RE: [Samba] Winbind problem when exec freeradius

2005-05-16 Thread Andrew Bartlett
On Mon, 2005-05-16 at 20:03 +0200, Javier Jimenez wrote:
> Now, I've found another problem: if I put a group with blank spaces on my
> ntlm_auth script on freeradius, it cannot authenticate. It recognises just
> the first word of the name.
> Any idea about what's happening?
> Thanks!

Likewise, FreeRadius is not calling a shell, so the splitting function
is chewing on the string.  The easy option is to change the name into a
SID (S-123-456), and include that as the option.  

The FreeRadius list may be able to assist on how the quoting does or
doesn't behave.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

RE: [Samba] Winbind problem when exec freeradius

2005-05-16 Thread Javier Jimenez
Now, I've found another problem: if I put a group with blank spaces on my
ntlm_auth script on freeradius, it cannot authenticate. It recognises just
the first word of the name.
Any idea about what's happening?
Thanks!

-- Forwarded message --
From: Javier Jimenez <[EMAIL PROTECTED]>
Date: 16-may-2005 12:42
Subject: Re: [Samba] Winbind problem when exec freeradius
To: Andrew Bartlett <[EMAIL PROTECTED]>


It works!! Thank you very much!
Javi.

2005/5/16, Andrew Bartlett <[EMAIL PROTECTED]>:
> On Mon, 2005-05-16 at 09:28 +0200, Javier Jimenez wrote:
> > Hi list!
> >   I'm trying to authenticate Active Directory Users via freeradius. I
> > can do it in a general case (user and domain) without
> > problem. Now I have to do it restricting the authentication to the
> > members of a group.
>
> > Exec-Program: /usr/bin/ntlm_auth --request-nt-key --username=javi2
> > --require-membership-of='AAMM\MyGroup'  --domain=AAMM
> > --challenge=6b480cf181ded625
> > --nt-response=bce392db1fcd91380690317e7cd1228e78940576d78fde21
> > [2005/05/16 09:05:57, 0] utils/ntlm_auth.c:get_require_membership_sid
> > (237)
> >  Winbindd lookupname failed to resolve 'AAMM\MyGroup' into a SID!
>
> Looking at the source, the issue appears to be the quotes.  FreeRadius
> does not go via a shell, which means that the ' characters are not
> stripped off.  (The ntlm_auth source shows that this debug message is
> printed without any quotes, which means you supplied them)
>
> > Does anybody know why this could be happening? Thanks in advance for any
> > help!!
> --
> Andrew Bartlett                                http://samba.org/~abartlet/
> Authentication Developer, Samba Team   http://samba.org
> Student Network Administrator, Hawker College  http://hawkerc.net


Re: [Samba] Winbind problem when exec freeradius

2005-05-16 Thread Andrew Bartlett
On Mon, 2005-05-16 at 09:28 +0200, Javier Jimenez wrote:
> Hi list!
>   I'm trying to authenticate Active Directory Users via freeradius. I
> can do it in a general case (user and domain) without
> problem. Now I have to do it restricting the authentication to the
> members of a group.


> Exec-Program: /usr/bin/ntlm_auth --request-nt-key --username=javi2
> --require-membership-of='AAMM\MyGroup'  --domain=AAMM
> --challenge=6b480cf181ded625
> --nt-response=bce392db1fcd91380690317e7cd1228e78940576d78fde21
> [2005/05/16 09:05:57, 0] utils/ntlm_auth.c:get_require_membership_sid
> (237)
>  Winbindd lookupname failed to resolve 'AAMM\MyGroup' into a SID!

Looking at the source, the issue appears to be the quotes.  FreeRadius
does not go via a shell, which means that the ' characters are not
stripped off.  (The ntlm_auth source shows that this debug message is
printed without any quotes, which means you supplied them)

> Does anybody know why this could be happening? Thanks in advance for any help!!
-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
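
The two failures discussed in this thread (quotes reaching ntlm_auth literally, and a group name with spaces being cut at the first word), shown as an added example that is not code from Samba, FreeRADIUS or the posters. `direct_exec_argv` is an assumed, simplified model of a no-shell exec path (plain whitespace splitting), not FreeRADIUS's actual splitter; the command lines and the SID are constructed.

```python
import shlex

# Constructed command lines modelled on the radiusd.conf entry in this thread.
QUOTED = r"/usr/bin/ntlm_auth --username=javi2 --require-membership-of='AAMM\MyGroup' --domain=AAMM"
SPACED = r"/usr/bin/ntlm_auth --username=javi2 --require-membership-of='AAMM\My Group' --domain=AAMM"
# Placeholder SID (constructed); look up the real one for your group.
BY_SID = "/usr/bin/ntlm_auth --username=javi2 --require-membership-of=S-1-5-21-1111-2222-3333-1234 --domain=AAMM"


def shell_argv(cmdline):
    """argv as a POSIX shell builds it: quoted runs are grouped, quotes removed."""
    return shlex.split(cmdline)


def direct_exec_argv(cmdline):
    """Assumed model of a no-shell exec path: whitespace split, quotes untouched."""
    return cmdline.split()


def option_value(argv, name="--require-membership-of"):
    """Return the value ntlm_auth would receive for --name=value, or None."""
    prefix = name + "="
    for arg in argv:
        if arg.startswith(prefix):
            return arg[len(prefix):]
    return None


def compare(cmdline):
    """(value seen via a shell, value seen via direct exec) for the group option."""
    return option_value(shell_argv(cmdline)), option_value(direct_exec_argv(cmdline))


def survives_without_shell(cmdline):
    """True when the command yields the same argv with or without a shell."""
    return shell_argv(cmdline) == direct_exec_argv(cmdline)


if __name__ == "__main__":
    for label, line in (("quoted", QUOTED), ("spaced", SPACED), ("by SID", BY_SID)):
        via_shell, direct = compare(line)
        print(f"{label:7} shell={via_shell!r} direct={direct!r} "
              f"safe={survives_without_shell(line)}")
```

`survives_without_shell` can be used as a quick lint on any command string placed in a configuration that executes programs directly: a `False` result means the program will not see the arguments a shell test run suggested.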



[Samba] Winbind problem when exec freeradius

2005-05-16 Thread Javier Jimenez
Hi list!
  I'm trying to authenticate Active Directory Users via freeradius. I
can do it in a general case (user and domain) without
problem. Now I have to do it restricting the authentication to the
members of a group.

I can execute the script (as it is put in radiusd.conf) correctly from the
command line:

Deb:~# /usr/bin/ntlm_auth --username=javi2
--require-membership-of='AAMM\MyGroup'  --domain=AAMM
password:
NT_STATUS_OK: Success (0x0)
Deb:~# /usr/bin/ntlm_auth --username=javi2
--require-membership-of='AAMM\OtherGroup'  --domain=AAMM
password:
NT_STATUS_LOGON_FAILURE: Logon failure (0xc06d)
Deb:~#

So samba and winbind look to be correctly configured, but when radius
executes it, it looks as if winbind couldn't resolve the group's name.
My line in radiusd.conf is:

ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
--username=%{mschap:User-Name} --require-membership-of='AAMM\\MyGroup'
--domain=%{mschap:NT-Domain} --challenge=%{mschap:Challenge:-00}
--nt-response=%{mschap:NT-Response:-00}"

And I get the following logs:

radius_xlat:  '/usr/bin/ntlm_auth --request-nt-key --username=javi2
--require-membership-of='AAMM\MyGroup'  --domain=AAMM
--challenge=6b480cf181ded625
--nt-response=bce392db1fcd91380690317e7cd1228e78940576d78fde21 '
Exec-Program: /usr/bin/ntlm_auth --request-nt-key --username=javi2
--require-membership-of='AAMM\MyGroup'  --domain=AAMM
--challenge=6b480cf181ded625
--nt-response=bce392db1fcd91380690317e7cd1228e78940576d78fde21
[2005/05/16 09:05:57, 0] utils/ntlm_auth.c:get_require_membership_sid(237)
 Winbindd lookupname failed to resolve 'AAMM\MyGroup' into a SID!

Does anybody know why this could be happening? Thanks in advance for any help!!