Add $ to end of machine account uid

Cody Jarrett cody.jarrett at itfreedom.com
Fri Jul 6 19:10:11 CEST 2007


I've about got it, but now I am getting an EAP error that the username 
isn't correct.

I added this above preprocess:
attr_rewrite add-dollar-sign {
        attribute = User-Name
        searchfor = "^host/(.*)"
        searchin = packet
        new_attribute = no
        replacewith = "%{1}$"
}

I've added add-dollar-sign to the authorize { section.

rad_recv: Access-Request packet from host 10.1.22.11:2135, id=64, length=168
        NAS-IP-Address = 10.1.22.11
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 12
        Framed-MTU = 1400
        User-Name = "host/itf-toshiba-asd"
        Calling-Station-Id = "000e35ff2a82"
        Called-Station-Id = "00186ecfa600"
        NAS-Identifier = "ap01.intranet.domain.com"
        EAP-Message = 0x02010019234486f73742f6974662d746f73686962612d617364
        Message-Authenticator = 0x2b72b4ab80aaf3aa96b4613f3ab872341d
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
radius_xlat:  '^host/(.*)'
radius_xlat:  'itf-toshiba-asd$'
rlm_attr_rewrite: Changed value for attribute User-Name from 
'host/itf-toshiba-asd' to 'itf-toshiba-asd$'
  modcall[authorize]: module "add-dollar-sign" returns ok for request 2
  modcall[authorize]: module "preprocess" returns ok for request 2
  modcall[authorize]: module "chap" returns noop for request 2
  modcall[authorize]: module "mschap" returns noop for request 2
    rlm_realm: No '\' in User-Name = "itf-toshiba-asd$", looking up 
realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "DOMAIN" returns noop for request 2
  rlm_eap: EAP packet type response id 1 length 25
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 2
rlm_ldap: Entering ldap_groupcmp()
radius_xlat:  'dc=domain,dc=com'
radius_xlat:  '(uid=itf-toshiba-asd$)'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=domain,dc=com, with filter 
(uid=itf-toshiba-asd$)
rlm_ldap: ldap_release_conn: Release Id: 0
radius_xlat:  '(&(objectClass=posixGroup)(memberUid=itf-toshiba-asd$))'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=domain,dc=com, with filter 
(&(cn=wireless)(&(objectClass=posixGroup)(memberUid=itf-toshiba-asd$)))
rlm_ldap::ldap_groupcmp: User found in group wireless
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "files" returns notfound for request 2
rlm_ldap: - authorize
rlm_ldap: performing user authorization for itf-toshiba-asd$
radius_xlat:  '(uid=itf-toshiba-asd$)'
radius_xlat:  'dc=domain,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=domain,dc=com, with filter 
(uid=itf-toshiba-asd$)
rlm_ldap: checking if remote access for itf-toshiba-asd$ is allowed by uid
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding sambaAcctFlags as SMB-Account-CTRL-TEXT, value 
[W          ] & op=21
rlm_ldap: Adding sambaNTPassword as NT-Password, value 
78389E5DE0CCA3A288568FADB746063D & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user itf-toshiba-asd$ authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 2
modcall: leaving group authorize (returns updated) for request 2
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 2
rlm_eap: Identity does not match User-Name, setting from EAP Identity.
  rlm_eap: Failed in handler
  modcall[authenticate]: module "eap" returns invalid for request 2
modcall: leaving group authenticate (returns invalid) for request 2
auth: Failed to validate the user.
Delaying request 2 for 1 seconds



A.L.M.Buxey at lboro.ac.uk wrote:
> Hi,
>   
>> I need machines to be able to authenticate so that when a user who has 
>> never logged onto a computer can, by the machine have an active network 
>> connection and pulling the credentials from the samba-ldap domain. I 
>> have a realm setup to strip the domain/ part of the username which works 
>> fine, but I need to figure out how to add a $ at the end of anything 
>> that tries to connect as uid=host/computername. I'm sure I can figure 
>> out how to strip the host prefix, but can't quite figure out how to add 
>> the $ to the end. Thanks.
>>     
>
> use the link on the novell site as per the discussions earlier today.
>
> alan
> - 
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
>   
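As an added illustration (not part of the original post, and not FreeRADIUS code) of why the debug output ends in "Identity does not match User-Name": the attr_rewrite block changes only the User-Name attribute, while the EAP Identity travels inside the EAP-Message payload and is left as "host/...", so rlm_eap sees two different names. The script below applies the same host/NAME -> NAME$ rewrite to a constructed radiusd -X excerpt, decodes the identity from the EAP-Response/Identity bytes, and flags the mismatch; the sample EAP-Message is re-encoded for a clean parse and is not the packet from the post.

```python
import re

# Constructed sample modelled on the debug output in the post; the
# EAP-Message is a freshly encoded EAP-Response/Identity for "host/itf-toshiba-asd".
SAMPLE_REQUEST = """\
        NAS-IP-Address = 10.1.22.11
        User-Name = "host/itf-toshiba-asd"
        EAP-Message = 0x0201001901686f73742f6974662d746f73686962612d617364
"""

EAP_RESPONSE = 2       # EAP Code field: Response
EAP_TYPE_IDENTITY = 1  # EAP Type field: Identity


def parse_attrs(debug_text):
    """Collect the 'Name = value' pairs radiusd -X prints for one packet."""
    attrs = {}
    for line in debug_text.splitlines():
        m = re.match(r'\s*([\w-]+) = (.*)$', line)
        if m:
            attrs[m.group(1)] = m.group(2).strip('"')
    return attrs


def rewrite_machine_name(user_name):
    """Same transform as the attr_rewrite block: host/NAME -> NAME$."""
    return re.sub(r'^host/(.*)', r'\1$', user_name)


def eap_identity(eap_message_hex):
    """Return the Identity carried in an EAP-Response/Identity, else None."""
    raw = bytes.fromhex(eap_message_hex[2:] if eap_message_hex.startswith('0x') else eap_message_hex)
    if len(raw) < 5:
        return None
    code, length = raw[0], int.from_bytes(raw[2:4], 'big')
    if code != EAP_RESPONSE or raw[4] != EAP_TYPE_IDENTITY or length != len(raw):
        return None
    return raw[5:length].decode('utf-8', errors='replace')


def check_rewrite(debug_text):
    """Report whether the rewritten User-Name diverges from the EAP Identity."""
    attrs = parse_attrs(debug_text)
    rewritten = rewrite_machine_name(attrs['User-Name'])
    identity = eap_identity(attrs['EAP-Message'])
    return {
        'user_name': rewritten,        # what LDAP sees after the rewrite
        'eap_identity': identity,      # what rlm_eap sees inside the EAP payload
        'mismatch': identity is not None and identity != rewritten,
    }
```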