nazunalika · May 22, 2023 07:47
diff --git a/gistfile1.txt b/gistfile1.txt
 # Create the service
 ipa service-add 'radius/radiusserver.example.com'
 ipa service-add-host --hosts=radiusserver.example.com radius/radiusserver.example.com

 # You need the role and permissions
 ipa role-add "samba/radius auth"
 ipa privilege-add "NTLM Password Hash Access"
 ipa permission-add "Read Samba NTLM RC4 Password Hash attribute" --attrs=ipaNTHash --attrs=sambaNTPassword --attrs=sambaPwdLastSet --attrs=sambaSID --attrs=sambaAcctFlags --attrs=sambaDomainName --type=user --right=read --right=compare
 ipa privilege-add-permission "NTLM Password Hash Access" --permissions="Read Samba NTLM RC4 Password Hash attribute"

 # Add the role
 ipa role-add-member "samba/radius auth" --services="radius/radiusserver.example.com"

 # The radius server needs the keytab
 ipa-getkeytab -p 'radius/radiusserver.example.com' -s ipaserver.example.com -k /etc/raddb/radius.keytab
 chown root:radiusd /etc/raddb/radius.keytab
 chmod 640 /etc/raddb/radius.keytab

 # Radius needs to use the keytab.
 mkdir -p /etc/systemd/system/radiusd.service.d
 cat > /etc/systemd/system/radiusd.service.d/krb5_keytab.conf << EOF
 [Service]
 Environment=KRB5_CLIENT_KTNAME=/etc/raddb/radius.keytab
 ExecStartPre=-/usr/bin/kdestroy -A
 ExecStopPost=-/usr/bin/kdestroy -A
 EOF
 systemctl daemon-reload

 # Service needs a password
 ldapmodify -x -D 'cn=Directory Manager' -W
 Enter password:
 dn: krbprincipalname=radius/[email protected],cn=services,cn=accounts,dc=example,dc=com
 changetype: modify
 add: objectClass
 objectClass: simpleSecurityObject
 -
 add: userPassword
 userPassword: PutAPasswordHere

 # In radius, the configuration could look like this... (ignoring TLS certificate stuff, this is up to the user's requirements and settings)

 ldap {
  server = 'ipaserver.example.com'
  identity = 'krbprincipalname=radius/[email protected],cn=services,cn=accounts,dc=example,dc=com'
  password = PutAPasswordHere
  base_dn = 'dc=example,dc=com'
 }
 update {
  control:Password-With-Header    += 'userPassword'
  control:NT-Password                   := 'ipaNTHash'
 }

 user {
  base_dn = "cn=users,cn=accounts,${..base_dn}"
  filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
 }

 group {
  base_dn = "cn=groups,cn=accounts,${..base_dn}"
  filter = '(objectClass=posixGroup)'
  membership_attribute = 'memberOf'
 }
	# Create the service
	ipa service-add 'radius/radiusserver.example.com'
	ipa service-add-host --hosts=radiusserver.example.com radius/radiusserver.example.com

	# You need the role and permissions
	ipa role-add "samba/radius auth"
	ipa privilege-add "NTLM Password Hash Access"
	ipa permission-add "Read Samba NTLM RC4 Password Hash attribute" --attrs=ipaNTHash --attrs=sambaNTPassword --attrs=sambaPwdLastSet --attrs=sambaSID --attrs=sambaAcctFlags --attrs=sambaDomainName --type=user --right=read --right=compare
	ipa privilege-add-permission "NTLM Password Hash Access" --permissions="Read Samba NTLM RC4 Password Hash attribute"

	# Add the role
	ipa role-add-member "samba/radius auth" --services="radius/radiusserver.example.com"

	# The radius server needs the keytab
	ipa-getkeytab -p 'radius/radiusserver.example.com' -s ipaserver.example.com -k /etc/raddb/radius.keytab
	chown root:radiusd /etc/raddb/radius.keytab
	chmod 640 /etc/raddb/radius.keytab

	# Radius needs to use the keytab.
	mkdir -p /etc/systemd/system/radiusd.service.d
	cat > /etc/systemd/system/radiusd.service.d/krb5_keytab.conf << EOF
	[Service]
	Environment=KRB5_CLIENT_KTNAME=/etc/raddb/radius.keytab
	ExecStartPre=-/usr/bin/kdestroy -A
	ExecStopPost=-/usr/bin/kdestroy -A
	EOF
	systemctl daemon-reload

	# Service needs a password
	ldapmodify -x -D 'cn=Directory Manager' -W
	Enter password:
	dn: krbprincipalname=radius/[email protected],cn=services,cn=accounts,dc=example,dc=com
	changetype: modify
	add: objectClass
	objectClass: simpleSecurityObject
	-
	add: userPassword
	userPassword: PutAPasswordHere

	# In radius, the configuration could look like this... (ignoring TLS certificate stuff, this is up to the user's requirements and settings)

	ldap {
	server = 'ipaserver.example.com'
	identity = 'krbprincipalname=radius/[email protected],cn=services,cn=accounts,dc=example,dc=com'
	password = PutAPasswordHere
	base_dn = 'dc=example,dc=com'
	}
	update {
	control:Password-With-Header += 'userPassword'
	control:NT-Password := 'ipaNTHash'
	}

	user {
	base_dn = "cn=users,cn=accounts,${..base_dn}"
	filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
	}

	group {
	base_dn = "cn=groups,cn=accounts,${..base_dn}"
	filter = '(objectClass=posixGroup)'
	membership_attribute = 'memberOf'
	}