Hello,

Wiki entry was based on my mail to this list, sorry if I was not clear enough.
I'm glad you figured it out yourself,

Regards,
Kacper

On 09.10.2018 at 17:21, Marco Gaiarin via samba wrote:
>> Does someone have some hints? Thanks.
> ...I reply to myself.
>
> Indeed the option 'ntlm auth = mschapv2-and-ntlmv2-only' (4.7+) or 'ntlm auth
> yes' (4.6-4.5) has to be set on DCs. Now it works.
>
> Sorry.
>
>
> PS: I suggest specifying that on the wiki...
>
Mandi! Kacper Wirski via samba, on that day, wrote:
> Wiki entry was based on my mail to this list, sorry if I was not clear

Oh, don't bother... really I was ''puzzled'' by the sentence:

	Ensure the server is added to AD with net ads join

so I supposed we were referencing a domain member (a domain controller is
''joined by default'' to the domain...).

A little note: you 'lock' the domain name in the configuration; it is also
possible to leave the domain info, providing a default if absent, so you can
auth multiple domains. Clearly, you have to define the corresponding realms
in proxy.conf. E.g. (LNFFVG is my domain):

	winbind_username = "%{mschap:%{User-Name}:-None}"
	winbind_domain = "%{mschap:%{NT-Domain}:-LNFFVG}"
	ntlm_auth = "/usr/bin/ntlm_auth --allow-mschapv2 --helper-protocol=ntlm-change-password-1"
	ntlm_auth_username = "username: %{mschap:User-Name}"
	ntlm_auth_domain = "nt-domain: %{mschap:%{NT-Domain}:-LNFFVG}"

and in proxy.conf:

	realm LNFFVG {
		type = radius
		authhost = LOCAL
		accthost = LOCAL
	}

-- 
dott. Marco Gaiarin				        GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''         
  http://www.lanostrafamiglia.it/
  Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797
		Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
      http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
	(tax code 00307430132, category ONLUS or RICERCA SANITARIA)
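The point of the note above is that the domain fallback in the mschap lines and the realm list in proxy.conf have to agree: a default domain with no local realm silently breaks the multi-domain setup. The following is an added example (not code from the thread or from the FreeRADIUS project) that reads the two fragments posted above and reports any default domain lacking a `realm NAME { authhost = LOCAL }` block. The xlat reading is deliberately minimal and is an assumption of this check: only the `:-DEFAULT` suffix on `%{NT-Domain}` is interpreted, and realm names are compared exactly as written.

```python
"""Consistency check for the multi-domain ntlm_auth setup from the thread.

Added example; not code from the list thread or from FreeRADIUS. It reads
the mschap lines and the proxy.conf realm block posted above and checks
that every domain the '%{...:-DEFAULT}' xlat can fall back to has a realm
block that authenticates locally. Only the ':-DEFAULT' suffix on
%{NT-Domain} is interpreted (an assumption of this check), nothing else.
"""
import re
from typing import Dict, List, Optional, Set

# Fragments as posted in the thread (mschap module lines and proxy.conf).
MSCHAP_FRAGMENT = '''
winbind_username = "%{mschap:%{User-Name}:-None}"
winbind_domain = "%{mschap:%{NT-Domain}:-LNFFVG}"
ntlm_auth_username = "username: %{mschap:User-Name}"
ntlm_auth_domain = "nt-domain: %{mschap:%{NT-Domain}:-LNFFVG}"
'''

PROXY_CONF = '''
realm LNFFVG {
        type = radius
        authhost = LOCAL
        accthost = LOCAL
}
'''

# '%{NT-Domain}:-DEFAULT}' -> capture DEFAULT
_DEFAULT_XLAT = re.compile(r'%\{NT-Domain\}:-([^}]+)\}')
# 'realm NAME { body }' blocks
_REALM_BLOCK = re.compile(r'realm\s+(\S+)\s*\{([^}]*)\}', re.DOTALL)
# 'key = value' lines inside a block
_KEY_VALUE = re.compile(r'^\s*(\w+)\s*=\s*(\S+)\s*$', re.MULTILINE)


def default_domains(fragment: str) -> Set[str]:
    """Domains the mschap fragment falls back to when the request has no NT-Domain."""
    return set(_DEFAULT_XLAT.findall(fragment))


def resolve_domain(fragment: str, nt_domain: Optional[str]) -> str:
    """Mimic the ':-' default: the request's NT-Domain if present, else the default.

    Raises if the fragment carries more than one distinct default, which would
    make winbind_domain and ntlm_auth_domain disagree with each other."""
    defaults = default_domains(fragment)
    if len(defaults) != 1:
        raise ValueError(f'expected exactly one default domain, found {sorted(defaults)}')
    return nt_domain if nt_domain else next(iter(defaults))


def local_realms(proxy_conf: str) -> Dict[str, Dict[str, str]]:
    """Parse 'realm NAME { key = value ... }' blocks into {NAME: {key: value}}."""
    realms: Dict[str, Dict[str, str]] = {}
    for name, body in _REALM_BLOCK.findall(proxy_conf):
        realms[name] = dict(_KEY_VALUE.findall(body))
    return realms


def missing_realms(fragment: str, proxy_conf: str) -> List[str]:
    """Default domains with no realm block whose authhost is LOCAL."""
    realms = local_realms(proxy_conf)
    missing = []
    for domain in default_domains(fragment):
        block = realms.get(domain)
        if block is None or block.get('authhost') != 'LOCAL':
            missing.append(domain)
    return sorted(missing)


def request_has_local_realm(fragment: str, proxy_conf: str, nt_domain: Optional[str]) -> bool:
    """Would a request carrying nt_domain (or none) land on a locally handled realm?"""
    domain = resolve_domain(fragment, nt_domain)
    return local_realms(proxy_conf).get(domain, {}).get('authhost') == 'LOCAL'


if __name__ == '__main__':
    print('default domains:', sorted(default_domains(MSCHAP_FRAGMENT)))
    print('realms without a LOCAL block:', missing_realms(MSCHAP_FRAGMENT, PROXY_CONF) or 'none')
```

To extend the setup to a second domain, add its realm block to proxy.conf and run the check again; a domain that appears in a request but has no realm block is reported by `request_has_local_realm` returning False.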
Sorry, I came back with another little note. For LDAP access it seems
that, instead of specifying user/DN and password, SASL/Kerberos can be
used.
The config file (/etc/freeradius/3.0/mods-available/ldap) says:
        #
        #  SASL parameters to use for admin binds
        #
        #  When we're prompted by the SASL library, these control
        #  the responses given, as well as the identity and password
        #  directives above.
        #
        #  If any directive is commented out, a NULL response will be
        #  provided to cyrus-sasl.
        #
        #  Unfortunately the only way to control Kerberos here is through
        #  environmental variables, as cyrus-sasl provides no API to
        #  set the krb5 config directly.
        #
        #  Full documentation for MIT krb5 can be found here:
        #
        #      http://web.mit.edu/kerberos/krb5-devel/doc/admin/env_variables.html
        #
        #  At a minimum you probably want to set KRB5_CLIENT_KTNAME.
        #
        sasl {
                # SASL mechanism
#               mech = 'PLAIN'
                # SASL authorisation identity to proxy.
#               proxy = 'autz_id'
                # SASL realm. Used for kerberos.
#               realm = 'AD.FVG.LNF.IT'
        }
Has someone used it? Do you have some configuration examples to share?
Thanks.
-- 
dott. Marco Gaiarin				        GNUPG Key ID: 240A3D66
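The config comment quoted above ties the SASL bind to two things: the keytab named by KRB5_CLIENT_KTNAME and the `realm` directive in the `sasl {}` block. A bind that fails here is often a keytab whose principal belongs to a different realm than the one configured, or a realm written in the wrong case (Kerberos realms are case-sensitive). The following is an added example, not from the thread or from FreeRADIUS or MIT krb5, that reads a keytab in the MIT krb5 file format (version 0x0502, big-endian, as documented by MIT) and lists the principals it holds in the configured realm, so the check can be run before enabling the bind. The sample keytab is constructed in-line with a small writer; the principal names and key bytes are made up.

```python
"""Preflight for the ldap module's SASL/Kerberos bind (sasl { realm = ... }).

Added example; not code from the list thread, FreeRADIUS or MIT krb5. It
reads the keytab that KRB5_CLIENT_KTNAME would point at and reports the
principals usable in the configured realm. Format: MIT keytab v0x0502,
all integers big-endian. The sample keytab below is constructed here.
"""
import os
import struct
from typing import Dict, Iterable, List, Tuple

KEYTAB_VERSION = 0x0502
KRB5_NT_PRINCIPAL = 1


def _counted(data: bytes) -> bytes:
    """counted_octet_string: uint16 length followed by the bytes."""
    return struct.pack('>H', len(data)) + data


def _read_counted(data: bytes, pos: int) -> Tuple[bytes, int]:
    length, = struct.unpack_from('>H', data, pos)
    pos += 2
    return data[pos:pos + length], pos + length


def build_keytab(entries: Iterable[Tuple[str, int, int, bytes]]) -> bytes:
    """Write a keytab from (principal 'a/b@REALM', kvno, enctype, key) tuples.
    Only used to construct the sample; real keytabs come from ktutil/ADS tooling."""
    out = struct.pack('>H', KEYTAB_VERSION)
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit('@', 1)
        comps = name.split('/')
        body = struct.pack('>H', len(comps)) + _counted(realm.encode())
        for comp in comps:
            body += _counted(comp.encode())
        # name_type, timestamp (0 in the sample), 8-bit kvno
        body += struct.pack('>IIB', KRB5_NT_PRINCIPAL, 0, kvno & 0xFF)
        body += struct.pack('>H', enctype) + _counted(key)
        body += struct.pack('>I', kvno)              # optional 32-bit kvno
        out += struct.pack('>i', len(body)) + body   # size excludes itself
    return out


def parse_keytab(data: bytes) -> List[Dict]:
    """Parse all entries; a negative size marks a deleted entry (hole) to skip."""
    version, = struct.unpack_from('>H', data, 0)
    if version != KEYTAB_VERSION:
        raise ValueError(f'unsupported keytab version {version:#06x}')
    entries = []
    pos = 2
    while pos + 4 <= len(data):
        size, = struct.unpack_from('>i', data, pos)
        pos += 4
        if size <= 0:
            pos += -size
            continue
        end, p = pos + size, pos
        ncomp, = struct.unpack_from('>H', data, p)
        p += 2
        realm, p = _read_counted(data, p)
        comps = []
        for _ in range(ncomp):
            comp, p = _read_counted(data, p)
            comps.append(comp.decode())
        name_type, timestamp, vno8 = struct.unpack_from('>IIB', data, p)
        p += 9
        enctype, = struct.unpack_from('>H', data, p)
        p += 2
        key, p = _read_counted(data, p)
        kvno = vno8
        if end - p >= 4:                          # 32-bit kvno present
            vno32, = struct.unpack_from('>I', data, p)
            if vno32:
                kvno = vno32
        entries.append({'principal': '/'.join(comps) + '@' + realm.decode(),
                        'realm': realm.decode(), 'kvno': kvno,
                        'enctype': enctype, 'name_type': name_type})
        pos = end
    return entries


def principals_in_realm(keytab: bytes, realm: str) -> List[str]:
    """Principals usable for a bind in 'realm' (exact, case-sensitive match)."""
    return sorted(e['principal'] for e in parse_keytab(keytab) if e['realm'] == realm)


def check_sasl_realm(keytab_path: str, realm: str) -> List[str]:
    """Read the keytab at keytab_path (e.g. $KRB5_CLIENT_KTNAME) and report."""
    with open(keytab_path, 'rb') as fh:
        return principals_in_realm(fh.read(), realm)


# Constructed sample: one principal in the realm from the config comment, one elsewhere.
SAMPLE_KEYTAB = build_keytab([
    ('freeradius/radius.example@AD.FVG.LNF.IT', 3, 18, b'\x11' * 32),  # aes256-cts
    ('host/other.example@EXAMPLE.COM', 1, 17, b'\x22' * 16),          # aes128-cts
])

if __name__ == '__main__':
    path = os.environ.get('KRB5_CLIENT_KTNAME')
    found = (check_sasl_realm(path, 'AD.FVG.LNF.IT') if path
             else principals_in_realm(SAMPLE_KEYTAB, 'AD.FVG.LNF.IT'))
    print('principals in AD.FVG.LNF.IT:', found or 'NONE (bind would fail)')
```

Run it with KRB5_CLIENT_KTNAME exported as the ldap module would see it; an empty result means the realm in the `sasl {}` block and the keytab do not match and the bind cannot succeed regardless of the rest of the configuration.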