Comment 7 for bug 623342

Stefano Rivera (stefanor) wrote :

SRU Test Case [Provided by Craig Balfour]:

Install Software
----------------
apt-get install samba winbind krb5-user freeradius

Configure Kerberos
------------------

Edit /etc/krb5.conf:
[realms]

EXAMPLE.CO.ZA = {
        kdc = server1.example.co.za
        kdc = server2.example.co.za
        admin_server = server1.example.co.za
}

[domain_realm]
        .example.co.za = EXAMPLE.CO.ZA
        example.co.za = EXAMPLE.CO.ZA

Configure Samba
---------------

Edit /etc/samba/smb.conf:

workgroup = EXAMPLE
security = ads
realm = EXAMPLE.CO.ZA

Join Samba to Active Directory Domain
-------------------------------------

net join -U Administrator

service winbind restart
service smbd restart

Configure freeradius
--------------------

Edit /etc/freeradius/modules/mschap:

ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-EXAMPLE} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"

addgroup freerad winbindd_priv

service freeradius restart

Install and Configure rad_eap_test
----------------------------------
apt-get install libssl-dev

Download http://hostap.epitest.fi/releases/wpa_supplicant-0.7.3.tar.gz
tar zxvof wpa_supplicant-0.7.3.tar.gz
cd wpa_supplicant-0.7.3/wpa_supplicant

Create .config:
CONFIG_IEEE8021X_EAPOL=y
CONFIG_EAP_MSCHAPV2=y
CONFIG_EAP_TLS=y
CONFIG_EAP_PEAP=y
CONFIG_EAP_TTLS=y
CONFIG_EAP_LEAP=y
CONFIG_IEEE8021X=y

make eapol_test

Download http://wiki.eduroam.cz/rad_eap_test/rad_eap_test-0.23.tar.bz2
tar jxvof rad_eap_test-0.23.tar.bz2
cd rad_eap_test-0.23
cp ../wpa_supplicant-0.7.3/wpa_supplicant/eapol_test bin/

./rad_eap_test -H localhost -P 1812 -S testing123 -u fred -p password -m WPA-EAP -e PEAP

With the faulty version of Samba, the test returns:
access-reject; 1
With the fixed version of Samba, the test returns:
access-accept; 0

References:

1. http://deployingradius.com/documents/configuration/active_directory.html
2. http://marcel.bl2000.org/?p=242
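
Before an `access-reject; 1` result is attributed to the Samba package under test, a mismatch between the three edited files can be ruled out. The script below is an added example, not part of the original comment or of Samba, freeradius or rad_eap_test. The function names and the constructed sample files are assumptions, and the parsing is simplified (exact lower-case key names, no include files).

```shell
#!/bin/sh
# Added example: consistency check for the three files edited in the test case.
# Function names and the temp-file layout are assumptions of this example.

smb_get() {   # smb_get KEY FILE: print value of the last "KEY = value" line
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" | tail -n 1
}

krb_has_realm() {   # krb_has_realm REALM FILE: is a "REALM = {" block present?
    awk -v r="$1" '$1 == r && $2 == "=" && $3 == "{" { f = 1 } END { exit !f }' "$2"
}

mschap_default_domain() {   # fallback domain in the ntlm_auth --domain argument
    sed -n 's/.*--domain=%{%{mschap:NT-Domain}:-\([^}]*\)}.*/\1/p' "$1"
}

preflight() {   # preflight SMB_CONF KRB5_CONF MSCHAP_FILE: returns 0 if consistent
    rc=0
    [ "$(smb_get security "$1")" = "ads" ] || { echo "security is not ads"; rc=1; }
    realm=$(smb_get realm "$1")
    krb_has_realm "$realm" "$2" || { echo "realm '$realm' not in krb5.conf"; rc=1; }
    [ "$(smb_get workgroup "$1")" = "$(mschap_default_domain "$3")" ] ||
        { echo "workgroup differs from ntlm_auth default domain"; rc=1; }
    return $rc
}

# Constructed sample files mirroring the settings in the test case.
d=$(mktemp -d)
printf 'workgroup = EXAMPLE\nsecurity = ads\nrealm = EXAMPLE.CO.ZA\n' > "$d/smb.conf"
printf '[realms]\nEXAMPLE.CO.ZA = {\n\tkdc = server1.example.co.za\n}\n' > "$d/krb5.conf"
printf '%s\n' 'ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{%{mschap:NT-Domain}:-EXAMPLE} --challenge=%{mschap:Challenge:-00}"' > "$d/mschap"
preflight "$d/smb.conf" "$d/krb5.conf" "$d/mschap" && echo "configuration consistent"
```

On a real system the three arguments would be /etc/samba/smb.conf, /etc/krb5.conf and /etc/freeradius/modules/mschap.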