rlm_winbind group membership check

Евгений Подберезкин epodber at gmail.com
Fri Oct 27 06:45:21 CEST 2017


Very grateful for help. I will follow your advice.

2017-10-26 16:39 GMT+05:00 Matthew Newton <mcn at freeradius.org>:

> On Thu, 2017-10-26 at 10:59 +0500, Евгений Подберезкин wrote:
> > I need to authenticate wifi users via PEAP(mschap) with group checking
> > against Windows Active Directory. We have several domains in transitive
> > relations. Basic authentication via winbind works fine. But since the
> > groups may be in different domains, I must check group membership with
> > domain prefix. And I cannot set up rlm_winbind to work correctly. Could
> > you help me, please.
>
> rlm_winbind is only in the development version of the server. It's
> still experimental and not that well tested.
>
> > Output of radiusd -Xx shows that module strips domain part of group name.
>
> > Thu Oct 26 09:58:53 2017 : (7.0)    files -   Resolved GID 10056 to name "CHTPZ0\wifi_chtpz"
> > Thu Oct 26 09:58:53 2017 : (7.0)    files -   Checking plain group name "wifi_chtpz"
>
> The comments in the source say
>
>  "Maybe there should be an option to include the domain in the compared
> group name in case people have multiple domains?"
>
> Running with multiple domains has not been written yet, so I wouldn't
> expect it to work.
>
> > P.S. and could you also tell me the recommended (more stable) version of
> > freerad with rlm_winbind
> > root@chtpzfreeradius:/opt# cat /etc/debian_version
> > 9.2
>
> Run version 3.0.15 and do group checking with LDAP. It's the best way,
> especially for more complicated setups with multiple domains.
>
> --
> Matthew


More information about the Freeradius-Users mailing list