Efficient AD group matching via the new wbclient interface

Matthew Newton mcn at freeradius.org
Tue Feb 13 15:49:35 CET 2018


On Tue, 2018-02-13 at 09:07 -0500, Alan DeKok wrote:
> On Feb 10, 2018, at 10:22 AM, Isaac Boukris <iboukris at gmail.com>
> wrote:
> > I am working on improving AD group matching for mschap authentication,
> > taking advantage of the new wbclient direct interface which returns
> > the user's token (including group membership SIDs) as part of NTLM
> > authentication.
> > 
> > Work in progress:
> > https://github.com/frenche/freeradius-server/commit/9af7dfd634a251f68b07064603ccbbca308492bf
> 
>   It looks good.

Yes, it's good to use the SIDs that are returned from
wbcCtxAuthenticateUserEx as you get them for free, rather than having
to query winbindd for them again.

I'm not sure why you're creating AD-Group-SID in the outer - just
create it in the current virtual server lists, and let the admin copy
it to the outer if they need to using unlang.

> > I'm now thinking on how to implement the caching of group-name to SID
> > mapping with configurable timeout, ideally using existing interface -
> > ideas welcome.
> 
>   The "cache" module should be able to do that.  My $0.02 is to just
> create the mappings, and let the rest of the policies decide what to
> cache (or not).

Sounds sensible to me.

> > @mcnewton, I noticed at last there is a similar group-compare function
> > in v4 branch, though I think the two actually can complete each other.
> 
>   I'd like Matthew's comments, too.

I'm not sure if the same caveat applies to this as to using
wbcCtxGetGroups; probably worth checking this reply:

https://lists.samba.org/archive/samba-technical/2016-November/116996.html

I'd imagine it is the same.

The good thing about your method is that you can /only/ use it after
authentication, so that forces the data to be recent, at least.

It also really needs to compare group names, and make SIDs the
secondary comparison method. Names are nice and easy for admins, SIDs
are things that should generally stay hidden.

-- 
Matthew
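As an added illustration of the matching order discussed above (admin-facing group names first, literal SIDs as the secondary form, and the name-to-SID mapping cached with a configurable timeout), here is example Python code that is not part of this thread or of FreeRADIUS. The sample token SIDs, the EXAMPLE domain group names and the `lookup_name` stand-in for winbind's name lookup are constructed for the example.

```python
import time

# Constructed sample data: a domain SID and the SIDs a winbind token might
# carry for one authenticated user (a group RID, Domain Users, Everyone).
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
TOKEN_SIDS = [DOMAIN_SID + "-1107", DOMAIN_SID + "-513", "S-1-1-0"]

# Stand-in for a name lookup against winbind (e.g. wbcLookupName); keys are
# lower-cased "DOMAIN\name" strings. Assumed directory contents, not real data.
_DIRECTORY = {
    "example\\vpn users": DOMAIN_SID + "-1107",
    "example\\domain users": DOMAIN_SID + "-513",
}


def lookup_name(name):
    """Resolve a group name to its SID, or None if the name is unknown."""
    return _DIRECTORY.get(name.lower())


class NameSidCache:
    """Name-to-SID cache with a TTL; misses is the number of backend lookups."""

    def __init__(self, ttl, clock=time.monotonic):
        self.ttl, self.clock, self.misses, self._entries = ttl, clock, 0, {}

    def resolve(self, name):
        now, key = self.clock(), name.lower()
        hit = self._entries.get(key)
        if hit and hit[1] > now:          # still within the configured timeout
            return hit[0]
        self.misses += 1
        sid = lookup_name(name)
        if sid is not None:               # negative results are not cached here
            self._entries[key] = (sid, now + self.ttl)
        return sid


def user_in_group(token_sids, group, cache):
    """True if the token from authentication contains the configured group.

    group is normally a name (easy for admins); a literal SID is accepted as
    the secondary form and compared directly against the token.
    """
    if group.upper().startswith("S-1-"):
        wanted = group.upper()
    else:
        wanted = cache.resolve(group)
        if wanted is None:                # unknown name: no match, no exception
            return False
    return wanted in {s.upper() for s in token_sids}
```

Because the token SIDs come from the authentication itself, membership reflects the state at login time; only the name-to-SID mapping is subject to the cache timeout.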
