Using machine auth from a remote eduroam site

Alex Sharaz alex.sharaz at york.ac.uk
Wed Apr 4 15:08:51 CEST 2018


OK, had some success with machine auth.

Setting up winbind with

        winbind_username = "%{mschap:User-Name}"
        winbind_domain = "ITS.YORK.AC.UK"

I managed to get auths to work but the client was reauthenticating every second!

Using

        ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=ITS.YORK.AC.UK --username=%{mschap:User-Name} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"

and the 1 sec reauths stop and I've got a session.

On 31 March 2018 at 02:07, Isaac Boukris <iboukris at gmail.com> wrote:
> Hi,
>
> On Fri, Mar 30, 2018 at 8:32 PM, Isaac Boukris <iboukris at gmail.com> wrote:
>>> On 27 March 2018 at 03:05, Isaac Boukris <iboukris at gmail.com> wrote:
>>>> On Mon, Mar 26, 2018 at 8:03 PM, Alex Sharaz via Freeradius-Users
>>>> <freeradius-users at lists.freeradius.org> wrote:
>>>>>         winbind_username = "%{Stripped-User-Name}"
>>>>>         winbind_domain = "ITS.YORK.AC.UK"
>>
>>
>> BTW, the default configuration is:
>> winbind_username = "%{mschap:User-Name}"
>>
>> This pulls out the first fqdn component and appends a dollar sign at
>> the end - so it may help.
>
>
> FYI, I've just tested machine authentication (with samba git master)
> using the default config of:
>         winbind_username = "%{mschap:User-Name}"
>         winbind_domain = "%{mschap:NT-Domain}"
>
> And it worked ok for both a computer from the local domain and one
> from a child domain.
>
> I think it should work fine as long as the DNS suffix of the machine
> matches its domain (like: HOST/hostname.child.domain.com) as that's
> how 'mschap:NT-Domain' guesses the domain name.
> Otherwise, if you have mapping knowledge from DNS suffix to domain
> names, then you can set 'winbind_domain' manually instead of using
> 'mschap:NT-Domain'; however, leave 'winbind_username' set to
> 'mschap:User-Name'.
>
> Otherwise, the only way I can think of to reliably look up a machine's
> name and domain from its service principal is using the global catalog
> service (in the local domain).
>
> Example on my lab machine member of domain ACME.COM, and looking up a
> service from child domain CDOM.ACME.COM, coming with DNS suffix of
> 'local.net':
>
> $ ldapsearch -h wdc.acme.com -D administrator at ACME.COM -p 3268
> servicePrincipalName=HOST/IEWIN7C.local.net sAMAccountName
> distinguishedName msDS-PrincipalName canonicalName -W
> # LDAPv3
> # base <> (default) with scope subtree
> # filter: servicePrincipalName=HOST/IEWIN7C.local.net
> # requesting: sAMAccountName distinguishedName msDS-PrincipalName canonicalName
>
> dn: CN=IEWIN7C,CN=Computers,DC=CDOM,DC=acme,DC=com
> distinguishedName: CN=IEWIN7C,CN=Computers,DC=CDOM,DC=acme,DC=com
> sAMAccountName: IEWIN7C$
> canonicalName: CDOM.acme.com/Computers/IEWIN7C
> msDS-PrincipalName: CDOM\IEWIN7C$
>
>
> HTH
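The thread turns on what `%{mschap:User-Name}` and `%{mschap:NT-Domain}` derive from a machine identity such as `host/IEWIN7C.local.net` (first FQDN component plus `$`; first DNS label after the hostname as the domain guess), and on Isaac's suggestion of mapping DNS suffixes to domain names by hand when that guess is wrong. The following is an added illustration of that derivation, written for this discussion; it is not rlm_mschap's own code, and the `suffix_map` argument is an assumed stand-in for whatever suffix-to-domain knowledge a site keeps.

```python
"""Derive the winbind username and domain for a machine-auth identity.

Added example for the FreeRADIUS machine-auth discussion. It mimics the
behaviour described in the thread (not rlm_mschap's implementation):
  - DOMAIN\\account identities split on the backslash;
  - host/fqdn identities yield <first label>$ as the account and, unless
    a DNS-suffix mapping overrides it, the first label after the hostname
    (uppercased) as the domain guess;
  - anything else is treated as a plain user identity with no domain.
"""

from typing import Dict, Optional, Tuple


def derive_winbind_identity(
    identity: str,
    suffix_map: Optional[Dict[str, str]] = None,
) -> Tuple[str, Optional[str]]:
    """Return (winbind_username, winbind_domain) for an EAP/MS-CHAP identity.

    suffix_map (assumed, site-specific) maps a DNS suffix such as
    "local.net" to the NT domain it actually belongs to, e.g. "CDOM",
    covering the case where the DNS suffix does not match the AD domain.
    """
    mapping = {k.lower(): v for k, v in (suffix_map or {}).items()}

    # Form 1: NT-style "DOMAIN\account" - domain is explicit.
    if "\\" in identity:
        domain, _, account = identity.partition("\\")
        return account, domain.upper()

    # Form 2: machine identity "host/fqdn" - derive both parts from the FQDN.
    if identity.lower().startswith("host/"):
        fqdn = identity[len("host/"):]
        labels = fqdn.split(".")
        username = labels[0] + "$"              # computer account name
        suffix = ".".join(labels[1:]).lower()   # DNS suffix after the hostname
        if suffix in mapping:                   # site knows the real domain
            return username, mapping[suffix].upper()
        if len(labels) > 1 and labels[1]:       # guess: first label after host
            return username, labels[1].upper()
        return username, None                   # bare hostname, nothing to guess

    # Form 3: ordinary user identity - winbind_domain must come from config.
    return identity, None


def render_winbind_config(
    identity: str, suffix_map: Optional[Dict[str, str]] = None
) -> str:
    """Render the two mschap module settings a given identity would resolve to.

    Useful when checking, before touching the live config, whether a static
    winbind_domain is needed for a particular DNS suffix.
    """
    username, domain = derive_winbind_identity(identity, suffix_map)
    domain_line = (
        f'        winbind_domain = "{domain}"' if domain
        else '        winbind_domain = "<unresolved - set manually>"'
    )
    return f'        winbind_username = "{username}"\n{domain_line}'


if __name__ == "__main__":
    # Constructed identities modelled on the thread's examples.
    for ident in ("host/IEWIN7C.local.net", "CDOM\\IEWIN7C$", "alice"):
        print(f"# {ident}")
        print(render_winbind_config(ident, {"local.net": "CDOM"}))
```

Running it with the `local.net` mapping reproduces the thread's case: the guess from the FQDN alone would be `LOCAL`, which is wrong for a computer that lives in `CDOM.acme.com`, whereas the mapping yields `CDOM`, matching the `msDS-PrincipalName: CDOM\IEWIN7C$` returned by the global-catalog query above.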

