Re: Machine-Authentication against SaMBa account in LDAP Directory

2007-05-09 Thread Christian Hohmann
Hi members,

@Joe: I use Version 3.0.22-13 of Samba. But I think the username that windows 
sends for Authentication with host account is controlled by the windows client. 
There I use a Win XP with SP2.

@Phil: Thanks, this solution works great. So I can eliminate the second Request 
to the radius-Service caused by the Local-realm of the ntdomain host/. 

@Jacob: It seems to be a good workaround, but it would increase the calls to 
LDAP directory, so I decided to use Phil's suggestion.

I solved the problem using the mschap module in the filter line of the LDAP 
paragraph that Phil suggested.

Thanks a lot for your hints, simply great!

Best regards - Christian

List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Machine-Authentication against SaMBa account in LDAP Directory

2007-05-08 Thread Christian Hohmann
Hi members,

I have a problem with the name of hosts. Here is the situation:
I have an LDAP Directory which is filled by samba-Daemon, for example with 
hosts that are added to my domain. Samba signs every host-account with a $ at 
the end. If my laptop would be named christian, the entry created by SaMBa in 
LDAP is christian$

Now I configured host authentication of windows Machines with freeradius. 
Windows machines are configured to answer with their host account and password. 
The windows machine christian answers with the string host/christian as 
Username. I configured realm with proxy to cut away host/. So the current 
Username is christian.

The username in LDAP is christian$ and so I added a $ sign in the following 
line of the radiusd.conf

Change the line from : filter = (uid=%{Stripped-User-Name:-%{User-Name}})
to:  filter = (uid=%{Stripped-User-Name:-%{User-Name}}$)

This adds a $ sign to every User ID at the end. I can do authentication for all 
Hosts authenticate with their host account. 

The problem is, that I have no possibility to authenticate with a username that 
has no $ as last character. This is the case for all users except host accounts.

Do you have a hint for me, how I could add the $ sign at the end of hostnames, 
but not for normal users?

Best regards

Christian


Re: Machine-Authentication against SaMBa account in LDAP Directory

2007-05-08 Thread Joe Vieira
In my experience, I have seen the hosts PASS their name as 
host/HOST$.domain.domain.domain. What version of samba are you using?

Christian Hohmann wrote:
 Hi members,

 I have a problem with the name of hosts. Here is the situation:
 I have an LDAP Directory which is filled by samba-Daemon, for example with 
 hosts that are added to my domain. Samba signs every host-account with a $ 
 at the end. If my laptop would be named christian, the entry created by SaMBa 
 in LDAP is christian$

 Now I configured host authentication of windows Machines with freeradius. 
 Windows machines are configured to answer with their host account and 
 password. The windows machine christian answers with the string 
 host/christian as Username. I configured realm with proxy to cut away 
 host/. So the current Username is christian.

 The username in LDAP is christian$ and so I added a $ sign in the following 
 line of the radiusd.conf

 Change the line from : filter = (uid=%{Stripped-User-Name:-%{User-Name}})
 to:  filter = (uid=%{Stripped-User-Name:-%{User-Name}}$)

 This adds a $ sign to every User ID at the end. I can do authentication for 
 all Hosts authenticate with their host account. 

 The problem is, that I have no possibility to authenticate with a username 
 that has no $ as last character. This is the case for all users except host 
 accounts.

 Do you have a hint for me, how I could add the $ sign at the end of 
 hostnames, but not for normal users?

 Best regards

 Christian


Re: Machine-Authentication against SaMBa account in LDAP Directory

2007-05-08 Thread Phil Mayers
Christian Hohmann wrote:
 Hi members,
 
 I have a problem with the name of hosts. Here is the situation: I
 have an LDAP Directory which is filled by samba-Daemon, for example
 with hosts that are added to my domain. Samba signs every
 host-account with a $ at the end. If my laptop would be named
 christian, the entry created by SaMBa in LDAP is christian$

More recent versions of FreeRadius have an option in the mschap module 
to handle this - you can do:

filter = (uid=%{mschap:User-Name:-%{User-Name}})

...and the mschap module will strip the host/foo.bar to give foo$
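The mapping described in the message above (host/foo.bar becomes foo$, ordinary user names stay as they are), modelled in Python as an added example that is not part of the thread and is not FreeRADIUS code. The function names, the treatment of a name that already carries a $ (the host/HOST$.domain form mentioned earlier in the thread) and the RFC 4515 escaping of the client-supplied name are assumptions of this example.

```python
# Added example: a model of the User-Name -> Samba uid mapping, not FreeRADIUS source.

# RFC 4515 escapes for characters that are special inside an LDAP filter value.
LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def samba_uid(user_name):
    """Return the uid Samba stores in LDAP for a RADIUS User-Name."""
    if not user_name.startswith("host/"):
        # Ordinary user: looked up unchanged, no trailing $.
        return user_name
    # Machine account: drop "host/" and any DNS suffix after the first dot.
    host = user_name[len("host/"):].split(".", 1)[0]
    # Some clients already send HOST$ (assumed handling): avoid a doubled "$".
    host = host.rstrip("$")
    if not host:
        raise ValueError("machine account without a host name")
    return host + "$"


def ldap_filter(user_name):
    """Build the (uid=...) filter, escaping the client-controlled value."""
    uid = samba_uid(user_name)
    return "(uid=%s)" % "".join(LDAP_ESCAPES.get(c, c) for c in uid)


# Constructed sample names, in the forms mentioned in the thread.
SAMPLES = [
    "christian",                        # normal user
    "host/christian",                   # machine account, short name
    "host/foo.bar",                     # machine account with DNS suffix
    "host/HOST$.domain.domain.domain",  # machine account already carrying $
]

if __name__ == "__main__":
    for name in SAMPLES:
        print("%-34s -> %s" % (name, ldap_filter(name)))
```
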


Re: Machine-Authentication against SaMBa account in LDAP Directory

2007-05-08 Thread Jacob Jarick
Christian,
You may be able to overcome / work around the problem by specifying a
2nd ldap module. Have one that appends the $ and checks and one that
doesn't.

On 5/9/07, Phil Mayers [EMAIL PROTECTED] wrote:
 Christian Hohmann wrote:
  Hi members,
 
  I have a problem with the name of hosts. Here is the situation: I
  have an LDAP Directory which is filled by samba-Daemon, for example
  with hosts that are added to my domain. Samba signs every
  host-account with a $ at the end. If my laptop would be named
  christian, the entry created by SaMBa in LDAP is christian$

 More recent versions of FreeRadius have an option in the mschap module
 to handle this - you can do:

 filter = (uid=%{mschap:User-Name:-%{User-Name}})

 ...and the mschap module will strip the host/foo.bar to give foo$