rlm_winbind group membership check

Matthew Newton mcn at freeradius.org
Thu Oct 26 13:39:11 CEST 2017

On Thu, 2017-10-26 at 10:59 +0500, Евгений Подберезкин wrote:
> I need to authenticate wifi users via PEAP(mschap) with group checking
> against windows active directory. We have several domains in transitive
> relations. Basic authentication via winbind works fine. But since the
> groups may be in different domains, I must check group membership with
> domain prefix. And I can not set up rlm_winbind to work correctly. Could
> you help me, please.

rlm_winbind is only in the development version of the server. It's
still experimental and not that well tested.

> Output of radiusd -Xx shows, that module strips domain part of group name.

> Thu Oct 26 09:58:53 2017 : (7.0)    files -   Resolved GID 10056 to name "CHTPZ0\wifi_chtpz"
> Thu Oct 26 09:58:53 2017 : (7.0)    files -   Checking plain group name "wifi_chtpz"

The comments in the source say

 "Maybe there should be an option to include the domain in the compared
group name in case people have multiple domains?"

Running with multiple domains has not been written yet, so I wouldn't
expect it to work.

> P.S. and could you also tell me the recommended (more stable) version of
> freerad with rlm_winbind
> root@chtpzfreeradius:/opt# cat /etc/debian_version
> 9.2

Run version 3.0.15 and do group checking with LDAP. It's the best way,
especially for more complicated setups with multiple domains.
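
Added example (not part of the original message and not FreeRADIUS code): a model of the comparison visible in the quoted debug output, where the resolved name carries the domain but the compared name does not, next to a domain-qualified comparison that fails closed. The OTHERDOM domain, the membership lists and the function names are constructed for illustration.

```python
# Added illustration, not FreeRADIUS code. Every name except
# CHTPZ0\wifi_chtpz is a constructed sample value.

def split_group(name, sep="\\"):
    """Split 'DOMAIN\\group' into (domain, group); domain is None if absent."""
    domain, found, group = name.partition(sep)
    if not found:
        return None, name.casefold()
    return domain.casefold(), group.casefold()

def plain_match(memberships, wanted):
    """Compare with the domain part stripped, as in the debug output."""
    _, wanted_group = split_group(wanted)
    return any(split_group(m)[1] == wanted_group for m in memberships)

def qualified_match(memberships, wanted):
    """Compare domain and group together; refuse an unqualified requirement."""
    wanted_pair = split_group(wanted)
    if wanted_pair[0] is None:
        raise ValueError("required group must carry a domain prefix")
    return any(split_group(m) == wanted_pair for m in memberships)

# Constructed memberships in winbind's DOMAIN\group form, one user per domain.
ALICE = ["CHTPZ0\\Domain Users", "CHTPZ0\\wifi_chtpz"]
BOB = ["OTHERDOM\\Domain Users", "OTHERDOM\\wifi_chtpz"]
REQUIRED = "CHTPZ0\\wifi_chtpz"

def demo():
    return {
        "alice_plain": plain_match(ALICE, REQUIRED),
        # Same short name in a different domain still satisfies the plain check.
        "bob_plain": plain_match(BOB, REQUIRED),
        "alice_qualified": qualified_match(ALICE, REQUIRED),
        "bob_qualified": qualified_match(BOB, REQUIRED),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```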

