freerad...@corwyn.net wrote:
> Having just followed all of those instructions to build out my
> production systems, I have a few tweaks to fix all those little things
> that drive one insane when following someone's instructions because they
> never tested them.

  Thanks.  Here's a short review.

> Note that the configuring of SAMBA, kerberos, and adding to the domain
> should already be done as part of the default Linux install, see
> h:\is\operating system\Linux\Guide_linux.doc

  This file is... ?

> Verify that a user in the domain can be authenticated:
>
>   wbinfo -a user%password
>
> Try the same login with the ntlm_auth program, which is what FreeRADIUS
> will be using:
>
>   ntlm_auth --request-nt-key --domain=MYDOMAIN --username=user --password=password
>
> /etc/raddb/radiusd.conf (see Appendix C)
>
> Update max_requests to # users * 256

  That isn't necessary.  It should be no more than "max request/s * max_request_time".

> Add to the end of the auth listen {..} (to permit groups of clients)
>   clients = disambiguate
>
> Add to the end of the acct listen {..} (to permit groups of clients)
>   clients = disambiguate

  I don't understand why this is necessary.  All it does is put the clients into a sub-section.  There's no additional value or capabilities in doing this.

> Since we're not using any of these methods for the Ciscos, in
> authenticate{..} disable: chap, mschap, suffix, ntdomain, unix, pap
>
> Add to the end of the authorize{..} section:
>   ntlm_auth

  Or to the end of the "authenticate" section?

> Note: The secret needs to match the secret set on the respective client.
> Change the secret to an actual secret
>
> clients disambiguate {

  Again, there's no reason for this.

  Alan DeKok.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
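As an added example, not part of the thread above and not the FreeRADIUS project's own shipped files, here is how the ntlm_auth pieces under discussion fit together in a FreeRADIUS 2.x-style configuration layout. The file paths, the /usr/bin/ntlm_auth location, the MYDOMAIN name, and the example timing values are assumptions; the ntlm_auth command line is the one quoted in the thread.

```conf
# raddb/modules/ntlm_auth   (assumed path, FreeRADIUS 2.x module layout)
# Wraps the same ntlm_auth command used for the manual test, with the
# username and password taken from the incoming request.  wait = yes makes
# the module block until ntlm_auth exits so its return code decides the
# result.  Caveat: the password is passed as a command-line argument, so it
# is briefly visible to local users through ps / /proc while ntlm_auth runs.
exec ntlm_auth {
        wait = yes
        program = "/usr/bin/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{User-Name} --password=%{User-Password}"
}

# raddb/sites-available/default   (only the relevant sections shown)
authorize {
        # The ntlm_auth module does not belong here; listing it in authorize
        # only runs the helper as a pre-check and does not select an
        # authentication method.
        files
}

authenticate {
        # Register the module under its own Auth-Type so that a request
        # assigned "Auth-Type := ntlm_auth" is authenticated by it.
        Auth-Type ntlm_auth {
                ntlm_auth
        }
}

# raddb/users
# Something has to pick the Auth-Type; a catch-all entry is the simplest:
DEFAULT Auth-Type := ntlm_auth

# raddb/radiusd.conf
# max_requests only needs to cover requests in flight, i.e. roughly
# (peak requests per second) * max_request_time, not "number of users * 256".
# Values below are illustrative: 30 s window, ~30 req/s peak.
max_request_time = 30
max_requests = 1024

# raddb/clients.conf
# A plain top-level client block is sufficient; wrapping clients in a named
# sub-section and pointing a listen {} at it adds no capability.
client cisco-switch {
        ipaddr = 192.0.2.10          # constructed example address
        secret = change-this-to-a-real-per-client-secret
        shortname = sw01
}
```

To confirm the module is reached, run radiusd in debug mode (radiusd -X) and send a test request with radtest; the debug output shows the exec module's command line and exit status, and a rejected login will show ntlm_auth returning non-zero before FreeRADIUS sends Access-Reject.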