New User and AD Question
Phil Mayers
p.mayers at imperial.ac.uk
Wed Mar 2 14:05:53 CET 2011
On 02/03/11 12:41, McNutt, Justin M. wrote:
>>> Also, here is the 'mschap' section from a recent attempt.
>>
>> I don't see anything. Did you forget an attachment?
>
> Um... yeah. I'm doing a couple of things at once. Here it is.
>
> Found Auth-Type = EAP
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/mschapv2
> [eap] processing type mschapv2
> [mschapv2] +- entering group MS-CHAP {...}
> [mschap] Told to do MS-CHAPv2 for host/dnps-caplap-4.col.missouri.edu with NT-Password
> [mschap] expand: %{Stripped-User-Name} ->
> [mschap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
> ## NOTE THE NEXT THREE LINES:
> [mschap] expand: %{User-Name:-None} -> host/dnps-caplap-4.col.missouri.edu
As expected - User-Name expands to itself.
> [mschap] expand: --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} -> --username=host/dnps-caplap-4.col.missouri.edu
That is not "%{mschap:User-Name}", i.e. it's misconfigured.
> [mschap] expand: --domain=%{mschap:NT-Domain} -> --domain=col
Ah, yes. Now this I do remember. The %{mschap:NT-Domain} expansion
assumes that in a host account of the form:
host/username.domain.com
...the old-style short domain is "domain". Of course, this falls apart
if you have a disjoint DNS/AD namespace:
host/username.subdomain.domain.com
...or if your new-style DNS domain and old-style NT domain don't match:
host/username.mycompany.com vs. NT domain of "CORP" - mycompany != CORP
The only real solution in this case is to not use the
%{mschap:NT-Domain} expansion - you can't, since there's not enough info
to get the old-style short domain name in all cases.
So, in /etc/raddb/modules/mschap, set (don't include the line
continuation \ I've added):
ntlm_auth = "/path/to/ntlm_auth --request-nt-key \
--username=%{mschap:User-Name} --domain=YOURDOMAIN \
--challenge=... --nt-response=..."
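The domain-guessing behaviour described in the mail, as an added example (not rlm_mschap's own code): a small Python model of what %{mschap:NT-Domain} yields for DOMAIN\user and host/fqdn names, plus an audit that flags User-Names for which the guess cannot equal the real NT domain. The handling of host/ names without any dot (returning no domain) is an assumption of the model, not something stated in the mail.

```python
"""Model of the %{mschap:NT-Domain} guess as described on the list, and an
audit that shows where it breaks.  Added example, not FreeRADIUS source."""


def guess_nt_domain(user_name: str):
    """Return the domain the expansion would guess, or None.

    DOMAIN\\user        -> DOMAIN
    host/name.dom.tld  -> dom   (first DNS label after the hostname)
    host/name          -> None  (assumption: no label to take)
    """
    if "\\" in user_name:
        return user_name.split("\\", 1)[0]
    if user_name.startswith("host/"):
        labels = user_name[len("host/"):].split(".")
        if len(labels) >= 2 and labels[1]:
            return labels[1]
    return None


def audit(user_names, real_nt_domain):
    """Map each User-Name to (guessed domain, guess matches real NT domain).

    Domain comparison is case-insensitive, as Windows treats domain names.
    Any False entry means ntlm_auth would be called with the wrong --domain
    and the fixed --domain=YOURDOMAIN form is needed instead."""
    report = {}
    for name in user_names:
        guess = guess_nt_domain(name)
        ok = guess is not None and guess.lower() == real_nt_domain.lower()
        report[name] = (guess, ok)
    return report


# Constructed sample User-Names built from the cases discussed in the mail.
SAMPLE_NAMES = [
    "host/dnps-caplap-4.col.missouri.edu",  # guess "col": right only if NT domain is COL
    "host/username.subdomain.domain.com",   # disjoint DNS/AD namespace: guess "subdomain"
    "host/username.mycompany.com",          # DNS mycompany.com vs NT domain CORP
    "CORP\\jsmith",                         # explicit DOMAIN\\user form: guess "CORP"
]

if __name__ == "__main__":
    for name, (guess, ok) in audit(SAMPLE_NAMES, "CORP").items():
        print(f"{name:40} -> --domain={guess!s:12} {'OK' if ok else 'WRONG'}")
```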