On 02/03/11 12:09, McNutt, Justin M. wrote:
These look like MS-CHAP machine-auth usernames; have you considered
using:

%{mschap:User-Name} %{mschap:NT-Domain}

The mschap module has special handling for host/ names, and these
will expand:

host/name.domain.com

to:

name$ domain.com

The trailing dollar sign on the hostname is intentional; SAM
account names for machines conventionally end in $ in windows.

I'm aware of all of this.  The problem is, it doesn't seem to be
actually working.  Here's the ntlm_auth command I'm using:

ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
--username=%{mschap:User-Name} --domain=%{mschap:NT-Domain}
--challenge=%{mschap:Challenge:-00}
--nt-response=%{mschap:NT-Response:-00}"

Note use of "%{mschap:User-Name}" and "%{mschap:NT-Domain}".  Despite
this, "host/computer.domain" login attempts always fail.  Hence,
trying to do the translation manually via a regex and update
clauses.

In the most recent debug I see you posted (16:36 yesterday) it's failing because:

[eap] Request is supposed to be proxied to Realm $2.  Not doing EAP.
++[eap] returns noop

...then later:

WARNING: You set Proxy-To-Realm = $2, but the realm does not exist! Cancelling invalid proxy request. No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
Failed to authenticate the user.

You tried to use a regexp to parse the username (usually a mistake IMHO) and put the "domain" bit into the "Proxy-To-Realm" attribute but Proxy-To-Realm instructs the server to do just that - which cancels local authentication.


Reading back through the thread, it seems like there is some confusion between "domain" in the Windows NT/Active Directory sense, and "domain" as a "Realm", which is a concept used in Radius proxying.

I'm going to take a guess and assume you don't really need to do proxying, and were just trying to use the "realm" module to strip off the "host/...domain.com" bits, and have gotten a bit tangled.


Don't set "Realm" or "Proxy-To-Realm" unless you want the radius packet to be sent to a different radius server.

Make sure you're using "%{mschap:User-Name}" everywhere that NT domain usernames might exist - in the "ldap" module filter, for starters.

At this point, you may find it easier to revert to the default configs and start from scratch, one change at a time and keeping the configs in version control.
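For readers checking what the mschap expansions will produce before wiring them into ntlm_auth, here is a small added example (not FreeRADIUS code, and not from either poster) that reproduces the host/ expansion described above: "host/name.domain.com" becomes User-Name "name$" and NT-Domain "domain.com". The "DOMAIN\user" branch is an assumption beyond what the thread states, and the argv builder only shows how the expanded values slot into the ntlm_auth command quoted in the thread; it does not run ntlm_auth.

```python
"""Reproduce the host/ username handling attributed to the mschap module so a
config author can see what %{mschap:User-Name} and %{mschap:NT-Domain} expand
to.  Added example; not part of FreeRADIUS or of this thread."""

from typing import List, NamedTuple, Optional


class NtIdentity(NamedTuple):
    user_name: str             # value %{mschap:User-Name} is expected to give
    nt_domain: Optional[str]   # value %{mschap:NT-Domain} is expected to give


def expand_mschap_identity(user_name: str) -> NtIdentity:
    """Split an NT-style login name the way the thread describes.

    Machine auth: "host/name.domain.com" -> ("name$", "domain.com").
    The trailing "$" mirrors the SAM naming convention for machine accounts.
    """
    if user_name.startswith("host/"):
        fqdn = user_name[len("host/"):]
        short_host, sep, dns_domain = fqdn.partition(".")
        return NtIdentity(short_host + "$", dns_domain if sep else None)

    # Assumption (not stated in the thread): "DOMAIN\user" -> ("user", "DOMAIN").
    if "\\" in user_name:
        domain, _, user = user_name.partition("\\")
        return NtIdentity(user, domain)

    # Plain username: no domain information available.
    return NtIdentity(user_name, None)


def build_ntlm_auth_argv(user_name: str,
                         challenge_hex: str = "00",
                         nt_response_hex: str = "00") -> List[str]:
    """Assemble the ntlm_auth argv from the thread with the expanded values.

    The "00" defaults mirror the ":-00" fallbacks in the quoted config; a real
    request carries the MS-CHAP challenge and NT-Response from the EAP exchange.
    The command is built for inspection only and is not executed here.
    """
    ident = expand_mschap_identity(user_name)
    argv = ["/usr/bin/ntlm_auth", "--request-nt-key",
            f"--username={ident.user_name}"]
    if ident.nt_domain:
        argv.append(f"--domain={ident.nt_domain}")
    argv += [f"--challenge={challenge_hex}", f"--nt-response={nt_response_hex}"]
    return argv


if __name__ == "__main__":
    # Constructed sample names, not real hosts.
    for name in ("host/pc01.example.com", "EXAMPLE\\alice", "bob"):
        print(name, "->", expand_mschap_identity(name))
    print(" ".join(build_ntlm_auth_argv("host/pc01.example.com")))
```

The point of keeping this logic in one place, rather than in per-site regexes, is the one the reply makes: every module that sees NT names (ntlm_auth, the ldap filter) should consume the same expansion, and nothing should set Realm or Proxy-To-Realm as a side effect of the split.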