Hi list!

I'm trying to authenticate Active Directory Users via freeradius. I can do it in a general case (user and domain) without problem. Now I have to do it restricting the authentication to the members of a group.

I can execute the script (as it is put in radiusd.conf) correctly from the command line:

Deb:~# /usr/bin/ntlm_auth --username=javi2 --require-membership-of='AAMM\MyGroup' --domain=AAMM
password:
NT_STATUS_OK: Success (0x0)
Deb:~# /usr/bin/ntlm_auth --username=javi2 --require-membership-of='AAMM\OtherGroup' --domain=AAMM
password:
NT_STATUS_LOGON_FAILURE: Logon failure (0xc000006d)
Deb:~#

So samba and winbind look to be correctly configured, but when radius executes it, it looks as if winbind couldn't resolve the group's name. My line in radiusd.conf is:

ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --require-membership-of='AAMM\\MyGroup' --domain=%{mschap:NT-Domain} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"

And I get the next logs:

radius_xlat: '/usr/bin/ntlm_auth --request-nt-key --username=javi2 --require-membership-of='AAMM\MyGroup' --domain=AAMM --challenge=6b480cf181ded625 --nt-response=bce392db1fcd91380690317e7cd1228e78940576d78fde21 '
Exec-Program: /usr/bin/ntlm_auth --request-nt-key --username=javi2 --require-membership-of='AAMM\MyGroup' --domain=AAMM --challenge=6b480cf181ded625 --nt-response=bce392db1fcd91380690317e7cd1228e78940576d78fde21
[2005/05/16 09:05:57, 0] utils/ntlm_auth.c:get_require_membership_sid(237)
  Winbindd lookupname failed to resolve 'AAMM\MyGroup' into a SID!

Does anybody know why it could be happening? Thanks in advance for any help!!

On Mon, 2005-05-16 at 09:28 +0200, Javier Jimenez wrote:
> Hi list!
> I'm trying to authenticate Active Directory Users via freeradius. I
> can do it in a general case (user and domain) without
> problem. Now I have to do it restricting the authentication to the
> members of a group.

> Exec-Program: /usr/bin/ntlm_auth --request-nt-key --username=javi2
> --require-membership-of='AAMM\MyGroup' --domain=AAMM
> --challenge=6b480cf181ded625
> --nt-response=bce392db1fcd91380690317e7cd1228e78940576d78fde21
> [2005/05/16 09:05:57, 0] utils/ntlm_auth.c:get_require_membership_sid
> (237)
> Winbindd lookupname failed to resolve 'AAMM\MyGroup' into a SID!

Looking at the source, the issue appears to be the quotes. FreeRadius does not go via a shell, which means that the ' characters are not stripped off. (The ntlm_auth source shows that this debug message is printed without any quotes, which means you supplied them.)

> Does anybody know why it could be happening? Thanks in advance for any help!!

--
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net

Now I've found another problem: if I put a group with blank spaces in my ntlm_auth script on freeradius, it cannot authenticate. It recognises just the first word of the name. Any idea about what's happening?

Thanks!

---------- Forwarded message ----------
From: Javier Jimenez <javier.jimenezdiaz@gmail.com>
Date: 16-may-2005 12:42
Subject: Re: [Samba] Winbind problem when exec freeradius
To: Andrew Bartlett <abartlet@samba.org>

It works!! Thank you very much!

Javi.

2005/5/16, Andrew Bartlett <abartlet@samba.org>:
> On Mon, 2005-05-16 at 09:28 +0200, Javier Jimenez wrote:
> > Hi list!
> > I'm trying to authenticate Active Directory Users via freeradius. I
> > can do it in a general case (user and domain) without
> > problem. Now I have to do it restricting the authentication to the
> > members of a group.
>
> > Exec-Program: /usr/bin/ntlm_auth --request-nt-key --username=javi2
> > --require-membership-of='AAMM\MyGroup' --domain=AAMM
> > --challenge=6b480cf181ded625
> > --nt-response=bce392db1fcd91380690317e7cd1228e78940576d78fde21
> > [2005/05/16 09:05:57, 0] utils/ntlm_auth.c:get_require_membership_sid
> > (237)
> > Winbindd lookupname failed to resolve 'AAMM\MyGroup' into a SID!
>
> Looking at the source, the issue appears to be the quotes. FreeRadius
> does not go via a shell, which means that the ' characters are not
> stripped off. (The ntlm_auth source shows that this debug message is
> printed without any quotes, which means you supplied them)
>
> > Does anybody know why it could be happening? Thanks in advance for any help!!
> --
> Andrew Bartlett                                http://samba.org/~abartlet/
> Authentication Developer, Samba Team           http://samba.org
> Student Network Administrator, Hawker College  http://hawkerc.net
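
An added example (not part of the thread, and not FreeRADIUS or Samba code) reproducing the two symptoms reported above: quote characters reaching the program literally when no shell is involved, and a name containing a space being cut at its first word. The whitespace-only split in `no_shell_argv` is an assumed, simplified model of a launcher that bypasses the shell, and the group name `My Group` is a constructed sample.

```python
import json
import shlex
import subprocess
import sys

PREFIX = "--require-membership-of="
# Command line from the thread's Exec-Program log (challenge/response omitted).
LOGGED = r"/usr/bin/ntlm_auth --username=javi2 --require-membership-of='AAMM\MyGroup' --domain=AAMM"
# Constructed sample: a group name with a space, written without quotes.
SPACED = r"/usr/bin/ntlm_auth --username=javi2 --require-membership-of=AAMM\My Group --domain=AAMM"


def shell_argv(cmdline):
    """Tokenise as a POSIX shell does: quotes group words and are then removed."""
    return shlex.split(cmdline)


def no_shell_argv(cmdline):
    """Assumed model of a launcher that skips the shell: whitespace split only."""
    return cmdline.split()


def child_sees(args):
    """Exec a child process without a shell and return the argv it received."""
    echo = "import json, sys; print(json.dumps(sys.argv[1:]))"
    out = subprocess.run([sys.executable, "-c", echo, *args],
                         capture_output=True, text=True, check=True).stdout
    return json.loads(out)


def membership_arg(argv):
    """Value the program would get for --require-membership-of, or None."""
    for arg in argv:
        if arg.startswith(PREFIX):
            return arg[len(PREFIX):]
    return None


if __name__ == "__main__":
    cases = {
        "shell, quoted": shell_argv(LOGGED)[1:],
        "no shell, quoted": no_shell_argv(LOGGED)[1:],
        "no shell, space in name": no_shell_argv(SPACED)[1:],
        "argv built as a list": [PREFIX + r"AAMM\My Group"],
    }
    for label, args in cases.items():
        print(f"{label:24} {membership_arg(child_sees(args))!r}")
```

The last case shows that an argument vector handed to exec as a list reaches the child unchanged, space included; whether a given launcher lets you supply one depends on how it tokenises its configured command string.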