ntlm_auth with special characters

Nathan L. Cable nathan at filmwest.com
Sun Aug 6 04:41:47 CEST 2006


Hi all,

I am trying to set up FreeRadius (1.09.5-1.2, bundled with Redhat FC5) to
authenticate off of a Win2k3 server.  I have tested the setup, and
everything works fine.  However, we run quite a large domain, and I would
like to restrict access to users in appropriate groups.  I can do that if I
use the SID for the group, but not if I want to use the regular group name.

For example, the following will work when put in the MSCHAP module:

ntlm_auth = "/usr/bin/ntlm_auth --require-membership-of=S-1-2-3-4
--request-nt-key --domain=MYDOMAIN.COM --username=%{mschap:User-Name}
--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"

However, when I use a Windows group, such as the following...

ntlm_auth = "/usr/bin/ntlm_auth --require-membership-of='WKGRP/Wireless
Users' --request-nt-key --domain=MYDOMAIN.COM --username=%{mschap:User-Name}
--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"

...FreeRadius spits out the following error message:

utils/ntlm_auth.c:get_require_membership_sid(237)
Winbindd lookupname failed to resolve 'WKGRP\Wireless into a SID!
What appears to be happening is that when Radius gets to the space in the
group name, it jumps to the next argument in the line, disregarding the "
Users'" part of the group.  I've tried several different variations on
escape characters, with no success.

Just as further info, I have also been able to successfully run the
ntlm_auth program outside of radius with the offending command, and it works
fine.

What is the appropriate syntax to use when using long group names in the
radiusd.conf file, or will I need to stick to using Windows SID numbers?

Thanks for your time (and thought),

Nathan Cable
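The truncation described in the post, reproduced as an added example (this is not code from the post or from FreeRADIUS). It does not model FreeRADIUS's real argument parser; it only contrasts plain whitespace splitting with shell-style splitting on the same ntlm_auth line, so you can see where the group name breaks, and it adds a small pre-flight check that flags a --require-membership-of value that will not survive whitespace splitting unless it is a SID. The one-line NTLM_AUTH_LINE string is the post's configuration joined back together (the line wrapping is mail formatting), the SID pattern is a loose assumption, and the function names are mine.

```python
import re
import shlex

# Constructed sample: the ntlm_auth line from the post, joined onto one line.
# The SID in S-1-2-3-4 is the post's placeholder, not a real group SID.
NTLM_AUTH_LINE = (
    "/usr/bin/ntlm_auth --require-membership-of='WKGRP/Wireless Users' "
    "--request-nt-key --domain=MYDOMAIN.COM --username=%{mschap:User-Name} "
    "--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
)

MEMBERSHIP_FLAG = "--require-membership-of="

# Loose SID shape (assumption): S-1-<authority>-<subauthority>... with at
# least one subauthority. Good enough to tell a SID from a group name.
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


def naive_argv(line):
    """Split on whitespace only, ignoring quotes (the behaviour the post observes)."""
    return line.split()


def shell_argv(line):
    """Split the way a POSIX shell would, honouring single and double quotes."""
    return shlex.split(line)


def membership_value(argv):
    """Return the value handed to --require-membership-of, or None if absent."""
    for arg in argv:
        if arg.startswith(MEMBERSHIP_FLAG):
            return arg[len(MEMBERSHIP_FLAG):]
    return None


def is_sid(value):
    return bool(SID_RE.match(value))


def check_membership_value(value):
    """Findings a reviewer would want before committing this value to radiusd.conf.

    Returns a list of strings; an empty list means the value is safe under
    whitespace-only splitting.
    """
    findings = []
    if value is None:
        findings.append("no --require-membership-of given: group restriction is not enforced")
        return findings
    if is_sid(value):
        return findings  # SIDs contain no whitespace or quotes; nothing to flag
    if any(ch.isspace() for ch in value):
        findings.append(
            "group name contains whitespace; whitespace-only splitting will "
            "truncate it and winbindd will fail to resolve the partial name"
        )
    if value[:1] in ("'", '"') or value[-1:] in ("'", '"'):
        findings.append("quote characters are part of the value, not stripped by the splitter")
    return findings


if __name__ == "__main__":
    for name, splitter in (("whitespace", naive_argv), ("shell", shell_argv)):
        value = membership_value(splitter(NTLM_AUTH_LINE))
        print(f"{name:10s} -> {value!r}")
        for finding in check_membership_value(value):
            print("  !", finding)
    print("SID form ->", check_membership_value("S-1-2-3-4") or "ok")
```

Run it and the whitespace splitter yields `'WKGRP/Wireless` (the quote is kept, the group name is cut at the space, and `Users'` becomes a separate token), which is exactly the partial name in the winbindd error; the shell splitter keeps `WKGRP/Wireless Users` intact. The check function is the practical takeaway: a value that is a SID passes unconditionally, which is why the SID variant in the post works regardless of how the line is tokenised.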