Linux – Machine account authentication on Radius server

active-directorylinuxradius

My workstation is under Linux. I have an Active Directory domain controller + Radius server on Windows 2008.
I can verify user account 'radius-01' using 'radtest' tool:

    $ radtest -t pap radius-01 password123 195.234.133.32 1812 password123
    Sending Access-Request of id 98 to 195.234.73.2 port 1812
            User-Name = "radius-01"
            User-Password = "password123"
            NAS-IP-Address = 127.0.1.1
            NAS-Port = 1812
    rad_recv: Access-Accept packet from host 195.234.133.32 port 1812, id=98, length=84
            Framed-MTU = 1344
            Framed-Protocol = PPP
            Service-Type = Framed-User
            Class = 0x537004f00000013700010200ac1c0...

I have joined my Linux PC to Active Directory domain ARB-HRK using Samba:

    [root@shev-arb]# net ads testjoin
    Join is OK

I can dump machine password:

    [root@shev-arb]# tdbdump /var/lib/samba/private/secrets.tdb
    {
    key(34) = "SECRETS/MACHINE_PASSWORD/ARB-HRK"
    data(15) = "yGgXJsquRnpT0g\00"
    }

How can i authenticate my machine account on Radius server?

Do anybody know any tools for this, like:

    radtest   shev-arb$ yGgXJsquRnpT0g 195.234.133.32 1812 password123

(this command fails)

Best Answer

In a Windows Domain, Machine Authentication using machine secret is disabled by default for legacy systems that use MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 as authentication method such as the cases with IKEV1 PAP. In such cases you might encounter DPC Authentication fails at the NPS with error 0xc0000199 (NO_LOGON_WORKSTATION_TRUST_ACCOUNT).

To enable machine authentication for a specific computer account. Do the following:

Edit the UserAccountControl attribute such that WORKSTATION_TRUST_ACCOUNT should be removed and NORMAL_ACCOUNT should be added to the value.
If the existing value of the UserAccountControl is x then compute update the value to (x-4096+512) to make machine authentication work.

Follow the instruction given in this KB article: http://support.microsoft.com/kb/305144 or:

Run adsiedit.msc on the domain controller
Expand the tree and Select the Computer Leaf, it will be displayed as CN=Hostname
Right click and select Properties
In the properties window select the userAccountControl attribute. Double click to edit.
update the number by deducting 3584 from the existing value.
Press OK to close the edit and OK to close the properties Dialog.

Revert to normal setting once the testing is complete.

radtest -t mschap  'host/shev-arb.arb-hrk.net' yGgXJsquRnpT0g 195.234.133.32 1812 password123
Sending Access-Request of id 139 to 195.234.133.32 port 1812
...
rad_recv: Access-Accept packet from host 195.234.133.32 port 1812, id=139, length=142
...

Related Solutions

Samba – Extracting the machine account domain password from the registry

It is possible to dump the hashes from a Windows system and import them into Samba. The process is explained here http://ppp.samba.org/samba/ftp/pwdump/README. However do consider the IT department might not be happy with you doing such things and there is no guarante that it will work for what your trying to do.

Samba – Linux authentication via ADS — allowing only specific groups in PAM

Disclaimer: You probably shouldn't try to require_membership_of for root. Is there ever a case where root should not be able to login? You risk not being able to repair this machine without rebooting into single mode if something goes wrong (like its network going down).

I'll answer anyway.

TL;DR: If you want to enforce membership even for local users (root included), replace the first sufficient with a requisite.

require_membership_of is only used in pam_winbind.c in pam_sm_chauthtok (involved in the management group password) and pam_sm_authenticate (involved in the management group auth).

So if a user does not have the membership you require, the PAM step that will fail looks like:

auth [...] pam_winbind.so [...]

You do have one, but it's marked as sufficient:

auth sufficient pam_winbind.so

So if it fails, PAM will keep going through its chain. Next stop:

auth sufficient pam_unix.so nullok try_first_pass

This one will succeed, if getent passwd root returns a valid user, getent shadow root (ran as root) returns a valid encrypted password, and the password entered by the user matches.

I won't walk you through the rest, but nothing else will prevent root from logging in.

I would refer you to pam.d(5) for more information about the general PAM configuration mechanism, pam_unix(8) & co for the various modules.

Best Answer

Related Solutions

Samba – Extracting the machine account domain password from the registry

Samba – Linux authentication via ADS — allowing only specific groups in PAM

Related Topic