> I think you'll have to do that. The tedious bit is matching
> the domains in the regexps.
>
> My advice would be to define a local, internal-only attribute in
> /etc/raddb/dictionary:
>
> ATTRIBUTE My-NT-Domain 3003 string
Done.
> ...then in your ntlm_auth helper, do:
>
> ntlm_auth = "... --domain=%{My-NT-Domain:-DEFAULTVALUE} ..."
Done. Works:
[mschap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for
details
[mschap] expand: --domain=%{My-NT-Domain:-umad.umsystem.edu} ->
--domain=umad.umsystem.edu
(We'll get back to that "deprecated conditional" part later, assuming it's not
part of the problem.)
> ...and set this in your regexps:
>
> if (User-Name =~ /host[/].+[.]domain.com/) {
>     update request {
>         My-NT-Domain = "DOMAIN.COM"
>     }
> }
> elsif (...) {
> }
I had this whole long e-mail about how it wasn't working yet the way I expected
and wasn't matching all the time and blah blah blah. I was copying some more
stuff out of the debug output to paste in here when I saw this:
Sending tunneled request
EAP-Message =
0x0208002801686f73742f646e70732d6361706c61702d342e636f6c2e6d6973736f7572692e656475
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "host/dnps-caplap-4.col.missouri.edu"
server campus-inner-tunnel {
+- entering group authorize {...}
... "campus-inner-tunnel" ... I'm working on the wrong virtual server! I
mean, the variables were getting matched and modified, but only on the outer
tunnel (campus-eap)! Curses!
So I moved (*moved*, not *copied*) the "if User-Name =~ /stuff/" block to the
'campus-inner-tunnel' virtual server's config just after the "suffix" and
"ntdomain" items are called, and bingo! My-NT-Domain is set correctly and the
host is able to get in.
NOTE: This successful test was done AFTER the output you see above that
references "umad.umsystem.edu". The domain "umad.umsystem.edu" is a valid
domain here, but there are no computers in it. I was using that domain so I
could see if the expansion was working, not getting modified, or what. It also
means that it won't work by accident due to my defaults. It all has to work or
it breaks. So I now KNOW that this stuff you guys have been helping me set up
works THE WAY WE ALL THINK IT SHOULD, not just by accident. Totally awesome.
I may set up the eventual production box to have a more tolerant default, but
this was perfect for testing. We'll see.
Anyway, now that this part is working, I'm going to double-check that I haven't
now broken user-based auth. If I haven't, I'm going to try to re-write the pattern
match to actually pull the domain name out as %{1} so it works for all domains
using one bit of code, rather than hard-coding every domain I deem "valid".
However it ends up working, I'll report back to the list, since it sounds
like at least one other person was interested in making this work soon.
Thanks very much for all the help, everyone. This has been enlightening.
--J
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
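For reference, the pieces discussed in this thread, assembled into one configuration. This is an added example, not the poster's actual configuration and not part of FreeRADIUS itself; the attribute name My-NT-Domain and the server name campus-inner-tunnel come from the thread, while the ntlm_auth path, the DEFAULT.EXAMPLE.COM fallback and the allow-list of domains are assumptions. It goes one step beyond the hard-coded if/elsif branches by capturing the DNS domain with %{1}, which is what the poster says they intend to try next, and it uses the nested %{%{attr}:-default} form, which is the non-deprecated spelling of the ":-" conditional expansion that produced the warning in the debug output.

```unlang
# --- /etc/raddb/dictionary ---------------------------------------------
# Internal-only attribute. It is never sent on the wire; it only rides on
# the request while it passes through the inner tunnel.
ATTRIBUTE My-NT-Domain 3003 string

# --- /etc/raddb/modules/mschap -----------------------------------------
# Path to ntlm_auth and the DEFAULT.EXAMPLE.COM fallback are assumptions.
# The fallback only applies when My-NT-Domain is absent, so (as in the
# thread) pointing it at a domain with no machine accounts makes any
# failure of the matching below visible as a rejected login rather than
# an accidental success.
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} --domain=%{%{My-NT-Domain}:-DEFAULT.EXAMPLE.COM} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"

# --- /etc/raddb/sites-enabled/campus-inner-tunnel ----------------------
# The matching has to live in the INNER tunnel's authorize section: the
# outer server (campus-eap) only ever sees the anonymous outer identity,
# while the tunneled request carries the real User-Name that mschap uses.
server campus-inner-tunnel {
    authorize {
        # suffix/ntdomain first, so Stripped-User-Name is already set for
        # ordinary DOMAIN\user and user@realm logins.
        suffix
        ntdomain

        # Machine accounts arrive as User-Name = "host/<shortname>.<dns-domain>".
        # Capture everything after the first dot as the domain, one rule
        # for all domains instead of one if/elsif branch per domain.
        if (User-Name =~ /^host[/][^.]+[.](.+)$/) {
            update request {
                My-NT-Domain := "%{1}"
            }
        }

        # Allow-list (illustrative domains, taken from this thread). A host
        # from an unexpected domain loses the attribute and therefore falls
        # back to the ntlm_auth default above, instead of having an
        # attacker-chosen domain string passed straight to ntlm_auth.
        if (My-NT-Domain && (My-NT-Domain !~ /^(col[.]missouri[.]edu|umad[.]umsystem[.]edu)$/)) {
            update request {
                My-NT-Domain !* ANY
            }
        }

        eap {
            ok = return
        }
        mschap
        # ... remainder of the usual inner-tunnel authorize section
    }
    # ... authenticate and post-auth sections unchanged
}
```

With `radiusd -X` running, a successful match shows up in the inner-tunnel output as the `update request` assignment followed by `[mschap] expand: --domain=%{%{My-NT-Domain}:-DEFAULT.EXAMPLE.COM} -> --domain=col.missouri.edu`; if you instead see the default domain being expanded, the block is either in the wrong virtual server or placed before `suffix`/`ntdomain` have run.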