Hi all, I am trying to set up FreeRadius (1.09.5-1.2, bundled with Redhat FC5) to authenticate off of a Win2k3 server. I have tested the setup, and everything works fine. However, we run quite a large domain, and I would like to restrict access to users in appropriate groups. I can do that if I use the SID for the group, but not if I want to use the regular group name.
For example, the following will work when put in the MSCHAP module:

    ntlm_auth = "/usr/bin/ntlm_auth --require-membership-of=S-1-2-3-4 --request-nt-key --domain=MYDOMAIN.COM --username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"

However, when I use a Windows group, such as the following...

    ntlm_auth = "/usr/bin/ntlm_auth --require-membership-of='WKGRP/Wireless Users' --request-nt-key --domain=MYDOMAIN.COM --username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"

...FreeRadius spits out the following error message:

    utils/ntlm_auth.c:get_require_membership_sid(237) Winbindd lookupname failed to resolve 'WKGRP\Wireless into a SID!

What appears to be happening is that when Radius gets to the space in the group name, it jumps to the next argument in the line, disregarding the " Users'" part of the group. I've tried several different variations on escape characters, with no success. Just as further info, I have also been able to successfully run the ntlm_auth program outside of radius with the offending command, and it works fine.

What is the appropriate syntax to use when using long group names in the radiusd.conf file, or will I need to stick to using Windows SID numbers?

Thanks for your time (and thought),
Nathan Cable
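Added example, not part of the original post and not FreeRADIUS code: a short Python sketch that reproduces the symptom above by comparing POSIX shell tokenization with whitespace-only splitting of the same command line. That radiusd splits this way is the poster's hypothesis and is only modelled here; the function names are hypothetical and the command is a shortened, constructed copy of the line from the post.

```python
import shlex

# Constructed sample: the ntlm_auth line from the post, shortened.
CMD = ("/usr/bin/ntlm_auth --require-membership-of='WKGRP/Wireless Users' "
       "--request-nt-key --domain=MYDOMAIN.COM")


def whitespace_argv(cmd):
    """Assumed model of the failing case: split on whitespace, quotes ignored."""
    return cmd.split()


def shell_argv(cmd):
    """POSIX shell tokenization: quotes group words and are then removed."""
    return shlex.split(cmd)


def option_value(argv, name):
    """Return the value of --name=value from argv, or None if absent."""
    prefix = "--" + name + "="
    for arg in argv:
        if arg.startswith(prefix):
            return arg[len(prefix):]
    return None


def split_hazards(cmd):
    """List shell arguments that whitespace-only splitting would break apart."""
    return [a for a in shell_argv(cmd) if any(c.isspace() for c in a)]


if __name__ == "__main__":
    for label, fn in (("shell", shell_argv), ("whitespace", whitespace_argv)):
        print(label, repr(option_value(fn(CMD), "require-membership-of")))
    print("hazards:", split_hazards(CMD))
```

Under whitespace-only splitting the group argument stops at 'WKGRP/Wireless with the opening quote still attached, which has the same shape as the name in the Winbindd error, while the shell form yields the full group name.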