Michael Jones
2022-Feb-13 22:37 UTC
[Samba] Using Linux domain member machine account for WPA-Enterprise authentication
I've noticed that when a Windows computer that is in my domain connects to my WPA-Enterprise wifi it first attempts to authenticate with the SSID using the domain member's machine account, instead of prompting the user to enter their own credentials.

Has anyone ever tried to do this with a Linux domain member?

For example, my linux domain member laptop uses Network Manager as the GUI, with Intel Wireless Daemon as the wifi card driver. Currently the two programs aren't seamlessly integrated, so I need to write my own config file for IWD that has username / password settings. Such as

~ # cat /var/lib/iwd/MySSID.8021x
[Security]
EAP-Method=PEAP
EAP-Identity=NETWORK-1\\anonymous
EAP-PEAP-Phase2-Method=MSCHAPV2
EAP-PEAP-Phase2-Identity=NETWORK-1\\jonesmz
EAP-PEAP-Phase2-Password=PASSWORD-GOES-HERE

[Settings]
AutoConnect=true

However, what I'd really like to do is have a linux domain member first attempt to use the machine account to authenticate with the freeradius / domain controller servers prior to prompting for user credentials, and if user credentials are needed, first attempt to use the domain credentials for the currently logged in user before prompting. Similar to how it works in Windows 10.

Is there any prior art for this in the linux world?

Would a solution look like a script that Samba calls when the machine account is updated periodically, that writes out an iwd file?

Or would it be better to have iwd call a program to fetch each credential to try in turn, however it does so?

I'm no stranger to writing code, so that doesn't bother me. But I don't know what the right approach is, or if there's anything out there that gets me part of the way.
Kees van Vloten
2023-Oct-20 15:40 UTC
[Samba] Using Linux domain member machine account for WPA-Enterprise authentication
Hi Michael and Samba-team,

I found the message below on the list, but it looks like nobody replied to it.

I have the configuration set up on the Samba side and indeed it works on Windows with machine-account authentication. It connects to wifi before a user logs in and there is no chance of lockout due to an expired user password in the wifi configuration.

I would love to have the same working on my Linux domain-member clients.

@Michael, did you manage to get it working? Or somebody else on the list perhaps :-) ?

- Kees.

On 13-02-2022 at 23:37, Michael Jones via samba wrote:
> I've noticed that when a Windows computer that is in my domain connects to
> my WPA-Enterprise wifi it first attempts to authenticate with the SSID
> using the domain member's machine account, instead of prompting the user to
> enter their own credentials.
>
> Has anyone ever tried to do this with a Linux domain member?
>
> For example, my linux domain member laptop uses Network Manager as the GUI,
> with Intel Wireless Daemon as the wifi card driver. Currently the two
> programs aren't seamlessly integrated, so I need to write my own config
> file for IWD that has username / password settings. Such as
>
>
> ~ # cat /var/lib/iwd/MySSID.8021x
> [Security]
> EAP-Method=PEAP
> EAP-Identity=NETWORK-1\\anonymous
> EAP-PEAP-Phase2-Method=MSCHAPV2
> EAP-PEAP-Phase2-Identity=NETWORK-1\\jonesmz
> EAP-PEAP-Phase2-Password=PASSWORD-GOES-HERE
>
> [Settings]
> AutoConnect=true
>
> However, what I'd really like to do is have a linux domain member first
> attempt to use the machine account to authenticate with the freeradius /
> domain controller servers prior to prompting for user credentials, and if
> user credentials are needed, first attempt to use the domain credentials
> for the currently logged in user before prompting. Similar to how it works
> in Windows 10.
>
> Is there any prior art for this in the linux world?
>
> Would a solution look like a script that Samba calls when the machine
> account is updated periodically, that writes out an iwd file?
>
> Or would it be better to have iwd call a program to fetch each credential
> to try in turn, however it does so?
>
> I'm no stranger to writing code, so that doesn't bother me. But I don't
> know what the right approach is, or if there's anything out there that gets
> me part of the way.