> > [mschap] expand: --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} ->
> > --username=host/dnps-caplap-4.col.missouri.edu
>
> That is not "%{mschap:User-Name}", i.e. it's misconfigured.
Actually, I tried it both ways, since the longer string shown above was the
default.
> > [mschap] expand: --domain=%{mschap:NT-Domain} ->
> > --domain=col
>
> Ah, yes. Now this I do remember. The %{mschap:NT-Domain} expansion
> assumes that in a host account of the form:
>
> host/username.domain.com
>
> ...the old-style short domain is "domain". Of course, this falls apart
> if you have a disjoint DNS/AD namespace:
>
> host/username.subdomain.domain.com
>
> ...or if your new-style DNS domain and old-style NT domain
> don't match:
>
> host/username.mycompany.com vs. NT domain of "CORP" -
> mycompany != CORP
And this is the case.
AD domain = col.missouri.edu
NT domain = UMC-USERS
> The only real solution in this case is to not use the
> %{mschap:NT-Domain} expansion - you can't, since there's not
> enough info to get the old-style short domain name in all cases.
>
> So, in /etc/raddb/modules/mschap, set (don't include the line
> continuation \ I've added):
>
> ntlm_auth = "/path/to/ntlm_auth --request-nt-key \
> --username=%{mschap:User-Name} --domain=YOURDOMAIN \
> --challenge=... --nt-response=..."
Good news:
Login OK: [host/dnps-caplap-4.col.missouri.edu] (from client test-wss2380 port 573 cli 00-90-4B-2F-80-B4)
+- entering group post-auth {...}
++[exec] returns noop
} # server campus-eap
Sending Access-Accept of id 179 to 128.206.131.253 port 20009
Bad news:
I have a multi-domain environment. If I hard-code the domain in here, then
only users or hosts from that domain will be able to authenticate. How can I
make it recognize the others and behave correctly?
It's fine if I have to write some code using string matching and switch/case.
But I can't restrict access to only one domain.
--J
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
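The "string matching and switch/case" approach the poster mentions can be done outside FreeRADIUS: point the `ntlm_auth` setting in modules/mschap at a small wrapper script, pass it the full incoming name (the `host/name.dns.suffix` form seen in the debug output above rather than the `%{mschap:User-Name}` expansion, which has already lost the suffix), and let the wrapper pick the NT domain from the DNS suffix before exec'ing the real `ntlm_auth`. The script below is an added illustration, not part of FreeRADIUS or Samba, and not something the thread participants posted. Assumptions: the wrapper lives at /usr/local/sbin/ntlm_auth_wrapper and the real binary at /usr/bin/ntlm_auth (override with REAL_NTLM_AUTH); the suffix table contains the one real pair from the post (col.missouri.edu -> UMC-USERS) plus constructed placeholder entries; AD machine accounts are named HOSTNAME$; and an unknown suffix should fail the authentication rather than fall back to a default domain. The mschap config line in the header comment keeps the `--challenge=...`/`--nt-response=...` arguments exactly as the module's default supplies them.

```shell
#!/bin/sh
# ntlm_auth_wrapper: choose the NT (short) domain from the DNS suffix of the
# incoming name, then exec the real ntlm_auth with the rewritten arguments.
# Hypothetical helper for illustration; not shipped with FreeRADIUS or Samba.
#
# Assumed /etc/raddb/modules/mschap setting (one line; --domain is omitted
# because this script adds it):
#   ntlm_auth = "/usr/local/sbin/ntlm_auth_wrapper --request-nt-key
#       --username=%{User-Name} --challenge=... --nt-response=..."

REAL_NTLM_AUTH=${REAL_NTLM_AUTH:-/usr/bin/ntlm_auth}   # assumed install path

# Site-specific table: DNS suffix (lowercase) -> NT domain.
# col.missouri.edu / UMC-USERS is the pair from the thread; the others are
# constructed placeholders showing where additional domains go.
nt_domain_for_suffix() {
    suffix=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    case "$suffix" in
        col.missouri.edu)   echo "UMC-USERS" ;;
        eng.example.edu)    echo "ENG-USERS" ;;     # constructed placeholder
        hosp.example.edu)   echo "HOSPITAL" ;;      # constructed placeholder
        *)                  return 1 ;;             # unknown suffix: refuse
    esac
}

# Split an incoming name into "account dns_suffix" (suffix empty if absent).
#   host/name.dns.suffix  -> NAME$ dns.suffix   (AD machine account convention,
#                                               assumed: HOSTNAME$)
#   user@dns.suffix       -> user dns.suffix
#   user                  -> user ""
split_name() {
    name=$1
    case "$name" in
        host/*)
            fqdn=${name#host/}
            short=${fqdn%%.*}
            suffix=${fqdn#*.}
            [ "$suffix" = "$fqdn" ] && suffix=""
            printf '%s %s\n' "${short}\$" "$suffix"
            ;;
        *@*)
            printf '%s %s\n' "${name%@*}" "${name#*@}"
            ;;
        *)
            printf '%s %s\n' "$name" ""
            ;;
    esac
}

# Print the NT domain for a full incoming name; non-zero status if unknown.
nt_domain_for() {
    set -- $(split_name "$1")
    nt_domain_for_suffix "$2"
}

main() {
    user=""
    for arg in "$@"; do
        case "$arg" in
            --username=*) user=${arg#--username=} ;;
        esac
    done
    [ -n "$user" ] || { echo "ntlm_auth_wrapper: no --username given" >&2; exit 1; }

    domain=$(nt_domain_for "$user") || {
        echo "ntlm_auth_wrapper: no NT domain mapping for '$user'" >&2
        exit 1
    }
    account=$(split_name "$user"); account=${account%% *}

    # Rebuild the argument list: rewrite --username, drop any hard-coded
    # --domain, pass everything else (challenge, response, flags) through.
    for arg in "$@"; do
        shift
        case "$arg" in
            --username=*) set -- "$@" "--username=$account" ;;
            --domain=*)   ;;
            *)            set -- "$@" "$arg" ;;
        esac
    done
    exec "$REAL_NTLM_AUTH" "$@" "--domain=$domain"
}

# Only act as the wrapper when invoked with arguments (lets the functions be
# sourced and exercised on their own).
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Because the wrapper exits non-zero for an unrecognised suffix, rlm_mschap treats such a request as a failed authentication, which is the safer default when a new AD domain appears before its table entry does; the failure message lands in the FreeRADIUS debug output, so an operator sees which suffix to add.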