FR 3.0.11 \ ubuntu 16.04 winbind Active directory group validation issue.

Jean-Pierre Zurbrügg jp.zurbrugg at gmail.com
Wed Jun 8 21:24:07 CEST 2016


Thank you for getting back to me so quickly Alan.


>> In the DGP site's Post-Auth {} section I'm trying to validate the
>> 'Group' Attribute via the following IF statement:
>> if (Group == "ADLAB\\\\fw-wifi-access") {} which generates the
>> following line while debugging:
>> Failed resolving GID: No error
>
>   The "Group" attribute checks Unix groups.  If you've put in configuration to map Unix groups to Samba / AD, it should work.

Hmm, I mistakenly thought this info came from winbind. I executed
'groups aduserx' and received the groups the user is a member of,
including "fw-wifi-access" without a domain prefix.

'getent group' is not returning the domain groups though. I'm
currently trying to correct this. Thanks for the tip!


>> While troubleshooting I changed the IF statement to: if (Group ==
>> "ADLAB\\fw-wifi-access") {}
>> and this time I no longer get the 'Failed resolving GID: No error'
>> entry but the IF statement
>> returns false instead of true (the AD user is a member of this group).
>
>   You've posted the debug output with four back-slashes, not the debug output with two backslashes.

True, here is the output for the two backslashes:
getpwnam ADLAB\aduserx
getgrnam ADLAB\fw-wifi-access
child daemon request 59
msrpc_name_to_sid: name=ADLAB\FW-WIFI-ACCESS
name_to_sid [rpc] ADLAB\FW-WIFI-ACCESS for domain ADLAB
rpc_api_pipe: host dc01.digepres.local
rpc_write_send: data_to_write: 176
rpc_read_send: data_to_read: 208
Finished processing child request 59
child daemon request 59
Finished processing child request 59

>> I don't know what else to check in order to correct this problem. I'd
>> appreciate any tips given.
>
>   Upgrade to 3.0.11.

I'd like to clarify that I'm having these issues on the 3.0.11 build
running under Ubuntu 16.04. FR 3.0.4 is running fine on Ubuntu 14.04.

JP
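
Added example, not part of the original post and not FreeRADIUS code: a small Python check that repeats the two NSS lookups visible in the winbind log above (getpwnam, then getgrnam) and then compares the primary GID and the group's member list. That comparison step is an assumption about how the Unix-group check behaves; the sample users, groups and GIDs are constructed.

```python
import grp
import pwd
import sys
from collections import namedtuple

def unix_group_check(user, group, getpwnam=pwd.getpwnam, getgrnam=grp.getgrnam):
    """Return (matched, reason) for a Unix-group membership test via NSS."""
    try:
        pw = getpwnam(user)
    except KeyError:
        return False, "user does not resolve (getpwnam failed)"
    try:
        gr = getgrnam(group)
    except KeyError:
        return False, "group does not resolve (getgrnam failed)"
    if pw.pw_gid == gr.gr_gid:
        return True, "group is the user's primary group"
    if pw.pw_name in gr.gr_mem:
        return True, "user is listed in the group's member list"
    return False, "group resolves, but user is not in its member list"

# Constructed sample data standing in for NSS answers; not taken from the thread.
Pw = namedtuple("Pw", "pw_name pw_gid")
Gr = namedtuple("Gr", "gr_name gr_gid gr_mem")
SAMPLE_USERS = {"ADLAB\\aduserx": Pw("ADLAB\\aduserx", 10513)}
SAMPLE_GROUPS = {
    "ADLAB\\fw-wifi-access": Gr("ADLAB\\fw-wifi-access", 11105, []),  # no members returned
    "ADLAB\\vpn-users": Gr("ADLAB\\vpn-users", 11106, ["ADLAB\\aduserx"]),
}

def sample_getpwnam(name):
    return SAMPLE_USERS[name]  # raises KeyError like pwd.getpwnam

def sample_getgrnam(name):
    return SAMPLE_GROUPS[name]  # raises KeyError like grp.getgrnam

if __name__ == "__main__":
    if len(sys.argv) == 3:  # real lookup: script.py 'ADLAB\aduserx' 'ADLAB\fw-wifi-access'
        print(unix_group_check(sys.argv[1], sys.argv[2]))
    else:  # no arguments: run against the constructed data above
        for g in ("ADLAB\\fw-wifi-access", "ADLAB\\vpn-users", "fw-wifi-access"):
            print(g, unix_group_check("ADLAB\\aduserx", g, sample_getpwnam, sample_getgrnam))
```

Run with a user and a group name as arguments to query the host's real NSS configuration; the reason string separates a name that does not resolve from a group that resolves without listing the user.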

