Hello,

I've configured a new FreeRADIUS server for WLAN authentication. My RADIUS server is a domain member on my Samba 4.7.12 AD DC. For my mschap configuration I followed this guide: https://wiki.samba.org/index.php/Authenticating_Freeradius_against_Active_Directory.

The auth works! I can configure ntlm_auth in two different ways?

ntlm_auth = "/path/to/ntlm_auth --allow-mschapv2 --request-nt-key --username=%{mschap:User-Name} --domain=MYDOMAIN --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"

OR

winbind_username = "%{mschap:User-Name}"
winbind_domain = "%{mschap:NT-Domain}"

Both ways are working, but now I'm hanging a little bit. Currently I'm using this config in /mods-available/mschap:

winbind_username = "%{mschap:User-Name}"
winbind_domain = "%{mschap:NT-Domain}"

(ntlm_auth = ... is commented out)

I have an AD group "WLAN".

How can I authenticate against this group? Is there any directive like "winbind_group = "?

Regards

Micha
That's more a "FreeRADIUS list" question... But no, you'd better use the group-checking part from/in module rlm_ldap. And yes, it "should" be possible, if you look into module winbind. All I know is results from ldap are better than winbind, but I've not tested that. And I'm sure there are other users here on the list that can tell more about that.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Micha Ballmann via samba
> Sent: Monday 21 October 2019 13:53
> To: samba at lists.samba.org
> Subject: [Samba] Samba4 and Freeradius
>
> Hello,
>
> I've configured a new FreeRADIUS server for WLAN authentication. My
> RADIUS server is a domain member on my Samba 4.7.12 AD DC. For my mschap
> configuration I followed this guide:
> https://wiki.samba.org/index.php/Authenticating_Freeradius_against_Active_Directory.
>
> The auth works! I can configure ntlm_auth in two different ways?
>
> ntlm_auth = "/path/to/ntlm_auth --allow-mschapv2 --request-nt-key
> --username=%{mschap:User-Name} --domain=MYDOMAIN
> --challenge=%{%{mschap:Challenge}:-00}
> --nt-response=%{%{mschap:NT-Response}:-00}"
>
> OR
>
> winbind_username = "%{mschap:User-Name}"
> winbind_domain = "%{mschap:NT-Domain}"
>
> Both ways are working, but now I'm hanging a little bit. Currently I'm
> using this config in /mods-available/mschap:
>
> winbind_username = "%{mschap:User-Name}"
> winbind_domain = "%{mschap:NT-Domain}"
>
> (ntlm_auth = ... is commented out)
>
> I have an AD group "WLAN".
>
> How can I authenticate against this group? Is there any
> directive like
> "winbind_group = "?
>
> Regards
>
> Micha
Mandi! Micha Ballmann via samba
In chel di` si favelave...

> How can I authenticate against this group? Is there any directive like
> "winbind_group = "?

I've looked at docs and code, and it seems not. You can:

a) use ntlm_auth, with option '--require-membership-of='; group names containing spaces are not supported, use the SID

b) use module LDAP and do an AD ldap query, as Louis suggests.

-- 
dott. Marco Gaiarin                                   GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia''           http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA! http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
(tax code 00307430132, category ONLUS or RICERCA SANITARIA)
Thanks, I enabled "ntlm_auth" and disabled the other one. Added "--require-membership-of='DOMAIN\wlan'". It works! But I'll also try how it works with LDAP!

Regards

Micha

On 21.10.2019 at 14:30, Marco Gaiarin via samba wrote:
> Mandi! Micha Ballmann via samba
> In chel di` si favelave...
>
>> How can I authenticate against this group? Is there any directive like
>> "winbind_group = "?
> I've looked at docs and code, and it seems not.
>
> You can:
>
> a) use ntlm_auth, with option '--require-membership-of='; group names
> containing spaces are not supported, use the SID
>
> b) use module LDAP and do an AD ldap query, as Louis suggests.
>
On Mon, 2019-10-21 at 14:30 +0200, Marco Gaiarin via samba wrote:
> Mandi! Micha Ballmann via samba
> In chel di` si favelave...
>
> > How can I authenticate against this group? Is there any directive
> > like
> > "winbind_group = "?
>
> I've looked at docs and code, and it seems not.
>
> You can:
>
> a) use ntlm_auth, with option '--require-membership-of='; group names
> containing spaces are not supported, use the SID

This is the most efficient way of doing it, as it uses the pre-calculated group list provided by the SamLogon reply. However it is also quite blunt, because there is no/little distinguishing between logon failures and group membership failures.

Perhaps there is a way to do that with the winbind module? That is more efficient in very high-load situations (no fork/exec overhead, re-uses the same socket). If not, someone should add it.

Andrew Bartlett

-- 
Andrew Bartlett                       https://samba.org/~abartlet/
Authentication Developer, Samba Team  https://samba.org
Samba Developer, Catalyst IT          https://catalyst.net.nz/services/samba
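As an added example (not from the thread, the Samba wiki or the FreeRADIUS project), here are the two approaches Marco lists written out as FreeRADIUS 3.x configuration, side by side. Option (a) is the ntlm_auth line from Micha's first message with --require-membership-of appended, using the group SID as Marco advises for names with spaces. Option (b) uses the ldap module's group section plus an unlang check in the inner-tunnel authorize section, so that a bad password and a missing WLAN membership produce different rejects, which is the trade-off Andrew describes. The domain name MYDOMAIN, the server and base DN, the bind account, the SID and the ntlm_auth path are placeholders.

```text
# --- Option (a): mods-available/mschap (ntlm_auth path is a placeholder)
mschap {
    # --require-membership-of rejects at the winbind/SamLogon level. Group
    # names with spaces are not accepted; pass the group SID instead.
    # The SID below is a placeholder, not a real group.
    ntlm_auth = "/usr/bin/ntlm_auth --allow-mschapv2 --request-nt-key --username=%{mschap:User-Name} --domain=MYDOMAIN --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00} --require-membership-of=S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-NNNN"
    # For a group name without spaces, the form Micha used also works:
    #   --require-membership-of='MYDOMAIN\wlan'
}

# --- Option (b): mods-available/ldap (server, bind DN and base DN are placeholders)
ldap {
    server = "dc1.mydomain.example"
    identity = "CN=radius,CN=Users,DC=mydomain,DC=example"
    password = "placeholder"
    base_dn = "DC=mydomain,DC=example"

    user {
        base_dn = "${..base_dn}"
        filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
    }

    # Group lookup by name via the user's memberOf attribute.
    group {
        base_dn = "${..base_dn}"
        filter = "(objectClass=group)"
        name_attribute = cn
        membership_attribute = "memberOf"
    }
}

# --- sites-available/inner-tunnel, authorize section (PEAP/MSCHAPv2 inner request).
# ldap must run before the check so LDAP-Group can be evaluated; a user who
# is not in WLAN is rejected with its own Reply-Message instead of a generic
# authentication failure.
authorize {
    # ... other modules as shipped ...
    ldap
    if (!(LDAP-Group == "WLAN")) {
        update reply {
            Reply-Message := "user is not a member of the WLAN group"
        }
        reject
    }
    mschap
    eap
    # ...
}
```

With option (a) a user outside WLAN receives the same Access-Reject as a user with a wrong password, and only the winbind log tells the two apart; with option (b) the reject reason is visible in the RADIUS reply and in radiusd -X output, at the cost of an extra LDAP query per authentication. Option (a) only applies when mschap is configured with ntlm_auth; the winbind_username/winbind_domain path has no equivalent directive, which matches Marco's reading of the code.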