On 27/02/2011 18:08, McNutt, Justin M. wrote:
> New member to the list, here. I have a question about AD computer-based
> authentication. Basically, how is it accomplished?
>
> I have Googled and Googled, but only found references to the fact that it
> *can* be done (mostly from archives of this list), but little reference on
> HOW to do it, other than that it has something to do with editing the
> "realms" file. I also went to #freeradius on FreeNode, but it seemed there
> was rarely anyone in the channel. So here I am.
>
> I'm running FreeRADIUS 2.1.7 from the RHEL 5 RPM
> (freeradius2-2.1.7-7.el5). It's running on an RHEL 5 virtual machine that
> is a member of an AD domain via Samba 3.5.4 (which was required to talk to
> the 2008R2 domain controllers). We have a multi-domain, single-forest
> environment.
>
> I'm running two virtual servers, based on the defaults. I have the
> "campus-main" virtual server that is pretty much the exact same as the
> default, except that I have LDAP authentication enabled. This works
> perfectly and is able to authenticate users for all domains. I also have
> the "campus-eap" and "campus-inner-tunnel" virtual servers for EAP
> authentication that are the same as the "default" and "inner-tunnel"
> servers except for the names. (I copied them so I could make changes to
> the "campus-XXX" virtual servers and still have the originals for reference.)
>
> The EAP functions for clients using EAP-TTLS and EAP-PEAP work just fine
> for all users in all domains (authenticated via ntlm_auth) EXCEPT for the
> "host\\computer.domain.name" users (the computer accounts). I'd like to
> make this work, partly because a large number of the failed login attempts
> in my logs are from hosts that are valid domain members.
>
> Sooo... help? What's the basic idea behind making this work?


Hi Justin,


Could you send us the output of radiusd -X for a computer auth?

If it works for users it should just work for machines.

You'll need to make sure you have samba > 3.0.23 [IIRC] [which you seem to have] and your ntlm_auth line has to have an appropriately formatted User-Name bit e.g. %{mschap:User-Name} (the mschap module will take host\\computer.domain.name and turn it in to computer$ automatically).

-James


--
James J J Hooper
Network Specialist, University of Bristol
http://www.wireless.bristol.ac.uk          http://www.jamesjj.net
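As an added illustration (not part of James's reply and not the FreeRADIUS project's shipped configuration), this is what the relevant part of the mschap module looks like with the `%{mschap:User-Name}` expansion he describes, in the config style of FreeRADIUS 2.1.x (raddb/modules/mschap). The path to ntlm_auth and the `DOMAIN` fallback are placeholders to be replaced with the local values:

```unlang
# raddb/modules/mschap  (FreeRADIUS 2.1.x layout; assumed path)
mschap {
	use_mppe = yes
	require_encryption = yes
	require_strong = yes

	# Strips a leading "DOMAIN\" from User-Name before the NT-Domain lookup.
	with_ntdomain_hack = yes

	# %{mschap:User-Name} rewrites "host/computer.domain.name" into the
	# machine account name "computer$" and strips a "DOMAIN\" prefix from
	# ordinary user names, so the same line serves users and computers.
	# %{mschap:NT-Domain} is taken from the request; "DOMAIN" is only the
	# fallback when no domain was supplied (placeholder: set to your own).
	ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --domain=%{%{mschap:NT-Domain}:-DOMAIN} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}
```

With `radiusd -X` running, the debug output for a machine authentication shows the fully expanded ntlm_auth command line, which is the quickest way to confirm that the username reaching Samba is `computer$` rather than the raw `host/...` string and that the domain chosen is the one the computer account actually lives in (relevant in a multi-domain forest).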