Knock, knock. Who's there?

Last modified by Mitchell on 2022/01/26 02:51

One of the useful things about having a directory service is being able to authenticate users against a single account database. For networked equipment the standard way to do that is RADIUS, which services like VPNs and 802.1X wireless can then use. So how do you set one up?

Joining the domain

First off, start with a standard Alpine Linux system. Then install the packages needed to authenticate against an Active Directory domain:

$ apk add krb5 samba-common-tools samba-server samba-winbind-clients

In order to hook up RADIUS to Active Directory, the system must be joined to the domain. As on a domain controller, the Kerberos configuration file must be set up first; the realm is the DNS name of the domain in upper case:

/etc/krb5.conf
[libdefaults]
        default_realm = <domain>
        dns_lookup_realm = false
        dns_lookup_kdc = true

Then, Samba must be set up:

/etc/samba/smb.conf
[global]
        workgroup = <short domain>
        security = ADS
        realm = <domain>

        winbind refresh tickets = Yes
        vfs objects = acl_xattr
        map acl inherit = Yes
        store dos attributes = Yes

Followed by the domain join command, which prompts for the administrator's password:

$ net ads join -U administrator

Then, since we need winbind, add winbindd to the daemon list of the Samba service:

/etc/conf.d/samba
...
daemon_list="smbd nmbd winbindd"
...

At this point, you can start Samba and enable it at boot:

$ rc-service samba start
$ rc-update add samba

To check that Samba is working correctly, run a quick command to verify that the system can authenticate a domain user through winbind:

$ ntlm_auth --request-nt-key --domain=<domain> --username=<username>
Password:
NT_STATUS_OK: The operation completed successfully. (0x0)

FreeRADIUS

We need to install the FreeRADIUS packages first:

$ apk add freeradius freeradius-eap freeradius-utils

Alpine Linux doesn't ship a mandatory access control layer (SELinux, AppArmor) that would also need a policy change, so giving the radius group access to winbind's privileged socket directory is sufficient:

$ chgrp -R radius /var/lib/samba/winbindd_privileged
$ chmod g+s /var/lib/samba/winbindd_privileged

The setgid bit makes the socket that winbindd recreates in that directory inherit the radius group; leave the other permission bits at their default of 0750, which winbindd checks at startup.

Next up, follow the standard FreeRADIUS documentation to add a client (the NAS that will send requests, and its shared secret) in /etc/raddb/clients.conf. Then comes server identification. First off is generating the Diffie-Hellman parameters:

$ cd /etc/raddb/certs
$ openssl dhparam -out dh -2 2048

To go with this file, we need a TLS server certificate for the RADIUS server to identify itself. Put the certificate and its private key together in /etc/raddb/certs/server.pem, and the issuing CA's root certificate in /etc/raddb/certs/ca.pem. Supplicants doing PEAP should be configured to validate the server certificate against that CA (and to check the server name); a certificate they are told to accept blindly leaves them open to a rogue access point presenting any certificate at all.

After this, the Active Directory integration. Edit the two files in /etc/raddb/sites-enabled (default and inner-tunnel) and replace every instance of -eap with eap. The leading hyphen marks a module reference as optional, so FreeRADIUS would silently skip a missing EAP module instead of refusing to start; now that freeradius-eap is installed we want the hard reference. The authorize section should end up looking like this, hyphen gone:

/etc/raddb/sites-enabled/default
...
        eap {
                ok = return
                updated = return
        }
...

The EAP and MSCHAP modules then need to be adjusted: PEAP as the default EAP type, the certificate files from above, and ntlm_auth (which talks to winbind) as the back end for MS-CHAP:

/etc/raddb/mods-enabled/eap
...
eap {
        default_eap_type = peap
...
        tls-config tls-common {
                private_key_file = /etc/raddb/certs/server.pem
                certificate_file = /etc/raddb/certs/server.pem
                ca_file = /etc/raddb/certs/ca.pem
...
}

/etc/raddb/mods-enabled/mschap
...
mschap {
...
        ntlm_auth = "/usr/bin/ntlm_auth --allow-mschapv2 --request-nt-key --username=%{mschap:User-Name} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
...
}

You can then enable FreeRADIUS:

$ rc-service radiusd start
$ rc-update add radiusd

And test it against a domain account, being aware that your results may vary slightly. Use a throwaway test account, or make sure to remove the line from your shell history afterwards, since both the password and the RADIUS shared secret end up on the command line:

$ radtest -t mschap <username> <password> localhost 0 <RADIUS shared secret>
Sent Access-Request Id <number> from 0.0.0.0:<port> to 127.0.0.1:1812 length <number>
...
Received Access-Accept Id <number> from 127.0.0.1:1812 to 127.0.0.1:<port> length <number>
        MS-CHAP-MPPE-Keys = <hex string>
        MS-MPPE-Encryption-Policy = Encryption-Allowed
        MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
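For ongoing monitoring the same test can be scripted with radclient, which is what radtest wraps. The script below is an added example, not code from the original post or from FreeRADIUS: it sends one MS-CHAP Access-Request like radtest -t mschap does, but reads the password and shared secret from files instead of the command line, and turns the reply into an exit status. The host, account and file names are placeholders.

```shell
#!/bin/sh
# radius-check.sh: probe the RADIUS -> winbind -> AD path with one MS-CHAP
# request, the way radtest -t mschap does. Added example, not code from the
# original post or from FreeRADIUS. Assumes radclient (freeradius-utils) is
# on PATH; server, user and the two credential files are parameters.

# Classify radclient -x output: 0 = Access-Accept, 1 = Access-Reject,
# 2 = no reply (radclient gave up after the timeout) or anything else.
# A slow or hung ntlm_auth call shows up here as no reply within the
# timeout rather than as a reject, so 2 deserves as much attention as 1.
radius_result() {
    out=$1
    if printf '%s\n' "$out" | grep -q '^Received Access-Accept'; then
        return 0
    elif printf '%s\n' "$out" | grep -q '^Received Access-Reject'; then
        return 1
    fi
    return 2
}

# Send one MS-CHAP Access-Request. radclient turns MS-CHAP-Password into an
# MS-CHAP-Challenge/MS-CHAP-Response pair itself (as radtest relies on).
# The password and the shared secret come from files (keep them 0600) so
# neither appears in the shell history or in the process list; -S reads the
# secret from a file, and the attribute list goes in on stdin.
radius_mschap_probe() {
    server=$1 user=$2 passfile=$3 secretfile=$4
    password=$(cat "$passfile") || return 2
    out=$(printf 'User-Name = "%s"\nMS-CHAP-Password = "%s"\n' "$user" "$password" \
        | radclient -x -t 5 -r 1 -S "$secretfile" "$server" auth 2>&1)
    radius_result "$out"
}

# Usage: sh radius-check.sh <server[:port]> <user> <password-file> <secret-file>
main() {
    server=$1 user=$2
    radius_mschap_probe "$@"; rc=$?
    case $rc in
        0) echo "OK: Access-Accept for $user from $server" ;;
        1) echo "FAIL: Access-Reject for $user from $server" ;;
        *) echo "FAIL: no usable reply from $server within the timeout" ;;
    esac
    return $rc
}

if [ $# -eq 4 ]; then main "$@"; fi
```

Point it at localhost:1812 with the test account's password and the shared secret from clients.conf in two root-only files, and wire the exit status into whatever monitors the box; a reject after an AD password rotation or a timeout after a domain controller outage both show up without anyone having to re-run radtest by hand.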

If you need to debug FreeRADIUS, it often makes more sense to stop the daemon and run it in the foreground in debug mode, which prints every request and module result to the terminal:

$ rc-service radiusd stop
$ radiusd -X

Samba

If you didn't follow this blog post for setting up your Active Directory domain and Samba is your domain controller, you may also need to follow the hint on this page and add this setting to smb.conf on your domain controllers. It allows the NTLMv1-style responses that MS-CHAPv2 depends on while keeping plain NTLMv1 disabled:

/etc/samba/smb.conf
[global]
...
        ntlm auth = mschapv2-and-ntlmv2-only
...