Using machine auth from a remote eduroam site

Alex Sharaz alex.sharaz at york.ac.uk
Mon Mar 26 19:03:18 CEST 2018


Currently using

        winbind_username = "%{Stripped-User-Name}"
        winbind_domain = "ITS.YORK.AC.UK"

No ntlm_auth in sight ... must check what stripped username has in it
for username of the form host/........

A

On 26 March 2018 at 17:59, Alex Sharaz <alex.sharaz at york.ac.uk> wrote:
> Haven't gone near the samba config for a long long time. It all worked
> so left well alone
>
> I'll look at the wiki
> A
>
> On 26 March 2018 at 17:44, Adam Bishop <Adam.Bishop at jisc.ac.uk> wrote:
>> On 26 Mar 2018, at 17:12, Alex Sharaz via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
>>> I'm using winbindd on our Tier 1 FR servers. Guess I need to create
>>> another mschap instance specifically for machine auths and point it at
>>> another part of the AD tree.
>>
>> I have never gotten machine authentication to work so have no idea what I'm talking about, but would that be necessary?
>>
>> Unless you've written some samba config to change the behaviour, I believe ntlm_auth looks at the entire tree - ntlm_auth/libwbclient are happy to authenticate any valid user regardless of position in the tree.
>>
>> The wiki mentions an interesting snippet of information - it suggests you might need to send "00" as the username:
>>   http://wiki.freeradius.org/guide/freeradius-active-directory-integration-howto#introduction_mods-available-mschap
>>
>> I'd also look suspiciously at how the backslashes are being handled (packet capture and see what's really being put on the wire?), and the docs by nt_domain_hack in rlm_preprocess, which suggest you may need to mangle the username.
>>
>> Adam Bishop
>>
>>   gpg: E75B 1F92 6407 DFDF 9F1C  BF10 C993 2504 6609 D460
>>
>> jisc.ac.uk
>>
>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
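
Added example, not part of the thread and not FreeRADIUS code: a Python sketch of the naming question raised above, showing what a `host/...` identity has to become before it matches an AD computer account (short host name plus `$`). The function names and sample identities are constructed, and taking the first DNS label after the host name as the domain is an assumption to verify against the local AD.

```python
"""Added illustration: split a RADIUS User-Name into account and domain
parts for an AD lookup. Constructed for this page; not FreeRADIUS code."""


def split_identity(user_name):
    """Return (account, domain_hint, kind); kind is "machine" or "user"."""
    if user_name.lower().startswith("host/"):
        host, _, rest = user_name[5:].partition(".")
        if not host:
            raise ValueError("empty host name in %r" % user_name)
        # A computer account's sAMAccountName is the short host name plus '$'.
        account = host + "$"
        # Assumption: the first DNS label after the host names the domain.
        domain = rest.split(".", 1)[0] if rest else None
        return account, domain, "machine"
    if "\\" in user_name:
        # DOMAIN\user form; a dropped or doubled backslash changes this split.
        domain, _, account = user_name.partition("\\")
        return account, domain or None, "user"
    if "@" in user_name:
        account, _, realm = user_name.rpartition("@")
        return account, realm or None, "user"
    return user_name, None, "user"


def needs_mangling(user_name, candidate):
    """True when `candidate` (the string about to be used as the winbind
    username) is not the account name derived from `user_name`."""
    account, _, _ = split_identity(user_name)
    return candidate != account


if __name__ == "__main__":
    # Constructed sample identities; none come from a real capture.
    samples = [
        "host/lab-pc01.its.york.ac.uk",
        "ITS\\abc123",
        "abc123@york.ac.uk",
    ]
    for name in samples:
        account, domain, kind = split_identity(name)
        # Worst case: the identity reaches winbind completely unmodified.
        flag = "needs mangling" if needs_mangling(name, name) else "ok as-is"
        print("%-32s %-8s account=%-10s domain=%-12s %s"
              % (name, kind, account, domain, flag))
```

Comparing this output with the username seen in a packet capture or debug log shows whether the value reaching winbind still carries the `host/` prefix or a realm.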


