www.zeroshell.org Forum Index www.zeroshell.org
Linux Distribution for server and embedded devices
Authenticating with Active Directory (Kerberos 5)

Robert



Joined: 31 Aug 2007
Posts: 3

Posted: Tue Sep 04, 2007 2:34 pm    Post subject: Authenticating with Active Directory (Kerberos 5)

Hi

Ripping my hair out here.

Has anyone managed to get Zeroshell to authenticate with their Active Directory domain, and could give me some pointers? We have hundreds of users and I want them to be able to use their AD account to let them through the Zeroshell portal.

I have set up the trust between Zeroshell and the AD Domain, that seems to be fine.

I'm not quite sure of the next bit, the Kerberos Principal: do I create a new account in AD that matches one from the Zeroshell realm?

Any help would be really appreciated.
fulvio
Site Admin


Joined: 01 Nov 2006
Posts: 1069

Posted: Sun Sep 09, 2007 6:24 am

The easiest way to get the Captive Portal working to authenticate the users of a Microsoft Active Directory domain is to add the domain as an "External Kerberos 5 Realm".
In this manner, you do not have to add the shared Kerberos keys to establish the trust relationship.
In any case, whether you configure an "External Kerberos 5 Realm" or a "Trusted Kerberos 5 Realm", you don't need to create the user principals in Zeroshell's Kerberos KDC.

Don't forget that Zeroshell must be able to locate the Active Directory Kerberos 5 KDC. In order to make this possible, you just have to add, in the section [Kerberos 5]->[Realms], the Active Directory realm and the IP or FQDN hostname of at least one of the Active Directory domain controllers (any domain controller runs a Kerberos KDC). This step is not needed if the DNS is correctly configured and you have set the option "Use the DNS to discovery Realms and KDC servers not " to yes in the [Kerberos 5]->[Realms] section. In this case, Zeroshell uses the SRV service locator resource, automatically configured in the Active Directory's DNS, to get the KDC's IP address.

Best Regards
Fulvio Ricciardi
Robert



Joined: 31 Aug 2007
Posts: 3

Posted: Wed Sep 12, 2007 9:00 am

Thanks for your help Fulvio

I got it working. I was actually setting it up right with regard to Kerberos, but had a couple of network issues.

Resolved now and working great.

Thanks for this software !
zabulus



Joined: 06 Oct 2007
Posts: 4

Posted: Sat Oct 06, 2007 12:47 am

Hi,
How do I add an "External Kerberos 5 Realm" from the Zeroshell administration page? By default Zeroshell adds local authentication.
Thanks in advance.
zabulus
fulvio
Site Admin


Joined: 01 Nov 2006
Posts: 1069

Posted: Sat Oct 06, 2007 10:43 am

From the section [Captive Portal]->[Authentication], you should click on the button [+] in the Authorized Domains frame. In the form that appears, type the domain name and select the flag "External Kerberos 5 Realm". Don't forget to configure the realm in the section [Kerberos 5]->[Realms] or, if you prefer, enable the DNS discovery of the Kerberos V realms.

Regards
Fulvio
zabulus



Joined: 06 Oct 2007
Posts: 4

Posted: Mon Oct 08, 2007 7:16 pm

OK, "solved" the problem.

Works perfectly thank you!
tcorley



Joined: 20 Oct 2007
Posts: 1

Posted: Sat Oct 20, 2007 9:39 am

Not sure I have much to add here. I administer an AD2000 network and wanted to get Zeroshell to authenticate from Kerberos. I created slave zones of the forward and reverse parts of the AD DNS servers on the local DNS server, and then set the Kerberos domain. It works rather well, except that it gives everyone with an account on the AD access to the wireless LAN, something which at times I don't want.

If you have Active Directory, then each server is also a RADIUS server. With version beta6 you can create a proxy RADIUS server entry under Radius and then use it as a database against which to authenticate your users. The advantage in AD2000 is that you can restrict those with access to your wireless LAN by membership of a user group.

My only problem is that users had been told to login using the username@example.com form of their username, which works fine with Kerberos, but not with RADIUS, which prefers username. I switched back to Kerberos because a lot of our users were not getting thru using RADIUS. Just a matter of user education...

I have to say that ZeroShell is a wonderful piece of software, that does what NoCat does in a far more effective way. Support for MAC address bypass, and opening pre-auth ports for those wanting to use our proxy servers, has made a major difference, and the take-up on our WLAN has been much better this year. It also supports no-NAT routing, which is quite important for network access, as well as auditing Internet usage.
fulvio
Site Admin


Joined: 01 Nov 2006
Posts: 1069

Posted: Sun Oct 21, 2007 7:00 am

Quote:

My only problem is that users had been told to login using the username@example.com form of their username, which works fine with Kerberos, but not with radius, which prefers username. I switched back to Kerberos because a lot of our users were not getting thru using radius. Just a matter of user education...


You can solve this in the following manner:

1) When you add the proxy RADIUS domain you should disable the No Strip flag. In this mode the FreeRADIUS configured in Zeroshell automatically strips the @domain from the username and sends the request to the IAS of Active Directory.

2) If you want the form of the username without @domain to work as well, you have to set your RADIUS domain as the Default domain (select it and press the [D] button).

Regards
Fulvio
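To make the two settings in Fulvio's reply concrete, here is an added illustration (not Zeroshell's or FreeRADIUS's own code) of how a proxy decides what username to forward for a login: the No Strip flag per authorized domain and the Default domain for bare usernames. The domain table and default are constructed placeholders.

```python
from typing import Dict, Optional, Tuple

# Constructed Authorized Domains table (placeholder names): domain -> No Strip flag.
CONSTRUCTED_DOMAINS: Dict[str, Dict[str, bool]] = {
    "example.com": {"nostrip": False},  # strip "@example.com" before proxying to AD IAS
    "partner.net": {"nostrip": True},   # forward the full user@partner.net unchanged
}
DEFAULT_DOMAIN = "example.com"          # the domain marked with the [D] button


def proxy_identity(login: str,
                   domains: Dict[str, Dict[str, bool]] = CONSTRUCTED_DOMAINS,
                   default: Optional[str] = DEFAULT_DOMAIN) -> Optional[Tuple[str, str]]:
    """Return (username forwarded to the proxied RADIUS server, domain that picked
    the proxy), or None when the login cannot be routed to any authorized domain.

    Mirrors the behaviour described in the thread:
    - user@domain with No Strip disabled -> the bare user is forwarded;
    - user@domain with No Strip enabled  -> user@domain is forwarded as typed;
    - bare user -> only routable when a Default domain is configured.
    """
    if "@" in login:
        user, _, dom = login.rpartition("@")
        dom = dom.lower()                      # realm matching is case-insensitive
        if not user or dom not in domains:
            return None                        # unknown realm or empty user: rejected
        forwarded = login if domains[dom]["nostrip"] else user
        return forwarded, dom
    if default is None:
        return None                            # no Default domain: bare names fail
    return login, default


if __name__ == "__main__":
    for name in ("alice@example.com", "bob@partner.net", "carol", "dave@evil.org"):
        print(f"{name:20} -> {proxy_identity(name)}")
```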
asylum



Joined: 13 Apr 2011
Posts: 3

Posted: Wed Apr 13, 2011 7:41 am

Hi fulvio,

I've tried ZeroShell and played with it for almost 3 months now. My setup was 2 NICs, bridged, behind a router (my intention in using Zeroshell was just for wifi clients), and I'm new to this forum :)

My question is: I want all clients to be authenticated through AD before they can use the internet, so I've been reading through this post and tried to follow it, but I couldn't make it work; I was stuck at Kerberos 5 External.

Could you give me any solution for this?

Also one more thing: how could I split the wifi clients off so they cannot access my local resources?

Any help would be much appreciated.

Thank you.
fulvio
Site Admin


Joined: 01 Nov 2006
Posts: 1069

Posted: Wed Apr 13, 2011 7:44 pm

Every Microsoft Active Directory domain controller acts as a Kerberos 5 KDC for user and service authentication. Therefore you just have to:

1) Configure Zeroshell to contact at least one domain controller for the authentication by adding the Kerberos 5 realm (it's the same as the AD domain) and the IP of the server in the section [Kerberos 5][Realms]

2) Add in [Captive Portal][Authentication] the AD Domain as [Authorized Domains] using an external Kerberos 5 KDC

Notice that the first step is unnecessary if you use DNS KDC auto discovery.
This is also easy to achieve because every domain controller is an authoritative DNS server for the AD domain. Hence you just have to add at least one domain controller as a DNS forwarder of Zeroshell (section [DNS][Forwarders]). In the section [Kerberos 5][Realm] set "Use the DNS to discovery Realms and KDC servers not configured" to yes.

Regards
Fulvio Ricciardi
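Both of Fulvio's replies above describe the two ways Zeroshell can find the KDC: a statically listed domain controller under [Kerberos 5][Realms], or DNS discovery through the `_kerberos` SRV records that Active Directory publishes for every domain controller. The following is an added illustration (not Zeroshell's code) of that lookup and of the RFC 2782 ordering applied to the answers; the zone contents and host names are constructed placeholders.

```python
import random
from typing import Dict, List, Optional, Tuple

SrvRecord = Tuple[int, int, int, str]  # (priority, weight, port, target)

# Constructed stand-in for the AD DNS zone: every DC publishes a _kerberos SRV record.
CONSTRUCTED_ZONE: Dict[str, List[SrvRecord]] = {
    "_kerberos._udp.example.local.": [
        (0, 100, 88, "dc1.example.local."),
        (0, 0, 88, "dc2.example.local."),   # weight 0: only chosen when nothing else is left
        (10, 100, 88, "dc3.example.local."),  # higher priority value = backup
    ],
}


def srv_name(realm: str, proto: str = "udp") -> str:
    """Kerberos realm EXAMPLE.LOCAL -> owner name _kerberos._udp.example.local.
    An AD realm is the DNS domain name in upper case; the SRV name uses the DNS form."""
    return f"_kerberos._{proto}.{realm.lower().rstrip('.')}."


def order_srv(records: List[SrvRecord], rng: random.Random) -> List[Tuple[str, int]]:
    """RFC 2782 client ordering: lowest priority first; within a priority, targets
    are drawn with probability proportional to weight until the group is exhausted."""
    ordered: List[Tuple[str, int]] = []
    by_prio: Dict[int, List[SrvRecord]] = {}
    for rec in records:
        by_prio.setdefault(rec[0], []).append(rec)
    for prio in sorted(by_prio):
        pool = sorted(by_prio[prio], key=lambda r: r[1] != 0)  # weight-0 entries first
        while pool:
            threshold = rng.randint(0, sum(r[1] for r in pool))
            running = 0
            for rec in pool:
                running += rec[1]
                if running >= threshold:        # first record whose running sum reaches it
                    ordered.append((rec[3], rec[2]))
                    pool.remove(rec)
                    break
    return ordered


def discover_kdcs(realm: str, static_kdcs: List[str], use_dns: bool,
                  zone: Dict[str, List[SrvRecord]] = CONSTRUCTED_ZONE,
                  seed: Optional[int] = None) -> List[Tuple[str, int]]:
    """Statically configured KDCs win; otherwise fall back to SRV discovery only when
    the 'Use the DNS to discovery Realms and KDC servers not configured' option is on."""
    if static_kdcs:
        return [(host, 88) for host in static_kdcs]
    if not use_dns:
        return []
    return order_srv(zone.get(srv_name(realm), []), random.Random(seed))
```

With a real resolver the same `srv_name()` is what you would query (for example with `dig SRV`) against the domain controller you added as a DNS forwarder, which is a quick way to confirm that auto discovery can work before disabling the static entry.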
asylum



Joined: 13 Apr 2011
Posts: 3

Posted: Wed Apr 13, 2011 11:12 pm

Hi Fulvio,

Thanks for your response.
I did try what you told me, but I don't know why it is still not "talking" to AD. What I did:
- Kerberos 5 -> Realms -> my domain realm (mydomain.com.au) + KDC my domain IP address.
- Captive Portal -> Authentication -> Authorized Domain -> MyDomain.com.au

Those settings don't work, and I even tried to put the MyDomain.com.au IP address in DNS as a master zone and forwarder (not sure I did this section right).

I did try to check using DNS Lookup and it does find the server.

Thank you.
piyushagrawal



Joined: 06 Mar 2012
Posts: 1

Posted: Tue Mar 06, 2012 12:04 pm    Post subject: hi

The two types of authentication are Mutual Authentication and NTLM. Mutual Authentication requires both the server and the client to identify them. NTLM only requires the client to be validated by the server.

Two types of authentication are Mutual Authentication and NTLM Authentication.

Mutual Authentication

Mutual Authentication is a security feature in which a client process must prove its identity to a server, and the server must prove its identity to the client, before any application traffic is sent over the client-to-server connection. Identity can be proved through a trusted third party and use shared secrets, as in Kerberos v5, or through cryptographic means, as with a public key infrastructure.

NTLM

NTLM authentication supports three methods of challenge/response authentication:

LAN Manager (LM)
This is the least secure form of challenge/response authentication. It is available so that computers running Windows 2000 or later can connect in share level security mode to file shares on computers running Microsoft Windows for Workgroups, Windows 95, or Windows 98.
NTLM version 1
This is more secure than LM challenge/response authentication. It is available so that clients running Windows 2000 or later can connect to servers in a Windows NT domain that has at least one domain controller that is running Windows NT 4.0 Service Pack 3 or earlier.
NTLM version 2
This is the most secure form of challenge/response authentication. It is used when clients running Windows 2000 or later connect to servers in a Windows NT domain where all domain controllers have been upgraded to Windows NT 4.0 Service Pack 4 or later. It is also used when clients running Windows 2000 or later connect to servers running Windows NT in an Active Directory domain.
jwonnacott



Joined: 11 Aug 2011
Posts: 4

Posted: Thu Jul 04, 2013 6:20 am

I'm probably being a bit thick here, but I already have my realm in the list of realms as I added it when creating the profile; however it has the KDC as local and I cannot alter this, neither can I remove the realm.
amirzargaran



Joined: 30 Dec 2013
Posts: 3

Posted: Thu Nov 06, 2014 8:48 am

Dear Fulvio
I set this feature up on my server and it works very nicely, but when the clients authenticate with the Kerberos 5 realm, the redirection to the target does not work.
In the popup window I can see the user authenticated and connected, but the client has no connection to the network and the internet.
Is there any problem in the settings?