Kees van Vloten
2023-Oct-20 15:40 UTC
[Samba] Using Linux domain member machine account for WPA-Enterprise authentication
Hi Michael and Samba-team,

I found the message below on the list, but it looks like nobody replied to it.

I have the configuration set up on the Samba side and indeed it works on Windows with machine-account authentication. It connects to wifi before a user logs in and there is no chance of lockout due to an expired user password in the wifi configuration.

I would love to have the same working on my Linux domain-member clients.

@Michael, did you manage to get it working? Or somebody else on the list perhaps :-) ?

- Kees.

On 13-02-2022 at 23:37, Michael Jones via samba wrote:
> I've noticed that when a Windows computer that is in my domain connects to
> my WPA-Enterprise wifi it first attempts to authenticate with the SSID
> using the domain member's machine account, instead of prompting the user to
> enter their own credentials.
>
> Has anyone ever tried to do this with a Linux domain member?
>
> For example, my linux domain member laptop uses Network Manager as the GUI,
> with Intel Wireless Daemon as the wifi card driver. Currently the two
> programs aren't seamlessly integrated, so I need to write my own config
> file for IWD that has username / password settings. Such as
>
> ~ # cat /var/lib/iwd/MySSID.8021x
> [Security]
> EAP-Method=PEAP
> EAP-Identity=NETWORK-1\\anonymous
> EAP-PEAP-Phase2-Method=MSCHAPV2
> EAP-PEAP-Phase2-Identity=NETWORK-1\\jonesmz
> EAP-PEAP-Phase2-Password=PASSWORD-GOES-HERE
>
> [Settings]
> AutoConnect=true
>
> However, what I'd really like to do is have a linux domain member first
> attempt to use the machine account to authenticate with the freeradius /
> domain controller servers prior to prompting for user credentials, and if
> user credentials are needed, first attempt to use the domain credentials
> for the currently logged in user before prompting. Similar to how it works
> in Windows 10.
>
> Is there any prior art for this in the linux world?
>
> Would a solution look like a script that Samba calls when the machine
> account is updated periodically, that writes out an iwd file?
>
> Or would it be better to have iwd call a program to fetch each credential
> to try in turn, however it does so?
>
> I'm no stranger to writing code, so that doesn't bother me. But I don't
> know what the right approach is, or if there's anything out there that gets
> me part of the way.
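As an added illustration (not code from the thread or from Samba/iwd) of the "script that writes out an iwd file" idea from Michael's message: it renders the same `.8021x` layout shown above, but with the machine account in place of the user, and writes it atomically with mode 0600 so the machine password never lands in a world-readable or half-written file. The identity form `DOMAIN\HOST$` and the way the machine password is obtained from Samba are assumptions; the caller supplies the password.

```python
import os
import tempfile
from pathlib import Path


def render_iwd_8021x(domain: str, hostname: str, machine_password: str) -> str:
    """Return an iwd .8021x profile for PEAP/MSCHAPv2 with the domain member's
    machine account. The Phase2 identity DOMAIN\\HOST$ is an assumption that
    mirrors the user-based profile in the thread."""
    # Reject control characters: a stray newline in a value would otherwise
    # let it inject extra keys into the INI-style profile.
    for value in (domain, hostname, machine_password):
        if any(ch in value for ch in "\r\n\0"):
            raise ValueError("control characters are not allowed in profile values")
    machine_account = f"{domain}\\{hostname.upper()}$"
    return (
        "[Security]\n"
        "EAP-Method=PEAP\n"
        f"EAP-Identity={domain}\\anonymous\n"
        "EAP-PEAP-Phase2-Method=MSCHAPV2\n"
        f"EAP-PEAP-Phase2-Identity={machine_account}\n"
        f"EAP-PEAP-Phase2-Password={machine_password}\n"
        "\n"
        "[Settings]\n"
        "AutoConnect=true\n"
    )


def write_profile(path, content: str) -> int:
    """Write the profile to a temp file in the same directory, chmod it 0600
    before any data is written, then rename it over the target so iwd never
    sees a partial file. Returns the permission bits of the written file."""
    path = Path(path)
    path.parent.mkdir(parents=True, exist_ok=True)
    fd, tmp = tempfile.mkstemp(dir=path.parent, prefix=".iwd-")
    try:
        with os.fdopen(fd, "w") as f:
            os.fchmod(f.fileno(), 0o600)
            f.write(content)
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise
    return os.stat(path).st_mode & 0o777


if __name__ == "__main__":
    # Constructed values; the password would come from the machine account
    # password Samba maintains, hooked from whatever renews it (assumption).
    profile = render_iwd_8021x("NETWORK-1", "laptop01", "machine-password-here")
    print(write_profile("/var/lib/iwd/MySSID.8021x", profile))
```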
Luis Peromarta
2023-Oct-20 16:35 UTC
[Samba] Using Linux domain member machine account for WPA-Enterprise authentication
This is very interesting. Could you share your setup?

All the best.

On 20 Oct 2023 at 17:41 +0200, Kees van Vloten <keesvanvloten at gmail.com>, wrote:
>
> I have the configuration setup on the Samba-side and indeed it works on
> Windows with machine-account authentication. It connects to wifi before
> a user logs in and there is no chance of lockout due to an expired user
> password in the wifi configuration.