HowTo: add radius module with mschap support to zentyal 4.0, 4.2, 5.0, 5.1

julio

Open a terminal window and "copy & paste" the following commands:

changes:
09.14.15 - winbind package added to dependency
                change UID attribute to sAMAccountName in ldap.mas, credits to jbahillo, thx!
10.23.15 - fixed LDAP group filter
11.05.15 - added double quotes to group in user.mas
                fixed patch versions
11.14.15 - startup script changes, fixed ntlm_auth permissions
                re-set the permissions on existing certificates
06.11.16 - extended "LogHelper.pm" parsing function,
                with mac address format: "aabbccddeeff"
06.12.16 - extended "LogHelper.pm" parsing function,
                change mac address format to uppercase format               
03.04.17 - Adapted to 5.0,
                changed service handling to systemd
09.07.17 - Adapted zentyal 5.0 version to use Samba 4.5 NTLMv1 authentication instead of default NTLMv2
09.04.18 - Adapted to 5.1
05.09.18 - Fixed typo in 5.1

zentyal 4.0:
Code:
sudo apt-get install -y zbuildtools build-essential fakeroot dpkg-dev
cd /tmp
wget 'http://archive.zentyal.org/zentyal/pool/main/z/zentyal-radius/zentyal-radius_3.5.1.tar.gz' -O zentyal-radius_3.5.1.tar.gz
tar -xf zentyal-radius_3.5.1.tar.gz
mv zentyal-radius_3.5.1 zentyal-radius-4.0
wget 'https://drive.google.com/uc?export=download&id=0B4_d-7xL0AS_VER4RkJRU1FQNEk' -O zentyal-radius-4.0.patch
patch -t -p1 -i zentyal-radius-4.0.patch
cd zentyal-radius-4.0
dpkg-buildpackage -rfakeroot -b -tc
cd ..
sudo apt-get install -y ./zentyal-radius_4.0_all.deb
sudo service zentyal webadmin restart

zentyal 4.2:
Code:
sudo apt-get install -y zbuildtools build-essential fakeroot dpkg-dev
cd /tmp
wget 'http://archive.zentyal.org/zentyal/pool/main/z/zentyal-radius/zentyal-radius_3.5.1.tar.gz' -O zentyal-radius_3.5.1.tar.gz
tar -xf zentyal-radius_3.5.1.tar.gz
mv zentyal-radius_3.5.1 zentyal-radius-4.2
wget 'https://drive.google.com/uc?export=download&id=0B4_d-7xL0AS_MWRMOS10Y2c1S2s' -O zentyal-radius-4.2.patch
patch -t -p1 -i zentyal-radius-4.2.patch
cd zentyal-radius-4.2
dpkg-buildpackage -rfakeroot -b -tc
cd ..
sudo apt-get install -y ./zentyal-radius_4.2_all.deb
sudo service zentyal webadmin restart

zentyal 5.0:
Code:
sudo apt install -y zbuildtools build-essential fakeroot dpkg-dev
cd /tmp
wget 'http://archive.zentyal.org/zentyal/pool/main/z/zentyal-radius/zentyal-radius_3.5.1.tar.gz' -O zentyal-radius_3.5.1.tar.gz
tar -xf zentyal-radius_3.5.1.tar.gz
mv zentyal-radius_3.5.1 zentyal-radius-5.0
wget 'https://drive.google.com/uc?export=download&id=0B4_d-7xL0AS_djZpaXNIUHFNOWs' -O zentyal-radius-5.0.patch
patch -t -p1 -i zentyal-radius-5.0.patch
cd zentyal-radius-5.0
dpkg-buildpackage -rfakeroot -b -tc
cd ..
sudo apt install -y ./zentyal-radius_5.0_all.deb
sudo zs webadmin restart
sudo mkdir -p /etc/zentyal/stubs/samba
sudo cp /usr/share/zentyal/stubs/samba/smb.conf.mas /etc/zentyal/stubs/samba/smb.conf.mas
sudo sed -i '/\[global\]/a lanman auth = yes\nntlm auth = yes' /etc/zentyal/stubs/samba/smb.conf.mas
sudo zs samba restart

zentyal 5.1:
Code:
sudo apt install -y zbuildtools build-essential fakeroot dpkg-dev
cd /tmp
wget 'http://archive.zentyal.org/zentyal/pool/main/z/zentyal-radius/zentyal-radius_3.5.1.tar.gz' -O zentyal-radius_3.5.1.tar.gz
tar -xf zentyal-radius_3.5.1.tar.gz
mv zentyal-radius_3.5.1 zentyal-radius-5.1
wget 'https://drive.google.com/uc?export=download&id=1K99PAIAHl1j4bnBxcTMyXgKpJEpTQflB' -O zentyal-radius-5.1.patch
patch -t -p1 -i zentyal-radius-5.1.patch
cd zentyal-radius-5.1
dpkg-buildpackage -rfakeroot -b -tc
cd ..
sudo apt install -y ./zentyal-radius_5.1_all.deb
sudo zs webadmin restart
sudo mkdir -p /etc/zentyal/stubs/samba
sudo cp /usr/share/zentyal/stubs/samba/smb.conf.mas /etc/zentyal/stubs/samba/smb.conf.mas
sudo sed -i '/\[global\]/a lanman auth = yes\nntlm auth = yes' /etc/zentyal/stubs/samba/smb.conf.mas
sudo zs samba restart
« Last Edit: September 05, 2018, 10:23:17 pm by julio »
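
The 5.0 and 5.1 steps in the post above add `lanman auth = yes` and `ntlm auth = yes` under `[global]`, so they apply to every client of the Samba server and not only to RADIUS. As an added example (not part of julio's post or of Zentyal's code), this shell function lists those settings in an smb.conf-style file so the change can be reviewed and tracked; the sample file is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): list weak-auth settings in [global].
# Prints one "key = value" line per finding; prints nothing if none are set.
audit_smb_auth() {
    awk '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        /^[ \t]*[#;]/ { next }                       # skip comment lines
        /^[ \t]*\[/ {                                # section header
            sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec)
            sec = tolower(trim(sec)); next
        }
        sec == "global" && index($0, "=") > 0 {
            eq  = index($0, "=")
            key = tolower(trim(substr($0, 1, eq - 1))); gsub(/[ \t]+/, " ", key)
            val = tolower(trim(substr($0, eq + 1)))
            # values this example treats as "enabled"
            weak = (val == "yes" || val == "true" || val == "1")
            if (key == "lanman auth" && weak) print key " = " val
            if (key == "ntlm auth" && (weak || val == "ntlmv1-permitted")) print key " = " val
        }
    ' "$1"
}

# Constructed sample: a [global] section after the sed line above has run.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[global]
lanman auth = yes
ntlm auth = yes
    workgroup = EXAMPLE
    server role = active directory domain controller
[netlogon]
    path = /var/lib/samba/sysvol
EOF
audit_smb_auth "$sample"     # lists both settings
rm -f "$sample"
```

Run it against /etc/zentyal/stubs/samba/smb.conf.mas after the steps above; empty output means neither setting is enabled in `[global]`.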

Mittelerde

Re: HowTo: add radius module with mschap support to zentyal 4.1
« Reply #1 on: July 02, 2015, 12:48:55 pm »
Thanks for sharing  :)

antsu

Re: HowTo: add radius module with mschap support to zentyal 4.1
« Reply #3 on: October 22, 2015, 04:18:38 pm »
julio, thanks for going through the trouble of making and sharing this.
I've followed your instructions and successfully built the RADIUS module. Authentication works perfectly from radtest (with mschap) and from a Mikrotik router (for L2TP authentication).
There's just one detail that is not working as expected: No matter what group I choose at Zentyal's web interface, the RADIUS server will authenticate ANY valid user, regardless of the user being part of the specified group or not. As long as it's a valid domain account, it'll reply with an "Accept-Accept".
I've checked that the group is correctly being set inside /etc/freeradius/users:
Code:
DEFAULT LDAP-Group == <group name>
and also tried to manually edit it, using the full DN, but it makes no difference:
Code:
DEFAULT LDAP-Group == "CN=group,OU=foo,DC=bar,DC=com"
I don't have any experience with Freeradius, so I'm a bit lost about what can be causing this.
Running Zentyal 4.1 x86 (old server), if it makes any difference.
Any help is very much appreciated.

julio

Re: HowTo: add radius module with mschap support to zentyal 4.1
« Reply #4 on: October 23, 2015, 11:55:11 pm »
Bug is fixed, please try one more time...

Dersch

Re: HowTo: add radius module with mschap support to zentyal 4.1
« Reply #5 on: October 30, 2015, 10:23:56 pm »
Also so many thanks from my side. Today some problems started with the login of my Admin Account. All time long it was fine but now got LogIn Incorrect. Now it is working again :)

BTW: Does it work with 4.2 as well?
« Last Edit: October 30, 2015, 10:43:43 pm by Dersch »

antsu

Re: HowTo: add radius module with mschap support to zentyal 4.1
« Reply #6 on: November 05, 2015, 08:40:43 pm »
Thank you very much.

I was able to compile the module and the group filter indeed is working as expected.
There are only two things I noticed that need fixing/improving (but can be "worked-around"):

  • The diff files in your instructions are referencing the folder "zentyal-radius-4.0" instead of "zentyal-radius-4.1", causing errors when patching. Editing the files and replacing all the occurrences with the "4.1" path solves the problem.
  • After installed, if the selected group has spaces in its name, the Freeradius service is unable to start, logging errors when trying to parse "/etc/freeradius/users". Editing the file and enclosing the group's name in double quotes solves the problem, but gets undone since Zentyal rewrites the config files. A workaround (which I had to use) is to rename the group, removing all blank spaces, and then let Zentyal save its configurations again.

Again, thanks!
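
The group check in /etc/freeradius/users is what limits access to members of the chosen group, and the post above reports that a group name with spaces only parses when it is double-quoted. As an added example (not from the thread and not the module's own code), the first function renders the check line with the name quoted and the second flags unquoted values in an existing file; the group name and the sample file are constructed.

```shell
#!/bin/sh
# Added example, not from the thread.

# Render the check line with the group name double-quoted.
ldap_group_line() {
    # Escape backslashes first, then double quotes, so the value stays one string.
    esc=$(printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g')
    printf 'DEFAULT LDAP-Group == "%s"\n' "$esc"
}

# Print "N: line" for every LDAP-Group check whose value is unquoted
# and contains whitespace (the case that stopped the service from starting).
find_unquoted_groups() {
    awk '
        /^[ \t]*#/ { next }                          # comment lines
        {
            i = index($0, "LDAP-Group")
            if (i == 0) next
            rest = substr($0, i + length("LDAP-Group"))
            if (rest !~ /^[ \t]*==/) next
            sub(/^[ \t]*==[ \t]*/, "", rest)
            if (rest !~ /^"/) {
                sub(/,.*$/, "", rest)                # drop any further check items
                sub(/[ \t]+$/, "", rest)
                if (rest ~ /[ \t]/) print NR ": " $0
            }
        }
    ' "$1"
}

# Constructed sample of a generated users file.
users=$(mktemp)
cat > "$users" <<'EOF'
# constructed sample, not a real configuration
DEFAULT LDAP-Group == Wifi Users
DEFAULT LDAP-Group == "CN=group,OU=foo,DC=bar,DC=com"
EOF
find_unquoted_groups "$users"      # flags line 2
ldap_group_line 'Wifi Users'       # the quoted form
rm -f "$users"
```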

julio

Re: HowTo: add radius module with mschap support to zentyal 4.1
« Reply #7 on: November 05, 2015, 10:40:43 pm »
I've changed/fixed, please test it...

vahabudeen

Re: HowTo: add radius module with mschap support to zentyal 4.0, 4.1, 4.2
« Reply #8 on: November 06, 2015, 07:25:28 am »
Please help me to resolve this.

root@zentyal4:/home/amagi/Downloads# sudo dpkg -i zentyal-radius_4.1_all.deb
Selecting previously unselected package zentyal-radius.
(Reading database ... 59970 files and directories currently installed.)
Preparing to unpack zentyal-radius_4.1_all.deb ...
Unpacking zentyal-radius (4.1) ...
dpkg: dependency problems prevent configuration of zentyal-radius:
 zentyal-radius depends on winbind; however:
  Package winbind is not installed.
 zentyal-radius depends on freeradius; however:
  Package freeradius is not installed.
 zentyal-radius depends on freeradius-ldap; however:
  Package freeradius-ldap is not installed.

dpkg: error processing package zentyal-radius (--install):
 dependency problems - leaving unconfigured
Errors were encountered while processing:
 zentyal-radius


root@zentyal4:/home/amagi/Downloads# dpkg -i zentyal-radius_4.1_all.deb
(Reading database ... 59998 files and directories currently installed.)
Preparing to unpack zentyal-radius_4.1_all.deb ...
Unpacking zentyal-radius (4.1) over (4.1) ...
dpkg: dependency problems prevent configuration of zentyal-radius:
 zentyal-radius depends on winbind; however:
  Package winbind is not installed.
 zentyal-radius depends on freeradius; however:
  Package freeradius is not installed.
 zentyal-radius depends on freeradius-ldap; however:
  Package freeradius-ldap is not installed.

dpkg: error processing package zentyal-radius (--install):
 dependency problems - leaving unconfigured
Errors were encountered while processing:
 zentyal-radius
root@zentyal4:/home/amagi/Downloads#

julio

Re: HowTo: add radius module with mschap support to zentyal 4.0, 4.1, 4.2
« Reply #9 on: November 06, 2015, 07:55:19 am »
Please run the following command:
Code:
sudo apt-get install -f -y

vahabudeen

Re: HowTo: add radius module with mschap support to zentyal 4.0, 4.1, 4.2
« Reply #10 on: November 06, 2015, 08:00:32 am »
Then should I run this command?

sudo dpkg -i zentyal-radius_4.1_all.deb

julio

Re: HowTo: add radius module with mschap support to zentyal 4.0, 4.1, 4.2
« Reply #11 on: November 06, 2015, 08:03:11 am »
No, only the:
sudo apt-get install -f -y

(please check the instructions)

antsu

Re: HowTo: add radius module with mschap support to zentyal 4.1
« Reply #12 on: November 06, 2015, 01:54:59 pm »
Tested for 4.1 x86. Working flawlessly!
Thank you.

Dersch

Re: HowTo: add radius module with mschap support to zentyal 4.0, 4.1, 4.2
« Reply #13 on: November 13, 2015, 10:04:51 am »
Hi, I have problems installing the radius module with 4.2

Code:

dirk@superserver:~/Downloads$ sudo dpkg -i zentyal-radius_4.2_all.deb
(Lese Datenbank ... 621495 Dateien und Verzeichnisse sind derzeit installiert.)
Vorbereitung zum Entpacken von zentyal-radius_4.2_all.deb ...
Entpacken von zentyal-radius (4.2) über (4.2) ...
dpkg: Abhängigkeitsprobleme verhindern Konfiguration von zentyal-radius:
 zentyal-radius hängt ab von freeradius-ldap; aber:
  Paket freeradius-ldap ist noch nicht konfiguriert.

dpkg: Fehler beim Bearbeiten des Paketes zentyal-radius (--install):
 Abhängigkeitsprobleme - verbleibt unkonfiguriert
Fehler traten auf beim Bearbeiten von:
 zentyal-radius
dirk@superserver:~/Downloads$

dirk@superserver:~/Downloads$ sudo apt-get install -f -y
Paketlisten werden gelesen... Fertig
Abhängigkeitsbaum wird aufgebaut.
Statusinformationen werden eingelesen.... Fertig
Das folgende Paket wurde automatisch installiert und wird nicht mehr benötigt:
  linux-image-extra-3.13.0-66-generic
Verwenden Sie »apt-get autoremove«, um es zu entfernen.
0 aktualisiert, 0 neu installiert, 0 zu entfernen und 0 nicht aktualisiert.
2 nicht vollständig installiert oder entfernt.
Nach dieser Operation werden 0 B Plattenplatz zusätzlich benutzt.
freeradius-ldap (2.1.12+dfsg-1.2ubuntu8.1) wird eingerichtet ...
reload: Unknown instance:
invoke-rc.d: initscript freeradius, action "force-reload" failed.
dpkg: Fehler beim Bearbeiten des Paketes freeradius-ldap (--configure):
 Unterprozess installiertes post-installation-Skript gab den Fehlerwert 1 zurück
dpkg: Abhängigkeitsprobleme verhindern Konfiguration von zentyal-radius:
 zentyal-radius hängt ab von freeradius-ldap; aber:
  Paket freeradius-ldap ist noch nicht konfiguriert.

dpkg: Fehler beim Bearbeiten des Paketes zentyal-radius (--configure):
 Abhängigkeitsprobleme - verbleibt unkonfiguriert
Es wurde kein Apport-Bericht verfasst, da die Fehlermeldung darauf hindeutet, dass dies lediglich ein Folgefehler eines vorherigen Problems ist.
E: Sub-process /usr/bin/dpkg returned an error code (1)

dirk@superserver:~/Downloads$ sudo dpkg --configure -a
freeradius-ldap (2.1.12+dfsg-1.2ubuntu8.1) wird eingerichtet ...
reload: Unknown instance:
invoke-rc.d: initscript freeradius, action "force-reload" failed.
dpkg: Fehler beim Bearbeiten des Paketes freeradius-ldap (--configure):
 Unterprozess installiertes post-installation-Skript gab den Fehlerwert 1 zurück
dpkg: Abhängigkeitsprobleme verhindern Konfiguration von zentyal-radius:
 zentyal-radius hängt ab von freeradius-ldap; aber:
  Paket freeradius-ldap ist noch nicht konfiguriert.

dpkg: Fehler beim Bearbeiten des Paketes zentyal-radius (--configure):
 Abhängigkeitsprobleme - verbleibt unkonfiguriert
Fehler traten auf beim Bearbeiten von:
 freeradius-ldap
 zentyal-radius


Is there some fix?

I found that:

Code:
zentyal-install-module /home/dirk/Downloads/zentyal-radius-4.2/debian/zentyal-radius/

cp: der Aufruf von stat für »schemas/*.ldif“ ist nicht möglich: Datei oder Verzeichnis nicht gefunden

« Last Edit: November 13, 2015, 11:09:34 am by Dersch »

Dersch

Re: HowTo: add radius module with mschap support to zentyal 4.0, 4.1, 4.2
« Reply #14 on: November 13, 2015, 04:36:21 pm »
Julio, please help me  :-\ I need radius for my wlan access and it does not work as it should at the moment. I assume it is just a small bug in the installation :)

It worked like a charm with 4.1 and today I upgraded to 4.2.1 after I saw that I can install the radius module.