New User and AD Question
McNutt, Justin M.
McNuttJ at missouri.edu
Tue Mar 1 17:19:36 CET 2011
> Could you send us the output of radiusd -X for a computer auth?
Done. (See previous message with attachment.)
> If it works for users it should just work for machines.
Perhaps under certain circumstances, but not for us, apparently. Perhaps it's the significant difference between the NT-style domain name and the AD-style domain name. Perhaps it's the multi-domain AD structure. I don't know. I do know that users can successfully authenticate - IF they supply a domain as part of their credentials - and computers cannot. Yet.
> You'll need to make sure you have samba > 3.0.23 [IIRC] [which you seem to
> have] and your ntlm_auth line has to have an appropriately formatted
> User-Name bit e.g. %{mschap:User-Name} (the mschap module will take
> host\\computer.domain.name and turn it into computer$ automatically).
Yup. Samba 3.5.4. Here's the ntlm_auth line used (from mschap module):
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --domain=%{mschap:NT-Domain} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
Interestingly enough, the modules/ntlm_auth file contains something completely different, though I don't think it is in play:
exec ntlm_auth {
        wait = yes
        program = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --password=%{User-Password}"
}
--J
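
Added example, not part of the original message and not FreeRADIUS code: a simplified Python model of how the %{mschap:User-Name} and %{mschap:NT-Domain} expansions in the ntlm_auth line above derive the account and domain arguments from an identity. The parsing rules (a Kerberos-style host/fqdn machine identity, domain taken from the first DNS label after the host name) are assumptions about the module's behaviour, and all sample identities are constructed.

```python
# Simplified model of the %{mschap:User-Name} and %{mschap:NT-Domain}
# expansions. The parsing rules are an assumption about rlm_mschap
# behaviour, written for illustration; this is not the module's code.

def mschap_user_name(user_name):
    """Model of %{mschap:User-Name}."""
    if user_name.startswith("host/"):
        # Machine account: short host name plus a trailing '$'.
        return user_name[5:].split(".", 1)[0] + "$"
    # User account: drop an optional DOMAIN\ prefix.
    return user_name.split("\\", 1)[-1]

def mschap_nt_domain(user_name):
    """Model of %{mschap:NT-Domain}; None means the expansion is empty."""
    if user_name.startswith("host/"):
        labels = user_name[5:].split(".")
        # First DNS label after the host name, or the host name itself.
        return labels[1] if len(labels) > 1 else labels[0]
    if "\\" in user_name:
        return user_name.split("\\", 1)[0]
    return None  # no domain supplied in the identity

def ntlm_auth_identity_args(user_name):
    """Return the --username/--domain arguments ntlm_auth would be given."""
    domain = mschap_nt_domain(user_name)
    # An empty expansion leaves --domain= blank.
    return ["--username=" + mschap_user_name(user_name),
            "--domain=" + (domain or "")]

# Constructed sample identities (not taken from the thread's debug output).
SAMPLES = [
    "CORP\\alice",               # user with an NT-style domain prefix
    "alice",                     # user without a domain
    "host/pc01.ad.example.edu",  # machine, AD-style FQDN
    "host/pc01",                 # machine, short name only
]

if __name__ == "__main__":
    for ident in SAMPLES:
        print(f"{ident!r:30} -> {' '.join(ntlm_auth_identity_args(ident))}")
```

In this model a machine identity yields a DNS label (ad in the sample) as the domain, which is only right when that label equals the NT-style domain name.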