FR 3.0.11 \ ubuntu 16.04 winbind Active directory group validation issue.

Alan DeKok aland at deployingradius.com
Wed Jun 8 20:07:07 CEST 2016


On Jun 8, 2016, at 1:59 PM, Jean-Pierre Zurbr├╝gg <jp.zurbrugg at gmail.com> wrote:
> I have a freeradius 3.0.4 (git #7c9d5fb) running under ubuntu 14.04
> correctly and I'm Trying to replicate this functionality on a new
> Ubuntu 16.04 LAB VM but I'm having dificulties validating Group
> memberships via a Winbind ~ Active Directory setup. The configuration
> was done manually; I did not copy any files from the FR 3.0.4 machine.

  OK..

> I have disabled sites-enabled/default and put my own site called DGP
> along with a default inner-tunnel configuration file.

  If you're sure you know what you're doing, OK...

> In the DGP site's Post-Auth {} section I'm trying to validate the
> 'Group' Attribute via the following IF statement:
> if (Group == "ADLAB\\\\fw-wifi-access") {} which generates the
> following line while debugging:
> Failed resolving GID: No error

  The "Group" attribute checks Unix groups.  If you've put in configuration to map Unix groups to Samba / AD, it should work.

> winbindd -SFd5 generates the following debug snippet when validating
> the IF statement above:
> ----
> getpwnam ADLAB\userx
> getgrnam ADLAB\\fw-wifi-access
> child daemon request 59
> msrpc_name_to_sid: name=ADLAB\\fw-wifi-access
> name_to_sid [rpc] ADLAB\\fw-wifi-access for domain ADLAB
> rpc_api_pipe: host dc01.adlab.local
> rpc_write_send: data_to_write: 176
> rpc_read_send: data_to_read: 176
> Finished processing child request 59
> Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED

  Which sounds definitive.

> While troubleshooting I changed the IF statement to: if (Group ==
> "ADLAB\\fw-wifi-access") {}
> and this time I no longer get the 'Failed resolving GID: No error'
> entry but the IF statement
> returns false instead of true (the AD user is a member of this group).

  You've posted the debug output with four back-slashes, not the debug output with two backslashes.

  You should probably upgrade to 3.0.11.  We put a LOT of time fixing all of the escaping issues, as noted in the ChangeLog for recent releases.

> I don't know what else to check in order to correct this problem. I'd
> appreciate any tips given.

  Upgrade to 3.0.11.

  Alan DeKok.


More information about the Freeradius-Users mailing list