Freeradius Multiple Disjoint Ad Domains
Arnab Roy
arnabroy at mail.com
Mon May 22 21:09:58 CEST 2017
Hi Matthew,
Sorry I am back with this one. After digging through tons of Samba
source I have finally managed to reach a stage where Winbind is now
running completely separately, so I just need to sort out ntlm_auth.
Looking through the source code I stumbled upon the following file in
nsswitch and saw your name as the author :) hope it's the same Matthew
:)
nsswitch/wb_common.c
Now, previously it seems like it was possible to set the Winbind socket
directory via an environment variable (
http://samba.2283325.n4.nabble.com/NTLM-Authentication-against-multiple-domain-comtrollers-td3024825.html )
This seems to have gone now, looking at the code:
static const char *winbindd_socket_dir(void)
{
	/* Only the self-test build (nss_wrapper) honours the env override. */
	if (nss_wrapper_enabled()) {
		const char *env_dir;
		env_dir = getenv("SELFTEST_WINBINDD_SOCKET_DIR");
		if (env_dir != NULL) {
			return env_dir;
		}
	}
	/* Otherwise the directory is fixed at build time. */
	return WINBINDD_SOCKET_DIR;
}
Can you see any issues if I changed this to return a custom environment
variable instead? Also, from a FR perspective, I am considering
chrooting ntlm_auth?
Your help is much appreciated.
Many Thanks
Arnab
Sent: Monday, May 22, 2017 at 12:37 PM
From: "Matthew Newton" <mcn4 at leicester.ac.uk>
To: "FreeRadius users mailing list"
<freeradius-users at lists.freeradius.org>
Subject: Re: Freeradius Multiple Disjoint Ad Domains
On Mon, May 22, 2017 at 01:27:53PM +0200, Arnab Roy wrote:
> The problem seems to be ntlm_auth doesn't see that the winbindd
> privileged pipe and winbindd socket is running in a custom directory.
IIRC ntlm_auth connects to winbindd using the /tmp/.winbindd/pipe
pipe, and then queries winbindd over that pipe what the location of
the priv pipe is.
So if you've got two winbindds both with /tmp/.winbindd/pipe, only
one of those is going to work.
Assuming the two copies of Samba were compiled with different
locations then it might work. I'd be inclined to strace all the
things and see what's really happening.
I'd expect that if you built Samba and installed in /opt/samba1/
and /opt/samba2/ and then ran /opt/samba1/ntlm_auth and
/opt/samba2/ntlm_auth that the locations would probably be
separate and all would be OK.
But running two copies of Samba on the same box is hardly a
standard setup, so you're likely to be on your own.
Or you could just proxy the RADIUS request to a separate VM with
another instance of Samba on it and save the unusual setup.
Matthew
--
Matthew Newton, Ph.D. <mcn4 at leicester.ac.uk>
Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United
Kingdom
For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
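The question above is whether winbindd_socket_dir() could simply return a custom environment variable. The following is an added illustration, not Samba's code and not anything either poster wrote: it puts the unguarded override next to a guarded one. ntlm_auth inherits its environment from whatever launches it, so an override that is honoured unconditionally lets anyone who controls that environment point the helper at a different winbindd pipe; the guarded version refuses the override when the process runs setuid/setgid and when the value is not a clean absolute path. The default directory value and the variable name WINBINDD_SOCKET_DIR are assumptions chosen for the example; the quoted Samba function only honours SELFTEST_WINBINDD_SOCKET_DIR when nss_wrapper is enabled.

```c
#define _POSIX_C_SOURCE 200809L
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Build-time default, standing in for Samba's WINBINDD_SOCKET_DIR
 * (the actual value depends on the build; this one is assumed). */
#define WINBINDD_SOCKET_DIR "/var/run/samba/winbindd"

/* Hypothetical override variable for this example. */
#define WINBINDD_SOCKET_DIR_ENV "WINBINDD_SOCKET_DIR"

/* Non-zero when the process holds privileges its caller does not
 * (setuid/setgid): the environment then comes from an untrusted party. */
static int running_privileged(void)
{
	return getuid() != geteuid() || getgid() != getegid();
}

/* Accept only absolute paths of sane length without ".." components. */
static int socket_dir_is_sane(const char *dir)
{
	size_t n;

	if (dir == NULL || dir[0] != '/') {
		return 0;
	}
	n = strlen(dir);
	if (n >= PATH_MAX) {
		return 0;
	}
	if (strstr(dir, "/../") != NULL) {
		return 0;
	}
	if (n >= 3 && strcmp(dir + n - 3, "/..") == 0) {
		return 0;
	}
	return 1;
}

/* The change as asked about: trust the environment unconditionally. */
const char *winbindd_socket_dir_naive(void)
{
	const char *env_dir = getenv(WINBINDD_SOCKET_DIR_ENV);

	return env_dir != NULL ? env_dir : WINBINDD_SOCKET_DIR;
}

/* Guarded variant: fall back to the build-time directory when privileged
 * or when the override is not an absolute, ".."-free path. */
const char *winbindd_socket_dir_guarded(void)
{
	const char *env_dir = getenv(WINBINDD_SOCKET_DIR_ENV);

	if (env_dir == NULL || running_privileged() ||
	    !socket_dir_is_sane(env_dir)) {
		return WINBINDD_SOCKET_DIR;
	}
	return env_dir;
}

/* Build the path of the public pipe ("<dir>/pipe") that ntlm_auth
 * would connect to first. Returns 0 on success, -1 if buf is too small. */
int winbindd_pipe_path(char *buf, size_t len)
{
	int n = snprintf(buf, len, "%s/pipe", winbindd_socket_dir_guarded());

	return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

int main(void)
{
	char path[PATH_MAX];

	if (winbindd_pipe_path(path, sizeof(path)) == 0) {
		printf("ntlm_auth would connect to %s\n", path);
	}
	return 0;
}
```

With two separately installed Samba trees the guarded variant lets each ntlm_auth be pointed at its own winbindd by the process that launches it, while a setuid copy or a relative value such as `../../tmp/rogue` still lands on the compiled-in directory.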