rlm_winbind group membership check

Евгений Подберезкин epodber at gmail.com
Thu Oct 26 07:59:23 CEST 2017


Hi.

I need to authenticate Wi-Fi users via PEAP (MSCHAP) with group checking
against Windows Active Directory. We have several domains linked by
transitive trusts. Basic authentication via winbind works fine. But since the
groups may be in different domains, I must check group membership with a
domain prefix, and I cannot set up rlm_winbind to work correctly. Could
you help me, please?

root@chtpzfreeradius:/opt/sbin# cat /opt/etc/raddb/users | grep -v "#"

DEFAULT Winbind-Group == "CHTPZ0\\wifi_chtpz"
        Service-Type = Framed-User,
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-ID := "165"

DEFAULT Auth-Type := Reject
        Reply-Message = "Groups do not match"

root@chtpzfreeradius:/opt/sbin# cat /opt/etc/raddb/mods-enabled/winbind | grep -v "#"

winbind {
        winbind_username = "%{%{Stripped-User-Name}:-%{User-Name}}"
        group {
                group_search_username = "%{%{Stripped-User-Name}:-%{User-Name}}"
                group_add_domain = no
        }
        pool {
                start = ${thread[pool].start_servers}
                min = ${thread[pool].min_spare_servers}
                max = ${thread[pool].max_servers}
                spare = ${thread[pool].max_spare_servers}
                uses = 0
                retry_delay = 30
                lifetime = 86400
                cleanup_interval = 300
                idle_timeout = 600
        }
}


Output of radiusd -Xx shows that the module strips the domain part of the group name.

Thu Oct 26 09:58:52 2017 : (7.0)    files -   EXPAND %{%{Stripped-User-Name}:-%{User-Name}}
Thu Oct 26 09:58:52 2017 : (7.0)    files -     %{%{Stripped-User-Name}:-%{User-Name}}
Thu Oct 26 09:58:52 2017 : (7.0)    files -     Parsed xlat tree:
Thu Oct 26 09:58:52 2017 : XLAT-IF {
Thu Oct 26 09:58:52 2017 : (7.0)    files -         attribute --> Stripped-User-Name
Thu Oct 26 09:58:52 2017 : }
Thu Oct 26 09:58:52 2017 : XLAT-ELSE {
Thu Oct 26 09:58:52 2017 : (7.0)    files -         attribute --> User-Name
Thu Oct 26 09:58:52 2017 : }
Thu Oct 26 09:58:52 2017 : (7.0)    files -   --> CHTPZ0\\epodberezkin
Thu Oct 26 09:58:52 2017 : (7.0)    files -   Reserved connection (4)
Thu Oct 26 09:58:52 2017 : (7.0)    files -   Trying to find user "CHTPZ0\epodberezkin" in group "CHTPZ0\wifi_chtpz"
Thu Oct 26 09:58:53 2017 : (7.0)    files -   Successfully retrieved user's groups
Thu Oct 26 09:58:53 2017 : (7.0)    files -   Resolved GID 10004 to name "CHTPZ0\domain users"
Thu Oct 26 09:58:53 2017 : (7.0)    files -   Checking plain group name "domain users"
Thu Oct 26 09:58:53 2017 : (7.0)    files -   Resolved GID 10026 to name "CHTPZ0\msk2_docs_инструкции_r"
Thu Oct 26 09:58:53 2017 : (7.0)    files -   Checking plain group name "msk2_docs_инструкции_r"
Thu Oct 26 09:58:53 2017 : (7.0)    files -   Resolved GID 10027 to name "CHTPZ0\bad_sites"
Thu Oct 26 09:58:53 2017 : (7.0)    files -   Checking plain group name "bad_sites"
Thu Oct 26 09:58:53 2017 : (7.0)    files -   Resolved GID 10028 to name "CHTPZ0\wallpaper_disable"
Thu Oct 26 09:58:53 2017 : (7.0)    files -   Checking plain group name "wallpaper_disable"
Thu Oct 26 09:58:53 2017 : (7.0)    files -   Resolved GID 10029 to name "CHTPZ0\ucc-archive-read"
Thu Oct 26 09:58:53 2017 : (7.0)    files -   Checking plain group name "ucc-archive-read"
Thu Oct 26 09:58:53 2017 : (7.0)    files -   Resolved GID 10030 to name "CHTPZ0\acs_administrartor"
Thu Oct 26 09:58:53 2017 : (7.0)    files -   Checking plain group name "acs_administrartor"
Thu Oct 26 09:58:53 2017 : (7.0)    files -   Resolved GID 10020 to name "CHTPZ0\wwwg"
Thu Oct 26 09:58:53 2017 : (7.0)    files -   Checking plain group name "wwwg"
Thu Oct 26 09:58:53 2017 : (7.0)    files -   Resolved GID 10031 to name "CHTPZ0\h239_xray_read"
Thu Oct 26 09:58:53 2017 : (7.0)    files -   Checking plain group name "h239_xray_read"
Thu Oct 26 09:58:53 2017 : (7.0)    files -   Resolved GID 10032 to name "CHTPZ0\administrators-chtpzsfbfe1"
Thu Oct 26 09:58:53 2017 : (7.0)    files -   Checking plain group name "administrators-chtpzsfbfe1"
Thu Oct 26 09:58:53 2017 : (7.0)    files -   Resolved GID 10033 to name "CHTPZ0\administrators-chtpzsfbdb1"
Thu Oct 26 09:58:53 2017 : (7.0)    files -   Checking plain group name "administrators-chtpzsfbdb1"
Thu Oct 26 09:58:53 2017 : (7.0)    files -   Resolved GID 10034 to name "CHTPZ0\цит-интернет"
Thu Oct 26 09:58:53 2017 : (7.0)    files -   Checking plain group name "цит-интернет"
Thu Oct 26 09:58:53 2017 : (7.0)    files -   Resolved GID 10035 to name "CHTPZ0\password policy high"
Thu Oct 26 09:58:53 2017 : (7.0)    files -   Checking plain group name "password policy high"
Thu Oct 26 09:58:53 2017 : (7.0)    files -   Resolved GID 10036 to name "CHTPZ0\csadministrator"
Thu Oct 26 09:58:53 2017 : (7.0)    files -   Checking plain group name "csadministrator"
Thu Oct 26 09:58:53 2017 : (7.0)    files -   Resolved GID 10037 to name "CHTPZ0\rtcuniversalserverreadonlygroup"
Thu Oct 26 09:58:53 2017 : (7.0)    files -   Checking plain group name "rtcuniversalserverreadonlygroup"
Thu Oct 26 09:58:53 2017 : (7.0)    files -   Resolved GID 10038 to name "CHTPZ0\rtcuniversalglobalwritegroup"
Thu Oct 26 09:58:53 2017 : (7.0)    files -   Checking plain group name "rtcuniversalglobalwritegroup"
Thu Oct 26 09:58:53 2017 : (7.0)    files -   Resolved GID 10039 to name "CHTPZ0\csserveradministrator"
Thu Oct 26 09:58:53 2017 : (7.0)    files -   Checking plain group name "csserveradministrator"
Thu Oct 26 09:58:53 2017 : (7.0)    files -   Resolved GID 10040 to name "CHTPZ0\rtcuniversalglobalreadonlygroup"
Thu Oct 26 09:58:53 2017 : (7.0)    files -   Checking plain group name "rtcuniversalglobalreadonlygroup"
Thu Oct 26 09:58:53 2017 : (7.0)    files -   Resolved GID 10041 to name "CHTPZ0\rtcuniversalserveradmins"
Thu Oct 26 09:58:53 2017 : (7.0)    files -   Checking plain group name "rtcuniversalserveradmins"
Thu Oct 26 09:58:53 2017 : (7.0)    files -   Resolved GID 10042 to name "CHTPZ0\rtcuniversaluserreadonlygroup"
Thu Oct 26 09:58:53 2017 : (7.0)    files -   Checking plain group name "rtcuniversaluserreadonlygroup"
Thu Oct 26 09:58:53 2017 : (7.0)    files -   Resolved GID 10043 to name "CHTPZ0\vpn_1ceh_video"
Thu Oct 26 09:58:53 2017 : (7.0)    files -   Checking plain group name "vpn_1ceh_video"
Thu Oct 26 09:58:53 2017 : (7.0)    files -   Resolved GID 10016 to name "CHTPZ0\1с chtpzfile2"
Thu Oct 26 09:58:53 2017 : (7.0)    files -   Checking plain group name "1с chtpzfile2"
Thu Oct 26 09:58:53 2017 : (7.0)    files -   Resolved GID 10044 to name "CHTPZ0\wi-fi_dip"
Thu Oct 26 09:58:53 2017 : (7.0)    files -   Checking plain group name "wi-fi_dip"
Thu Oct 26 09:58:53 2017 : (7.0)    files -   Resolved GID 10045 to name "CHTPZ0\vpndip"
Thu Oct 26 09:58:53 2017 : (7.0)    files -   Checking plain group name "vpndip"
Thu Oct 26 09:58:53 2017 : (7.0)    files -   Resolved GID 10046 to name "CHTPZ0\wifi local"
Thu Oct 26 09:58:53 2017 : (7.0)    files -   Checking plain group name "wifi local"
Thu Oct 26 09:58:53 2017 : (7.0)    files -   Resolved GID 10015 to name "CHTPZ0\proxyusers"
Thu Oct 26 09:58:53 2017 : (7.0)    files -   Checking plain group name "proxyusers"
Thu Oct 26 09:58:53 2017 : (7.0)    files -   Resolved GID 10014 to name "CHTPZ0\управление по работе с соц.объектами(чтение)"
Thu Oct 26 09:58:53 2017 : (7.0)    files -   Checking plain group name "управление по работе с соц.объектами(чтение)"
Thu Oct 26 09:58:53 2017 : (7.0)    files -   Resolved GID 10047 to name "CHTPZ0\серверные (запись)"
Thu Oct 26 09:58:53 2017 : (7.0)    files -   Checking plain group name "серверные (запись)"
Thu Oct 26 09:58:53 2017 : (7.0)    files -   Resolved GID 10012 to name "CHTPZ0\rever1"
Thu Oct 26 09:58:53 2017 : (7.0)    files -   Checking plain group name "rever1"
Thu Oct 26 09:58:53 2017 : (7.0)    files -   Resolved GID 10048 to name "CHTPZ0\dhcp users"
Thu Oct 26 09:58:53 2017 : (7.0)    files -   Checking plain group name "dhcp users"
Thu Oct 26 09:58:53 2017 : (7.0)    files -   Resolved GID 10011 to name "CHTPZ0\день информирования (чтение)"
Thu Oct 26 09:58:53 2017 : (7.0)    files -   Checking plain group name "день информирования (чтение)"
Thu Oct 26 09:58:53 2017 : (7.0)    files -   Resolved GID 10049 to name "CHTPZ0\wifi vip"
Thu Oct 26 09:58:53 2017 : (7.0)    files -   Checking plain group name "wifi vip"
Thu Oct 26 09:58:53 2017 : (7.0)    files -   Resolved GID 10050 to name "CHTPZ0\zavod"
Thu Oct 26 09:58:53 2017 : (7.0)    files -   Checking plain group name "zavod"
Thu Oct 26 09:58:53 2017 : (7.0)    files -   Resolved GID 10051 to name "CHTPZ0\zip(запись)"
Thu Oct 26 09:58:53 2017 : (7.0)    files -   Checking plain group name "zip(запись)"
Thu Oct 26 09:58:53 2017 : (7.0)    files -   Resolved GID 10010 to name "CHTPZ0\охрана труда_ цех №1(чтение)"
Thu Oct 26 09:58:53 2017 : (7.0)    files -   Checking plain group name "охрана труда_ цех №1(чтение)"
Thu Oct 26 09:58:53 2017 : (7.0)    files -   Resolved GID 10052 to name "CHTPZ0\asa_vpn_users"
Thu Oct 26 09:58:53 2017 : (7.0)    files -   Checking plain group name "asa_vpn_users"
Thu Oct 26 09:58:53 2017 : (7.0)    files -   Resolved GID 10053 to name "CHTPZ0\_система технического учета (запись)"
Thu Oct 26 09:58:53 2017 : (7.0)    files -   Checking plain group name "_система технического учета (запись)"
Thu Oct 26 09:58:53 2017 : (7.0)    files -   Resolved GID 10054 to name "CHTPZ0\департамент по тк (запись)"
Thu Oct 26 09:58:53 2017 : (7.0)    files -   Checking plain group name "департамент по тк (запись)"
Thu Oct 26 09:58:53 2017 : (7.0)    files -   Resolved GID 10055 to name "CHTPZ0\users chtpz-cit"
Thu Oct 26 09:58:53 2017 : (7.0)    files -   Checking plain group name "users chtpz-cit"
Thu Oct 26 09:58:53 2017 : (7.0)    files -   Resolved GID 10008 to name "CHTPZ0\l(чтение)"
Thu Oct 26 09:58:53 2017 : (7.0)    files -   Checking plain group name "l(чтение)"
*Thu Oct 26 09:58:53 2017 : (7.0)    files -   Resolved GID 10056 to name "CHTPZ0\wifi_chtpz"*
*Thu Oct 26 09:58:53 2017 : (7.0)    files -   Checking plain group name "wifi_chtpz"*
Thu Oct 26 09:58:53 2017 : (7.0)    files -   Resolved GID 10057 to name "CHTPZ0\vnc_access"
Thu Oct 26 09:58:53 2017 : (7.0)    files -   Checking plain group name "vnc_access"
Thu Oct 26 09:58:53 2017 : (7.0)    files -   Resolved GID 10058 to name "CHTPZ0\vnc_moscow"
Thu Oct 26 09:58:53 2017 : (7.0)    files -   Checking plain group name "vnc_moscow"
Thu Oct 26 09:58:53 2017 : (7.0)    files -   Resolved GID 10059 to name "CHTPZ0\ciscoms"
Thu Oct 26 09:58:53 2017 : (7.0)    files -   Checking plain group name "ciscoms"
Thu Oct 26 09:58:53 2017 : (7.0)    files -   Resolved GID 10006 to name "CHTPZ0\ts2008"
Thu Oct 26 09:58:53 2017 : (7.0)    files -   Checking plain group name "ts2008"
Thu Oct 26 09:58:53 2017 : (7.0)    files -   Resolved GID 10060 to name "CHTPZ0\ооо универсальные системы"
Thu Oct 26 09:58:53 2017 : (7.0)    files -   Checking plain group name "ооо универсальные системы"
Thu Oct 26 09:58:53 2017 : (7.0)    files -   Resolved GID 10061 to name "CHTPZ0\oss_members"
Thu Oct 26 09:58:53 2017 : (7.0)    files -   Checking plain group name "oss_members"
Thu Oct 26 09:58:53 2017 : (7.0)    files -   Resolved GID 10001 to name "BUILTIN\users"
Thu Oct 26 09:58:53 2017 : (7.0)    files -   Checking plain group name "users"
*Thu Oct 26 09:58:53 2017 : (7.0)    files -   No groups found that match*
Thu Oct 26 09:58:53 2017 : (7.0)    files -   Released connection (4)


P.S. And could you also tell me the recommended (more stable) version of
FreeRADIUS with rlm_winbind?
root@chtpzfreeradius:/opt# cat /etc/debian_version
9.2


More information about the Freeradius-Users mailing list