Using machine auth from a remote eduroam site

Isaac Boukris iboukris at gmail.com
Sat Mar 31 03:07:24 CEST 2018 

Hi,

On Fri, Mar 30, 2018 at 8:32 PM, Isaac Boukris <iboukris at gmail.com> wrote:
>> On 27 March 2018 at 03:05, Isaac Boukris <iboukris at gmail.com> wrote:
>>> On Mon, Mar 26, 2018 at 8:03 PM, Alex Sharaz via Freeradius-Users
>>> <freeradius-users at lists.freeradius.org> wrote:
>>>>         winbind_username = "%{Stripped-User-Name}"
>>>>         winbind_domain = "ITS.YORK.AC.UK"
>
>
> BTW, the default configuration is:
> winbind_username = "%{mschap:User-Name}"
>
> This pulls out the first fqdn component and appends a dollar sign at
> the end - so it may help.


FYI, I've just tested machine authentication (with samba git master)
using the default config of:
        winbind_username = "%{mschap:User-Name}"
        winbind_domain = "%{mschap:NT-Domain}"

And it worked ok for both a computer from the local domain and one
from a child domain.

I think it should work fine as long as DNS suffix of the machine
matches its domain (like: HOST/hostname.child.domain.com) as that's
how 'mschap:NT-Domain' guesses the domain name.
Otherwise, if you have mapping knowledge from DNS suffix to domain
names, then you can set 'winbind_domain' manually instead of  using
'mschap:NT-Domain', however leave 'winbind_username' set to
'mschap:User-Name'.

Otherwise, the only way I can think of to reliably lookup machine's
name and domain from its service-principal is using global catalog
service (in local domain).

Example on my lab machine member of domain ACME.COM, and looking up a
service from child domain CDOM.ACME.COM, coming with DNS suffix of
'local.net':

$ ldapsearch -h wdc.acme.com -D administrator at ACME.COM -p 3268
servicePrincipalName=HOST/IEWIN7C.local.net sAMAccountName
distinguishedName msDS-PrincipalName canonicalName -W
# LDAPv3
# base <> (default) with scope subtree
# filter: servicePrincipalName=HOST/IEWIN7C.local.net
# requesting: sAMAccountName distinguishedName msDS-PrincipalName canonicalName

dn: CN=IEWIN7C,CN=Computers,DC=CDOM,DC=acme,DC=com
distinguishedName: CN=IEWIN7C,CN=Computers,DC=CDOM,DC=acme,DC=com
sAMAccountName: IEWIN7C$
canonicalName: CDOM.acme.com/Computers/IEWIN7C
msDS-PrincipalName: CDOM\IEWIN7C$


HTH

More information about the Freeradius-Users mailing list