Hi,
2009/6/2 <[email protected]>

> why? with recent versions of FreeRADIUS this just works(tm) with no
> rewriting needed
> - just ensure that the ntlm_auth line has the correct arguments and
> you have the ntdomain stuff turned on.

I've tried, and can't make the default work. I've got three domains with users and machines in them. The default ntlm_auth line is fine for users, but it doesn't work for machines.

If I leave --username=%{mschap:User-Name:-None} and --domain=%{mschap:NT-Domain:-DEFAULTDOMAIN} (obviously, default domain is modified) in place then for users it's fine - the username and domain are filled in based on the details supplied by the MS supplicant. Machines fail though - even for machines that are in the "default domain".

If I follow the logic as supplied by Neil, and remove the "--domain" option then this works fine for all users in all domains, and machines in the same domain that winbind was joined to, but not machines from remote domains.

If I leave the "--domain" option in, then as the "host/" username doesn't contain the netbios version of the domain then "%{mschap:NT-Domain}" is unknown and the default domain is filled in, and this seems to break all machine authentication... External Program returns "Logon failure".

I can't really see any way to resolve this, other than modifying the ntlm_auth line based on some unlang logic to cut out the uk, us, and au bit from the "X.mycompany.local" supplied domain name in the "host/" username. Is this even possible though??

Am I overlooking something here?

Thanks,
Rupert
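The rewriting asked about in the message above, sketched in Python as an added example (not from the original post, and not FreeRADIUS configuration): it derives the values for ntlm_auth's --username and --domain from the name the supplicant sends, rejecting anything outside an allowlist before it could reach an external program. The label-to-NetBIOS map, the default domain and the sample names are assumptions.

```python
import re

# Assumption: first DNS label of each AD domain -> its NetBIOS domain name.
DOMAIN_MAP = {"uk": "UK", "us": "US", "au": "AU"}
DNS_SUFFIX = "mycompany.local"   # suffix quoted in the post
DEFAULT_DOMAIN = "UK"            # assumption: the domain winbind is joined to

# host/<machine>.<label>.<suffix>, letters, digits and hyphens only.
_HOST_RE = re.compile(r"host/([A-Za-z0-9-]+)\.([A-Za-z0-9-]+)\.([A-Za-z0-9.-]+)")
_USER_RE = re.compile(r"[A-Za-z0-9._-]+")


def ntlm_auth_identity(user_name):
    """Return (username, domain) for ntlm_auth's --username/--domain."""
    if user_name.lower().startswith("host/"):
        m = _HOST_RE.fullmatch(user_name)
        if not m:
            raise ValueError("malformed machine name")
        host, label, suffix = m.groups()
        domain = DOMAIN_MAP.get(label.lower())
        if suffix.lower() != DNS_SUFFIX or domain is None:
            raise ValueError("machine is not in a known domain")
        # Machine accounts are stored in the directory as NAME$.
        return host + "$", domain

    if "\\" in user_name:
        # DOMAIN\user as sent by the MS supplicant for users.
        domain, _, user = user_name.partition("\\")
        domain = domain.upper()
        if domain not in DOMAIN_MAP.values():
            raise ValueError("unknown NetBIOS domain")
    else:
        # Bare user name: fall back to the default domain.
        user, domain = user_name, DEFAULT_DOMAIN

    if not _USER_RE.fullmatch(user):
        raise ValueError("unexpected characters in user name")
    return user, domain


if __name__ == "__main__":
    # Constructed sample names.
    for name in ("host/pc01.us.mycompany.local", "AU\\alice", "bob"):
        print(name, "->", ntlm_auth_identity(name))
```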

