FR 3.0.11 \ ubuntu 16.04 winbind Active directory group validation issue.
Alan DeKok
aland at deployingradius.com
Wed Jun 8 20:07:07 CEST 2016
On Jun 8, 2016, at 1:59 PM, Jean-Pierre Zurbrügg <jp.zurbrugg at gmail.com> wrote:
> I have a freeradius 3.0.4 (git #7c9d5fb) running under ubuntu 14.04
> correctly and I'm trying to replicate this functionality on a new
> Ubuntu 16.04 LAB VM but I'm having difficulties validating Group
> memberships via a Winbind ~ Active Directory setup. The configuration
> was done manually; I did not copy any files from the FR 3.0.4 machine.
OK..
> I have disabled sites-enabled/default and put my own site called DGP
> along with a default inner-tunnel configuration file.
If you're sure you know what you're doing, OK...
> In the DGP site's Post-Auth {} section I'm trying to validate the
> 'Group' Attribute via the following IF statement:
> if (Group == "ADLAB\\\\fw-wifi-access") {} which generates the
> following line while debugging:
> Failed resolving GID: No error
The "Group" attribute checks Unix groups. If you've put in configuration to map Unix groups to Samba / AD, it should work.
> winbindd -SFd5 generates the following debug snippet when validating
> the IF statement above:
> ----
> getpwnam ADLAB\userx
> getgrnam ADLAB\\fw-wifi-access
> child daemon request 59
> msrpc_name_to_sid: name=ADLAB\\fw-wifi-access
> name_to_sid [rpc] ADLAB\\fw-wifi-access for domain ADLAB
> rpc_api_pipe: host dc01.adlab.local
> rpc_write_send: data_to_write: 176
> rpc_read_send: data_to_read: 176
> Finished processing child request 59
> Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED
Which sounds definitive.
> While troubleshooting I changed the IF statement to:
> if (Group == "ADLAB\\fw-wifi-access") {}
> and this time I no longer get the 'Failed resolving GID: No error'
> entry but the IF statement
> returns false instead of true (the AD user is a member of this group).
You've posted the debug output with four back-slashes, not the debug output with two backslashes.
You should probably upgrade to 3.0.11. We put a LOT of time into fixing all of the escaping issues, as noted in the ChangeLog for recent releases.
> I don't know what else to check in order to correct this problem. I'd
> appreciate any tips given.
Upgrade to 3.0.11.
Alan DeKok.
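
Added example, not part of the original message and not FreeRADIUS or Samba code: a Python check modelled on the winbindd debug lines quoted above. It flags names that reached getpwnam/getgrnam with a doubled backslash separator and tests whether the collapsed name resolves as a Unix group through NSS. The log line shape, the function names and the sample log are assumptions constructed for illustration.

```python
import grp
import re

# Constructed sample, modelled on the winbindd debug lines quoted in the post.
SAMPLE_LOG = r"""
getpwnam ADLAB\userx
getgrnam ADLAB\\fw-wifi-access
Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED
"""

# Assumed line shape: "<nss call> <name>", as in the quoted snippet.
LOOKUP = re.compile(r"^(getpwnam|getgrnam)\s+(\S+)$")


def audit_lookups(log_text):
    """Return (call, name, longest backslash run) for each NSS lookup line."""
    findings = []
    for line in log_text.splitlines():
        m = LOOKUP.match(line.strip())
        if m:
            call, name = m.groups()
            longest = max((len(r) for r in re.findall(r"\\+", name)), default=0)
            findings.append((call, name, longest))
    return findings


def over_escaped(findings):
    """Names that reached NSS with more than one backslash as separator."""
    return [name for _, name, run in findings if run > 1]


def collapse(name):
    """Reduce every run of backslashes to the single DOMAIN\\group separator."""
    return re.sub(r"\\+", lambda m: "\\", name)


def group_resolves(name, lookup=grp.getgrnam):
    """True if NSS (winbind included, when configured) maps the name to a GID."""
    try:
        lookup(name)
        return True
    except KeyError:
        return False


if __name__ == "__main__":
    for bad in over_escaped(audit_lookups(SAMPLE_LOG)):
        fixed = collapse(bad)
        print(f"{bad!r} is over-escaped; {fixed!r} resolves: {group_resolves(fixed)}")
```

Run it on the RADIUS host itself, so the lookup goes through the same NSS and winbind configuration that the `Group` check uses.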