ID domain. Since this remote site is using a less-than-reliable
> internet connection, it was built this way so that we can ensure, with use
> of cached credentials, that authentication will be speedy to the end users.
> Furthermore, if and when the connection goes down, end users will
> experience no loss of functionality until the cached credentials expire.
>
> The IPA master is running CentOS Stream 9, and the trust relationship has
> been configured as follows:
>
> yum install ipa-server-trust-ad
> ipa-adtrust-install --netbios-name=CENTOSIDM --admin-name=admin --add-sids --add-agents --enable-compat
> ipa trust-add AD.MASTER --type=ad --admin=Administrator --server=pdc.ad.master --range-type=ipa-ad-trust-posix --all --raw --two-way=true
>
> There are file servers at this remote site that are using Samba. Users are
> able to authenticate to the Samba servers with either AD or IPA
> credentials. On the client side, this is accomplished using first
> ipa-client-install, followed by ipa-client-samba.
>
> The one requirement that has yet to be satisfied here is VPN access for
> those users at the remote site. In my read of the FreeRADIUS documentation,
> PEAP-MSCHAP-v2 authentication will only work if you either use the
> ntlm_auth binary, or have a version of FreeRADIUS that was built with
> support for direct linking to the winbind libraries.
>
> Since these machines are all either IPA masters or IPA clients, I have not
> messed with the Samba configs much. Everything is running Samba 4.14, which
> mandates the use of winbind, but they are all using sss as a backend for
> idmap. This works well enough for file sharing, but FreeRADIUS just will
> not have it.
>
> I should confess - I'm not too familiar with the eccentricities of
> winbind. In this instance, I'm just not sure how to configure it (or not)
> in such a way as to get FreeRADIUS to successfully authenticate a user from
> a trusted domain, with ntlm_auth.
>
> It also seems, from reading the FreeRADIUS documentation, that SSSD is
> just not supported as a backend, or at least, not directly. I was able to
> get both krb5 and pam to work, but these require passwords to be sent in
> clear text. I need some way to deal with MSCHAP-v2 authentication.
>
> It had occurred to me that I could find an older source RPM for
> sssd-libwinbind and sssd-libwinbind-devel, compile those, and then build a
> version of FreeRADIUS from source that is linked against those libraries.
> However, since sssd-libwinbind was removed from the sssd GitHub project,
> and support has been removed from RHEL8 at this point, I was a little
> worried about going forward with this.
>
Hi,

sssd-libwbclient was an "alternative" for winbind. It's not compatible with modern versions of Samba. Or do you mean to keep smbd running with winbind and to use sssd-libwbclient only for FreeRADIUS? I'm not sure if the API is still compatible and if sssd-libwbclient implements everything required by FreeRADIUS.
_______________________________________________
sssd-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
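Why the krb5 and pam backends cannot serve PEAP-MSCHAPv2, and why the thread keeps coming back to ntlm_auth and winbind, is visible in the MS-CHAPv2 arithmetic itself. The following is an added worked example in Go; it is not code from the thread, from FreeRADIUS or from Samba. It computes the NT-Response the way a client does and verifies it the way an authenticator must, using the published test vectors from RFC 2759 section 9.2. The NT hash is taken as input (it is MD4 over the UTF-16LE password, which this example does not implement), the function names are this example's own, and the domain name "EXAMPLE" passed to ntlmAuthArgs is a placeholder, not a name from the thread.

```go
package main

import (
	"crypto/des"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"strings"
)

// Published test vectors from RFC 2759 section 9.2 (not constructed here).
// tvNTHash is MD4(UTF-16LE("clientPass")); MD4 itself is left out of this example.
var (
	tvUserName      = "User"
	tvNTHash        = mustHex("44EBBA8D5312B8D611474411F56989AE")
	tvAuthChallenge = mustHex("5B5D7C7D7B3F2F3E3C2C602132262628")
	tvPeerChallenge = mustHex("21402324255E262A28295F2B3A337C7E")
	tvNTResponse    = mustHex("82309ECD8D708B5EA08FAA3981CD83544233114A3D85D6DF")
)

func mustHex(s string) []byte {
	b, err := hex.DecodeString(s)
	if err != nil {
		panic(err)
	}
	return b
}

// challengeHash folds the peer challenge, the authenticator challenge and the
// user name into the 8-byte DES challenge (RFC 2759 section 8.2).
func challengeHash(peerChallenge, authChallenge []byte, userName string) []byte {
	h := sha1.New()
	h.Write(peerChallenge)
	h.Write(authChallenge)
	h.Write([]byte(userName))
	return h.Sum(nil)[:8]
}

// desKey spreads 56 key bits over 8 bytes, leaving each byte's parity bit
// clear (Go's crypto/des ignores parity).
func desKey(k7 []byte) []byte {
	var bits uint64
	for _, b := range k7 {
		bits = bits<<8 | uint64(b)
	}
	key := make([]byte, 8)
	for i := range key {
		key[i] = byte(bits>>(49-7*uint(i))&0x7f) << 1
	}
	return key
}

// challengeResponse is the 24-byte NT-Response (RFC 2759 section 8.5): the NT
// hash padded with five zero bytes gives three 7-byte DES keys, each of which
// encrypts the 8-byte challenge.
func challengeResponse(challenge, ntHash []byte) []byte {
	z := make([]byte, 21)
	copy(z, ntHash)
	out := make([]byte, 24)
	for i := 0; i < 3; i++ {
		block, err := des.NewCipher(desKey(z[7*i : 7*i+7]))
		if err != nil {
			panic(err)
		}
		block.Encrypt(out[8*i:8*i+8], challenge)
	}
	return out
}

// verifyNTResponse is the authenticator's check. Only a party holding the NT
// hash, or one that can ask the DC for a verdict (which is what ntlm_auth does
// through winbind), can perform it; a PAM or Kerberos check that needs the
// plaintext password has nothing to compare the response against.
func verifyNTResponse(ntHash, peerChallenge, authChallenge []byte, userName string, ntResponse []byte) bool {
	want := challengeResponse(challengeHash(peerChallenge, authChallenge, userName), ntHash)
	return subtle.ConstantTimeCompare(want, ntResponse) == 1
}

// ntlmAuthArgs builds the ntlm_auth invocation in the shape the FreeRADIUS mschap
// module uses: the 8-byte challenge hash and the 24-byte NT-Response, both hex.
// --allow-mschapv2 is needed on Samba builds where NTLMv1 is disabled.
func ntlmAuthArgs(domain, userName string, challenge, ntResponse []byte) []string {
	return []string{"ntlm_auth", "--request-nt-key", "--allow-mschapv2",
		"--domain=" + domain, "--username=" + userName,
		"--challenge=" + hex.EncodeToString(challenge),
		"--nt-response=" + hex.EncodeToString(ntResponse)}
}

func main() {
	c := challengeHash(tvPeerChallenge, tvAuthChallenge, tvUserName)
	r := challengeResponse(c, tvNTHash)
	fmt.Printf("challenge   %X\nNT-Response %X\n", c, r)
	fmt.Println("verifies:", verifyNTResponse(tvNTHash, tvPeerChallenge, tvAuthChallenge, tvUserName, tvNTResponse))
	fmt.Println(strings.Join(ntlmAuthArgs("EXAMPLE", tvUserName, c, r), " "))
}
```

Run it with go run; the challenge and NT-Response it prints are the RFC's D02E4386BCE91226 and 82309ECD...D6DF. In rlm_mschap the same two values are what `%{mschap:Challenge}` and `%{mschap:NT-Response}` expand to on the ntlm_auth line, so the RADIUS server never needs the password, only a winbindd that can relay the challenge/response pair to a DC of the user's domain. Two practitioner caveats that the thread does not spell out: ntlm_auth's `--allow-mschapv2` flag and the matching smb.conf setting `ntlm auth = mschapv2-and-ntlmv2-only` exist only on newer Samba releases (check ntlm_auth(1) and smb.conf(5) on the 4.14 hosts in question), and `idmap config ... : backend = sss` only covers ID mapping, so whether winbindd on an IPA-enrolled client can also answer NTLM pass-through for a trusted AD domain is exactly the question the reply leaves open.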
