L.P.H. van Belle
2017-Dec-14 10:09 UTC
[Samba] ADUC missing msNPAllowDialin and need vpn advice for ad setup.
Hai,

I'm reading:
https://wiki.samba.org/index.php/VPN_Single_SignOn_with_Samba_AD

I wanted to use the "msNPAllowDialin", in the ADUC tab "Dial-in", but I noticed this one was gone / I was missing this one:
https://wiki.samba.org/images/8/88/MsNPAllowDialin.jpg

Admin pc, windows 7 64bit, samba 4.7.3. AD Reinstalled it with the needed dll's from a win2008R2.
Now my Dial-in tab is shown in ADUC, but when I try to open it I get an error. I had a look in the AD with my AD browser and I see I'm missing, for example, msNPAllowDialin in the AD, and possibly more.

So my question: how can I add all needed properties back in the AD, like the msNPAllowDialin? Does samba have anything that can sort of restore these? samba-tool dbcheck and --cross-nc show 0 errors. Or should I import the radius schema and use that?

The result I'm going for is a strongswan server with user auth from ad/ldap, with or without radius. The vpn is already up and tested with eap-mschapv2, with plain text usernames/passwords, and I'm now reading into the ldap part. So if anyone has some tips, that would be great.

Greetz,

Louis
Rowland Penny
2017-Dec-14 10:53 UTC
[Samba] ADUC missing msNPAllowDialin and need vpn advice for ad setup.
On Thu, 14 Dec 2017 11:09:52 +0100 "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:

> Hai,
>
> I'm reading:
> https://wiki.samba.org/index.php/VPN_Single_SignOn_with_Samba_AD
>
> I wanted to use the "msNPAllowDialin", in the ADUC tab "Dial-in", but I
> noticed this one was gone / I was missing this one:
> https://wiki.samba.org/images/8/88/MsNPAllowDialin.jpg
>
> Admin pc, windows 7 64bit, samba 4.7.3. AD Reinstalled it with the needed
> dll's from a win2008R2.
> Now my Dial-in tab is shown in ADUC, but when I try to open it I get an
> error. I had a look in the AD with my AD browser and I see I'm missing,
> for example, msNPAllowDialin in the AD, and possibly more.
>
> So my question: how can I add all needed properties back in the AD,
> like the msNPAllowDialin? Does samba have anything that can sort of
> restore these? samba-tool dbcheck and --cross-nc show 0 errors. Or
> should I import the radius schema and use that?
>
> The result I'm going for is a strongswan server with user auth
> from ad/ldap, with or without radius. The vpn is already up and tested
> with eap-mschapv2, with plain text usernames/passwords, and I'm now
> reading into the ldap part. So if anyone has some tips, that would be
> great.
>
> Greetz,
>
> Louis

Hi Louis,

The 'msNPAllowDialin' is a standard AD attribute:

cn: msNPAllowDialin
ldapDisplayName: msNPAllowDialin
attributeId: 1.2.840.113556.1.4.1119
attributeSyntax: 2.5.5.8
omSyntax: 1
isSingleValued: TRUE
schemaIdGuid: db0c9085-c1f2-11d1-bbc5-0080c76670c0
systemOnly: FALSE
searchFlags: fCOPY
attributeSecurityGuid: 037088f8-0ae1-11d2-b422-00a0c968f939
systemFlags: FLAG_SCHEMA_BASE_OBJECT

If you look here:

https://msdn.microsoft.com/en-us/library/ms678093(v=vs.85).aspx

it says:

Do not modify this value directly.

But I also found this:

http://www.wisesoft.co.uk/scripts/vbscript_write_msnpallowdialin_attribute.aspx

From which, it seems that if you don't have the attribute, you 'Control access through remote access policy'.
If you have the attribute, it can only be set to 'TRUE' or 'FALSE'.

Rowland
L.P.H. van Belle
2017-Dec-14 11:23 UTC
[Samba] ADUC missing msNPAllowDialin and need vpn advice for ad setup.
Hai Rowland,

Even though msNPAllowDialin is a standard attribute, it's not in my AD anymore, at least not within the users fields. I think in time this disappeared while fixing things. This setup is running and upgraded as of samba 4.1. But thanks for that info, reading that after my lunch.

If I have more questions, I'll mail again.
Thanks!

Greetz,

Louis

> -----Original message-----
> From: Rowland Penny [mailto:rpenny at samba.org]
> Sent: Thursday 14 December 2017 11:54
> To: samba at lists.samba.org
> CC: L.P.H. van Belle
> Subject: Re: [Samba] ADUC missing msNPAllowDialin and need vpn advice for ad setup.
>
> On Thu, 14 Dec 2017 11:09:52 +0100
> "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
>
> > Hai,
> >
> > I'm reading:
> > https://wiki.samba.org/index.php/VPN_Single_SignOn_with_Samba_AD
> >
> > I wanted to use the "msNPAllowDialin", in the ADUC tab "Dial-in", but I
> > noticed this one was gone / I was missing this one:
> > https://wiki.samba.org/images/8/88/MsNPAllowDialin.jpg
> >
> > Admin pc, windows 7 64bit, samba 4.7.3. AD Reinstalled it with the needed
> > dll's from a win2008R2.
> > Now my Dial-in tab is shown in ADUC, but when I try to open it I get an
> > error. I had a look in the AD with my AD browser and I see I'm missing,
> > for example, msNPAllowDialin in the AD, and possibly more.
> >
> > So my question: how can I add all needed properties back in the AD,
> > like the msNPAllowDialin? Does samba have anything that can sort of
> > restore these? samba-tool dbcheck and --cross-nc show 0 errors. Or
> > should I import the radius schema and use that?
> >
> > The result I'm going for is a strongswan server with user auth
> > from ad/ldap, with or without radius. The vpn is already up and tested
> > with eap-mschapv2, with plain text usernames/passwords, and I'm now
> > reading into the ldap part. So if anyone has some tips, that would be
> > great.
> >
> > Greetz,
> >
> > Louis
>
> Hi Louis,
>
> The 'msNPAllowDialin' is a standard AD attribute:
>
> cn: msNPAllowDialin
> ldapDisplayName: msNPAllowDialin
> attributeId: 1.2.840.113556.1.4.1119
> attributeSyntax: 2.5.5.8
> omSyntax: 1
> isSingleValued: TRUE
> schemaIdGuid: db0c9085-c1f2-11d1-bbc5-0080c76670c0
> systemOnly: FALSE
> searchFlags: fCOPY
> attributeSecurityGuid: 037088f8-0ae1-11d2-b422-00a0c968f939
> systemFlags: FLAG_SCHEMA_BASE_OBJECT
>
> If you look here:
>
> https://msdn.microsoft.com/en-us/library/ms678093(v=vs.85).aspx
>
> it says:
>
> Do not modify this value directly.
>
> But I also found this:
>
> http://www.wisesoft.co.uk/scripts/vbscript_write_msnpallowdialin_attribute.aspx
>
> From which, it seems that if you don't have the attribute, you 'Control
> access through remote access policy'.
> If you have the attribute, it can only be set to 'TRUE' or 'FALSE'.
>
> Rowland
Rowland Penny
2017-Dec-14 11:37 UTC
[Samba] ADUC missing msNPAllowDialin and need vpn advice for ad setup.
On Thu, 14 Dec 2017 12:23:43 +0100 "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:

> Hai Rowland,
>
> Even though msNPAllowDialin is a standard attribute, it's not in my AD
> anymore, at least not within the users fields. I think in time this
> disappeared while fixing things. This setup is running and upgraded as of
> samba 4.1. But thanks for that info, reading that after my lunch.
>
> If I have more questions, I'll mail again.
> Thanks!
>
> Greetz,
>
> Louis

Go and have a look in:

/usr/share/samba/setup/ad-schema/MS-AD_Schema_2K8_R2_Attributes.txt

Rowland
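
Added example, not part of any poster's message and not Samba's own code: a Python sketch that parses a schema record in the "key: value" form Rowland quoted, confirms from attributeSyntax 2.5.5.8 with omSyntax 1 that the attribute is a Boolean, and maps a user's msNPAllowDialin value to a VPN authorization decision, failing closed on anything malformed. The function names are hypothetical, the allow/deny/policy mapping follows the reading given in the thread, and it is assumed that each record in the schema text begins at its "cn:" line.

```python
# Record copied from the reply in this thread (the page's own values).
SAMPLE_SCHEMA = """\
cn: msNPAllowDialin
ldapDisplayName: msNPAllowDialin
attributeId: 1.2.840.113556.1.4.1119
attributeSyntax: 2.5.5.8
omSyntax: 1
isSingleValued: TRUE
schemaIdGuid: db0c9085-c1f2-11d1-bbc5-0080c76670c0
systemOnly: FALSE
searchFlags: fCOPY
attributeSecurityGuid: 037088f8-0ae1-11d2-b422-00a0c968f939
systemFlags: FLAG_SCHEMA_BASE_OBJECT
"""

# (attributeSyntax, omSyntax) pairs; only the ones this example needs.
SYNTAX_NAMES = {("2.5.5.8", "1"): "Boolean", ("2.5.5.12", "64"): "Unicode string"}

def parse_schema_records(text):
    """Split 'key: value' text into records keyed by lower-cased cn.
    Assumption: every record starts at its 'cn:' line."""
    records, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key.lower() == "cn":
            current = {}
            records[value.lower()] = current
        if current is not None:
            current[key.lower()] = value
    return records

def syntax_of(record):
    """Name the LDAP syntax of a parsed record, or 'unknown'."""
    pair = (record.get("attributesyntax"), record.get("omsyntax"))
    return SYNTAX_NAMES.get(pair, "unknown")

def dialin_decision(user_attrs):
    """Return 'policy' if the attribute is absent, 'allow' only for an exact
    single TRUE, and 'deny' for FALSE or any malformed value (fail closed)."""
    values = [v for k, v in user_attrs.items() if k.lower() == "msnpallowdialin"]
    if not values:
        return "policy"
    value = values[0]
    if isinstance(value, (list, tuple)):  # LDAP libraries return value lists
        value = value[0] if len(value) == 1 else b""
    if isinstance(value, bytes):
        value = value.decode("ascii", "replace")
    return "allow" if value == "TRUE" else "deny"
```

To check an installed schema, pass the contents of the file Rowland names to parse_schema_records() and look up "msnpallowdialin" in the result.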