Are multiple ntdomain realms possible?

wekz fbl.list at gmail.com
Fri Jun 9 22:04:23 CEST 2006


Thank you Phil. I didn't have time to test it yet.

I had to install a previous release so I modified the cb.c function. I know
what I've done is awful but it was an extreme solution. I'll test yours next
week and reinstall the server as soon as possible.

Thanks again

2006/6/7, Phil Mayers <p.mayers at imperial.ac.uk>:
>
> wekz wrote:
> > And if they are, what effect does with_ntdomain_hack=yes have? Does it
> > affect all of them?
> >
> > Well, hi all, I hope I haven't been too direct ;)
> >
> > I'm getting into more trouble as I do more complex configurations.
> >
> > I ask this because first I had to authenticate users by machine
> > authentication. The users in this case send a User-Name like
> > host/username and the only way I found to make this work was to use an
> > ntdomain realm with "/" as the delimiter and enable with_ntdomain_hack.
> > The other options strip the User-Name but then the packets don't match
> > EAP-Identity (at least one of them), which is why I used ntdomain, for
>
> Yes, this is a pain. The correct thing to do is below
>
> > being able to use with_ntdomain_hack.
>
> FreeRadius 1.1.0 has code to do this for you - it will take names of the
> form "host/blah" and turn them into "blah$" *IF* you are using the
> "%{mschap:User-Name}" expansion. The "%{User-Name}" is left alone,
> meaning EAP carries on working.
>
> >
> > Now I've got PDA users that send domain\username and if I don't use
> > ntdomain & with_ntdomain_hack it fails. So, that's why I ask whether
> > multiple ntdomains are allowed and how.
>
> Again, this is annoying.
>
> The best way I've found is to have this:
>
> proxy.conf (contains only "real" domains)
>
> realm THEDOMAINNAME {
>    type = radius
>    authhost = LOCAL
>    accthost = LOCAL
>    # see [1] for strip
>    strip
> }
>
> realm DEFAULT {
>    type = radius
>    authhost = LOCAL
>    accthost = LOCAL
>    # see [1] for strip
>    strip
> }
>
> realm NULL {
>    type = radius
>    authhost = LOCAL
>    accthost = LOCAL
>    # see [1] for strip
>    strip
> }
>
> radiusd.conf (portions omitted):
>
> modules {
>    mschap {
>      authtype = MS-CHAP
>      with_ntdomain_hack = yes
>      # this all goes on one line
>      # see [2] for mschap:User-Name
>      ntlm_auth = "/path/ntlm_auth --request-nt-key \
>        --username=%{mschap:User-Name} \
>        --challenge=%{mschap:Challenge:-00} \
>        --nt-response=%{mschap:NT-Response:-00}"
>    }
>
>    realm ntdomain {
>      format = prefix
>      delimiter = "\\"
>      ignore_default = no
>      ignore_null = no
>    }
> }
>
> authorize {
>    preprocess
>    ntdomain
>    eap
>    mschap
> }
>
> The various bits ensure:
>
>   1. "strip" in the realms means there is always a realm-free
> "%{Stripped-User-Name}" variable, useful for e.g. LDAP/file/SQL searches.
>
>   2. The "with_ntdomain_hack" creates an mschap:User-Name variable which
> will always have the domain stripped correctly - "dom\user" goes to
> "user", and "host/machine" goes to "machine$".
>
> >
> > Any method or idea will be welcome.
> >
> > Thanks
> >
> >
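As an added illustration (not code from the thread or from FreeRADIUS), here is a small Python model of the three name variables Phil's configuration produces for one incoming User-Name. The realm names THEDOMAINNAME, DEFAULT and NULL come from the quoted proxy.conf; the fall-through order, the case-insensitive realm match and the sample names are assumptions of the model.

```python
r"""Model of the User-Name handling in the quoted configuration (added example,
not FreeRADIUS code). It imitates:
  * realm ntdomain { format = prefix, delimiter = "\\" } splitting "DOM\user"
  * realm THEDOMAINNAME / DEFAULT / NULL, each with "strip", so a realm-free
    Stripped-User-Name always exists for LDAP/SQL/file lookups
  * with_ntdomain_hack turning "DOM\user" into "user" and "host/machine" into
    "machine$" for %{mschap:User-Name}, while %{User-Name} stays untouched so
    the EAP identity check keeps matching.
"""
from dataclasses import dataclass
from typing import Tuple

# Realms listed explicitly in the quoted proxy.conf (DEFAULT and NULL are special).
KNOWN_REALMS = {"THEDOMAINNAME"}


@dataclass(frozen=True)
class NormalisedName:
    user_name: str           # %{User-Name}: original attribute, never modified
    realm: str               # proxy.conf realm block that matched
    stripped_user_name: str  # %{Stripped-User-Name}: realm removed
    mschap_user_name: str    # %{mschap:User-Name}: what ntlm_auth receives


def ntdomain_realm(user_name: str) -> Tuple[str, str]:
    r"""realm ntdomain, format=prefix, delimiter="\\": (realm block, stripped name)."""
    domain, sep, user = user_name.partition("\\")
    if not sep:
        # No delimiter: falls through to realm NULL (ignore_null = no).
        return "NULL", user_name
    if domain.upper() in KNOWN_REALMS:
        return domain.upper(), user
    # Delimiter present but realm unknown: realm DEFAULT (ignore_default = no).
    return "DEFAULT", user


def mschap_user_name(user_name: str) -> str:
    r"""with_ntdomain_hack = yes: 'DOM\user' -> 'user', 'host/machine' -> 'machine$'."""
    if user_name.startswith("host/"):
        return user_name[len("host/"):] + "$"
    return user_name.rpartition("\\")[2]


def normalise(user_name: str) -> NormalisedName:
    """Derive all three variables for one incoming User-Name."""
    realm, stripped = ntdomain_realm(user_name)
    return NormalisedName(user_name, realm, stripped, mschap_user_name(user_name))
```

Running `normalise("host/pc01")` shows the point of the thread: the realm module leaves `host/pc01` in Stripped-User-Name, but the mschap expansion hands `pc01$` to ntlm_auth while User-Name itself is unchanged.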