Using machine auth from a remote eduroam site

Alex Sharaz alex.sharaz at york.ac.uk
Wed Apr 4 16:24:59 CEST 2018


Sort of cancel that, the 1 sec reauth is the client (of course it
couldn't be the server end). Log in as a user, and a machine auth
happens and everything is o.k.

Let the machine hibernate and I can see auths every second. Wake up the
screen and manually connect and everything is o.k. again.

A

On 4 April 2018 at 14:08, Alex Sharaz <alex.sharaz at york.ac.uk> wrote:
> O.k., had some success with machine auth.
>
> Setting up winbind with
>
>         winbind_username = "%{mschap:User-Name}"
>         winbind_domain = "ITS.YORK.AC.UK"
>
> I managed to get auths to work but the client was reauthenticating every second!
>
> Using
>
> ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
> --domain=ITS.YORK.AC.UK --username=%{mschap:User-Name}
> --challenge=%{%{mschap:Challenge}:-00}
> --nt-response=%{%{mschap:NT-Response}:-00}"
>
> and the 1 sec reauths stop and I've got a session.
>
> On 31 March 2018 at 02:07, Isaac Boukris <iboukris at gmail.com> wrote:
>> Hi,
>>
>> On Fri, Mar 30, 2018 at 8:32 PM, Isaac Boukris <iboukris at gmail.com> wrote:
>>>> On 27 March 2018 at 03:05, Isaac Boukris <iboukris at gmail.com> wrote:
>>>>> On Mon, Mar 26, 2018 at 8:03 PM, Alex Sharaz via Freeradius-Users
>>>>> <freeradius-users at lists.freeradius.org> wrote:
>>>>>>         winbind_username = "%{Stripped-User-Name}"
>>>>>>         winbind_domain = "ITS.YORK.AC.UK"
>>>
>>>
>>> BTW, the default configuration is:
>>> winbind_username = "%{mschap:User-Name}"
>>>
>>> This pulls out the first FQDN component and appends a dollar sign at
>>> the end - so it may help.
>>
>>
>> FYI, I've just tested machine authentication (with samba git master)
>> using the default config of:
>>         winbind_username = "%{mschap:User-Name}"
>>         winbind_domain = "%{mschap:NT-Domain}"
>>
>> And it worked ok for both a computer from the local domain and one
>> from a child domain.
>>
>> I think it should work fine as long as the DNS suffix of the machine
>> matches its domain (like: HOST/hostname.child.domain.com) as that's
>> how 'mschap:NT-Domain' guesses the domain name.
>> Otherwise, if you have mapping knowledge from DNS suffix to domain
>> names, then you can set 'winbind_domain' manually instead of using
>> 'mschap:NT-Domain'; however, leave 'winbind_username' set to
>> 'mschap:User-Name'.
>>
>> Otherwise, the only way I can think of to reliably look up a machine's
>> name and domain from its service principal is using the global catalog
>> service (in the local domain).
>>
>> Example on my lab machine, a member of domain ACME.COM, looking up a
>> service from child domain CDOM.ACME.COM that comes with a DNS suffix of
>> 'local.net':
>>
>> $ ldapsearch -h wdc.acme.com -D administrator at ACME.COM -p 3268
>> servicePrincipalName=HOST/IEWIN7C.local.net sAMAccountName
>> distinguishedName msDS-PrincipalName canonicalName -W
>> # LDAPv3
>> # base <> (default) with scope subtree
>> # filter: servicePrincipalName=HOST/IEWIN7C.local.net
>> # requesting: sAMAccountName distinguishedName msDS-PrincipalName canonicalName
>>
>> dn: CN=IEWIN7C,CN=Computers,DC=CDOM,DC=acme,DC=com
>> distinguishedName: CN=IEWIN7C,CN=Computers,DC=CDOM,DC=acme,DC=com
>> sAMAccountName: IEWIN7C$
>> canonicalName: CDOM.acme.com/Computers/IEWIN7C
>> msDS-PrincipalName: CDOM\IEWIN7C$
>>
>>
>> HTH
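To make the derivation discussed in the thread concrete, the following is an added Python model of how the `mschap:User-Name` and `mschap:NT-Domain` expansions turn a machine's host/ identity into a winbind username and domain, plus the "mapping knowledge from DNS suffix to domain" override Isaac describes. It is not FreeRADIUS's or the thread's code; the function names, the `SUFFIX_TO_DOMAIN` map and the sample identities (built from the IEWIN7C/CDOM values in the ldapsearch output) are assumptions.

```python
"""Simplified model of rlm_mschap's User-Name / NT-Domain derivation for
machine auth. Assumption: mirrors the behaviour the thread describes; it is
not FreeRADIUS's own implementation."""
from typing import Optional, Tuple

# Constructed example of "mapping knowledge from DNS suffix to domain name":
# the machine in the thread presents HOST/IEWIN7C.local.net but its computer
# account lives in the child domain CDOM.
SUFFIX_TO_DOMAIN = {"local.net": "CDOM"}


def mschap_user_name(user_name: str) -> str:
    """%{mschap:User-Name}: host/ names become HOSTNAME$ (first FQDN label
    plus a dollar sign); DOMAIN\\user is reduced to the bare user."""
    if user_name.lower().startswith("host/"):
        hostname = user_name[5:].split(".", 1)[0]
        return hostname + "$"
    return user_name.split("\\", 1)[-1]


def mschap_nt_domain(user_name: str) -> Optional[str]:
    """%{mschap:NT-Domain}: for host/ names the guess is the first DNS label
    after the hostname (or the hostname itself when there is no suffix), so it
    is only correct when the machine's DNS suffix matches its AD domain."""
    if user_name.lower().startswith("host/"):
        labels = user_name[5:].split(".")
        return labels[1] if len(labels) > 1 else labels[0]
    if "\\" in user_name:
        return user_name.split("\\", 1)[0]
    return None  # no domain information in a bare user name


def winbind_identity(user_name: str) -> Tuple[str, Optional[str]]:
    """Return (winbind_username, winbind_domain) the way the thread advises:
    keep the mschap:User-Name form, and override the guessed domain from the
    suffix map when the DNS suffix is known not to match the AD domain."""
    domain = mschap_nt_domain(user_name)
    if user_name.lower().startswith("host/") and "." in user_name:
        suffix = user_name[5:].split(".", 1)[1]
        domain = SUFFIX_TO_DOMAIN.get(suffix.lower(), domain)
    return mschap_user_name(user_name), domain
```

Running `winbind_identity("HOST/IEWIN7C.local.net")` shows the difference: the raw guess would send winbind to a domain called "local", while the suffix map yields the CDOM\IEWIN7C$ identity that the global catalog lookup in the thread returned.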

