On 27 Feb 2013, at 2:26 PM, Andrew Bartlett wrote: > On Wed, 2013-02-27 at 12:17 +0800, Kinglok, Fong wrote: >> In fact, I have tried using NTLM already. >> >> I have successfully setup winbind bundled with Samba 4, including the steps >> to join Samba 4 as member server and start up winbindd as daemon. >> >> However, I encounter two difficulties with using NTLM to authenticate >> freeradius to Samba 4. >> - I have to run freeradius as root in order to read output from winbindd. >> Even I change the permission / ownership of >> /usr/local/samba/var/run/winbindd to freerad. It still cannot work! > > You need to change the winbind_privileged directory, not the winbindd > directory. The group ownership of this directory should be a group that > servers doing NTLM authentication (such as squid, apache, pptpd and > freeradius) are in. > > Andrew Bartlett > > -- > Andrew Bartlett http://samba.org/~abartlet/ > Authentication Developer, Samba Team http://samba.org > >
Thank you all for giving me the hint! I have solved the problem by making use of ntlm_auth and with group support by 1. change the permission of the winbindd folder chgrp freerad /usr/local/samba/var/locks/winbindd_privileged (freerad is the user to run freeradius) 2. edit the file /usr/local/freeradius/etc/raddb/modules/mschap ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-MYDOMAIN} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00} --require-membership-of=MYDOMAIN\\Certain_Group" (Pay attention to the double back slashes and restart the freeradius) However, I am still very eager to authenticate user with using ldap directly. I cannot fix it as the freeradius log complain: (I have tried binding the samba ac with administrator) 2013-02-28 00:19:32.393910500 [ldap] performing user authorization for peter 2013-02-28 00:19:32.394014500 [ldap] expand: %{Stripped-User-Name} -> 2013-02-28 00:19:32.394016500 [ldap] ... expanding second conditional 2013-02-28 00:19:32.394018500 [ldap] expand: %{User-Name} -> peter 2013-02-28 00:19:32.394020500 [ldap] expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=peter) 2013-02-28 00:19:32.394022500 [ldap] expand: ou=Accounting,dc=samdom,dc=org -> ou=Accounting,dc=samdom,dc=org 2013-02-28 00:19:32.394123500 [ldap] ldap_get_conn: Checking Id: 0 2013-02-28 00:19:32.394125500 [ldap] ldap_get_conn: Got Id: 0 2013-02-28 00:19:32.394127500 [ldap] performing search in ou=Accounting,dc=samdom,dc=org, with filter (sAMAccountName=peter) 2013-02-28 00:19:32.395423500 [ldap] looking for check items in directory... 2013-02-28 00:19:32.395426500 [ldap] looking for reply items in directory... 2013-02-28 00:19:32.395427500 WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? 2013-02-28 00:19:32.395430500 [ldap] user peter authorized to use remote access Any hint? Kinglok, Fong -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba