Re: Machine-Authentication against SaMBa account in LDAP Directory
Hi members,

@Joe: I use version 3.0.22-13 of Samba. But I think the username that Windows sends for authentication with the host account is controlled by the Windows client. There I use Win XP with SP2.

@Phil: Thanks, this solution works great. So I can eliminate the second request to the radius-Service caused by the Local-realm of the ntdomain host/.

@Jacob: It seems to be a good workaround, but it would increase the calls to the LDAP directory, so I decided to use Phil's suggestion.

I solved the problem using the mschap module in the filter line of the LDAP paragraph that Phil suggested.

Thanks a lot for your hints, simply great!

Best regards
Christian

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Machine-Authentication against SaMBa account in LDAP Directory
Hi members,

I have a problem with the name of hosts. Here is the situation: I have an LDAP directory which is filled by the samba-Daemon, for example with hosts that are added to my domain. Samba signs every host account with a $ at the end. If my laptop would be named christian, the entry created by SaMBa in LDAP is christian$

Now I configured host authentication of Windows machines with freeradius. Windows machines are configured to answer with their host account and password. The Windows machine christian answers with the string host/christian as username. I configured realm with proxy to cut away host/. So the current username is christian. The username in LDAP is christian$ and so I added a $ sign in the following line of the radiusd.conf.

Change the line from:

    filter = (uid=%{Stripped-User-Name:-%{User-Name}})

to:

    filter = (uid=%{Stripped-User-Name:-%{User-Name}}$)

This adds a $ sign to every user ID at the end. I can do authentication for all hosts that authenticate with their host account.

The problem is that I have no possibility to authenticate with a username that has no $ as last character. This is the case for all users except host accounts.

Do you have a hint for me, how I could add the $ sign at the end of hostnames, but not for normal users?

Best regards
Christian
Re: Machine-Authentication against SaMBa account in LDAP Directory
In my experience, I have seen the hosts PASS their name as host/HOST$.domain.domain.domain

What version of Samba are you using?

Christian Hohmann wrote:
> Hi members,
>
> I have a problem with the name of hosts. Here is the situation: I have an LDAP directory which is filled by the samba-Daemon, for example with hosts that are added to my domain. Samba signs every host account with a $ at the end. If my laptop would be named christian, the entry created by SaMBa in LDAP is christian$
>
> Now I configured host authentication of Windows machines with freeradius. Windows machines are configured to answer with their host account and password. The Windows machine christian answers with the string host/christian as username. I configured realm with proxy to cut away host/. So the current username is christian. The username in LDAP is christian$ and so I added a $ sign in the following line of the radiusd.conf.
>
> Change the line from:
>
>     filter = (uid=%{Stripped-User-Name:-%{User-Name}})
>
> to:
>
>     filter = (uid=%{Stripped-User-Name:-%{User-Name}}$)
>
> This adds a $ sign to every user ID at the end. I can do authentication for all hosts that authenticate with their host account.
>
> The problem is that I have no possibility to authenticate with a username that has no $ as last character. This is the case for all users except host accounts.
>
> Do you have a hint for me, how I could add the $ sign at the end of hostnames, but not for normal users?
>
> Best regards
> Christian
Re: Machine-Authentication against SaMBa account in LDAP Directory
Christian Hohmann wrote:
> Hi members,
>
> I have a problem with the name of hosts. Here is the situation: I have an LDAP directory which is filled by the samba-Daemon, for example with hosts that are added to my domain. Samba signs every host account with a $ at the end. If my laptop would be named christian, the entry created by SaMBa in LDAP is christian$

More recent versions of FreeRadius have an option in the mschap module to handle this - you can do:

    filter = (uid=%{mschap:User-Name:-%{User-Name}})

...and the mschap module will strip the host/foo.bar to give foo$
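The name mapping described in the message above (host/foo.bar becomes foo$, ordinary user names are left alone), written out as an added Python example; it is not FreeRADIUS code and not code from any poster in this thread. The function names are hypothetical, and two steps are assumptions that the thread does not state: leaving an already present $ (the host/HOST$.domain form reported earlier in the thread) undoubled, and escaping the value per RFC 4515 before it is placed in the LDAP filter.

```python
"""Map a RADIUS User-Name to the uid Samba stores in LDAP (added example)."""

HOST_PREFIX = "host/"

# RFC 4515 escapes for characters that are special inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def machine_uid(user_name):
    """Return 'name$' for host/ logins, the unchanged name for everyone else."""
    if not user_name.lower().startswith(HOST_PREFIX):
        return user_name                      # normal user: no $ appended
    # Drop "host/" and everything from the first dot (the DNS suffix).
    host = user_name[len(HOST_PREFIX):].split(".", 1)[0]
    if not host:
        raise ValueError("empty host name in %r" % user_name)
    # Assumption: a client that already sent HOST$ must not end up as HOST$$.
    return host if host.endswith("$") else host + "$"


def escape_filter_value(value):
    """Escape a string so it can only ever be a literal in an LDAP filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def ldap_filter(user_name):
    """Build the (uid=...) filter for the given RADIUS User-Name."""
    return "(uid=%s)" % escape_filter_value(machine_uid(user_name))


if __name__ == "__main__":
    # Constructed sample names, not taken from any real log.
    samples = [
        "host/christian",
        "host/foo.bar",
        "host/HOST$.domain.domain.domain",
        "christian",
        "bob)(uid=*",
    ]
    for name in samples:
        print("%-35s -> %s" % (name, ldap_filter(name)))
```
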
Re: Machine-Authentication against SaMBa account in LDAP Directory
Christian,

You may be able to overcome / work around the problem by specifying a 2nd ldap module. Have one that appends the $ and checks and one that doesn't.

On 5/9/07, Phil Mayers [EMAIL PROTECTED] wrote:
> Christian Hohmann wrote:
> > Hi members,
> >
> > I have a problem with the name of hosts. Here is the situation: I have an LDAP directory which is filled by the samba-Daemon, for example with hosts that are added to my domain. Samba signs every host account with a $ at the end. If my laptop would be named christian, the entry created by SaMBa in LDAP is christian$
>
> More recent versions of FreeRadius have an option in the mschap module to handle this - you can do:
>
>     filter = (uid=%{mschap:User-Name:-%{User-Name}})
>
> ...and the mschap module will strip the host/foo.bar to give foo$