winbind / ntlm_auth funny
Alex Sharaz
alex.sharaz at york.ac.uk
Thu Jan 18 11:47:10 CET 2018
Hi,
I've been using winbindd for a long time to authenticate York users ... and
it "just works".
We now have a requirement to authenticate another realm via trust
relationship between our AD domain and theirs so
in mods-enabled
copy mschap mschap {
...
}
into mschap mschap_hyms {
}
replace
winbind_username = "%{Stripped-User-Name}"
winbind_domain = "ITS.YORK.AC.UK"
with
winbind_username = "%{Stripped-User-Name}"
winbind_domain = "HYMS.AC.UK"
plus a few other bits to get inner-tunnel to call mschap_hyms as
appropriate
Then run eapol_test to perform an auth attempt and the HYMS AD controller
bounces the auth with a no such user request
Try
ntlm_auth --username=eduroamtest2 --domain=HYMS.AC.UK
and get the same no such user message
However, try
ntlm_auth --username=\eduroamtest2 --domain=HYMS.AC.UK
and get a success after entering a password.
Thought I'd go back to using ntlm_auth in my FR config for HYMS
So how do I prefix Stripped-User-Name with a "\" in inner-tunnel?
A