Using machine auth from a remote eduroam site
Alex Sharaz
alex.sharaz at york.ac.uk
Mon Mar 26 18:59:28 CEST 2018
Haven't gone near the Samba config for a long, long time. It all worked,
so left well alone.
I'll look at the wiki.
A
On 26 March 2018 at 17:44, Adam Bishop <Adam.Bishop at jisc.ac.uk> wrote:
> On 26 Mar 2018, at 17:12, Alex Sharaz via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
>> I'm using winbindd on our Tier 1 FR servers. Guess I need to create
>> another mschap instance specifically for machine auths and point it at
>> another part of the AD tree.
>
> I have never gotten machine authentication to work so have no idea what I'm talking about, but would that be necessary?
>
> Unless you've written some samba config to change the behaviour, I believe ntlm_auth looks at the entire tree - ntlm_auth/libwbclient are happy to authenticate any valid user regardless of position in the tree.
>
> The wiki mentions an interesting snippet of information - it suggests you might need to send "00" as the username:
> http://wiki.freeradius.org/guide/freeradius-active-directory-integration-howto#introduction_mods-available-mschap
>
> I'd also look suspiciously at how the backslashes are being handled (packet capture and see what's really being put on the wire?), and the docs by nt_domain_hack in rlm_preprocess, which suggest you may need to mangle the username.
>
> Adam Bishop
>
> gpg: E75B 1F92 6407 DFDF 9F1C BF10 C993 2504 6609 D460
>
> jisc.ac.uk
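Not part of the thread above: an added Python example for the packet-capture check suggested in the quoted reply. It pulls User-Name out of a raw RADIUS packet and reports how many backslashes are really on the wire and what is left once a DOMAIN\ prefix is dropped. The sample packet, the EXAMPLE domain and the host names are constructed, and treating a host/ prefix or a trailing $ as a machine name is an assumption about what the supplicant sends.

```python
import struct

USER_NAME = 1  # RADIUS attribute type for User-Name (RFC 2865)

def radius_user_name(packet: bytes) -> bytes:
    """Return the User-Name value from a RADIUS packet, byte for byte."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length field")
    pos = 20  # code, id, length and the 16-byte authenticator
    while pos + 2 <= length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        if attr_type == USER_NAME:
            return packet[pos + 2:pos + attr_len]
        pos += attr_len
    raise ValueError("no User-Name attribute")

def describe(raw: bytes) -> dict:
    """Report backslash count and the name left once a DOMAIN\\ prefix is dropped."""
    name = raw.decode("utf-8", errors="replace")
    domain, sep, rest = name.rpartition("\\")
    stripped = rest if sep else name
    if name.startswith("host/"):
        form = "host/ machine name"  # assumption: supplicant's machine form
    elif stripped.endswith("$"):
        form = "machine account"     # assumption: trailing $ marks a machine
    else:
        form = "user"
    return {"wire": name, "backslashes": name.count("\\"),
            "domain": domain.rstrip("\\"), "stripped": stripped, "form": form}

def build_request(user_name: bytes) -> bytes:
    """Constructed Access-Request (zeroed authenticator) standing in for a capture."""
    body = bytes([4, 6, 192, 0, 2, 1])  # NAS-IP-Address 192.0.2.1
    body += bytes([USER_NAME, len(user_name) + 2]) + user_name
    return struct.pack("!BBH", 1, 7, 20 + len(body)) + bytes(16) + body

if __name__ == "__main__":
    # Constructed names: one backslash, a doubled backslash, and the host/ form.
    for sample in (b"EXAMPLE\\PC01$", b"EXAMPLE\\\\PC01$", b"host/pc01.example.org"):
        print(describe(radius_user_name(build_request(sample))))
```

A backslash count of 2 for a name typed with a single backslash means something between the supplicant and the server escaped it before it reached the wire.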