On Jun 9, 2015, at 11:11, [email protected] wrote:
>
> Maybe it would be helpful to test the pf installation against “changing”
> ADs (not just) INVERSE, because since 5.0 it is a pain in the a.. to get the
> pf working against an own AD which is NOT called “INVERSE” (at least for a
> dumbhead like me, it seems). “INVERSE” seems/seemed(?) to be hardcoded in
> numerous places and neither the krb5.conf, nor the corresponding
> winbind/samba config files looked like they should look like, if one compared
> them to what the pf documentation says they should – for THAT Linux
> distribution (e.g. Debian).
> There is no need for n ADs, just two and the second just to make sure, there
> are no “INVERSE specifics” hardcoded. The more “rudimentary” the second is,
> the easier it is to see, that the “INVERSE” settings are not “templated” for
> everyone.
>
Hi Holger,

As a follow-up and so that others on the mailing list may follow, I am reposting what I just added to the GitHub issue:

I just did a clean Debian 7 install. I configured two domains against two different AD DCs, one on Windows, the other on Samba 4. The default test domain is pftest.org (no inverse).

It works. I can't replicate your problem. Both ntlm_auth in chroots succeed, as well as 802.1x (tested with eapol_test).

Note that the default domain indicated in files such as /chroot/$DOMAIN/etc/krb5.conf is not necessarily the one used to authenticate the user. So whether it is inverse.anything is not actually relevant.

I would need to know more about what behaviour you are experiencing to help you. You are not stating whether ntlm_auth succeeds or not and for what domain.

Actual configuration files and radius debugging output (freeradius -d /usr/local/pf/raddb/ -X ) would be helpful. Particularly the conf/realms.conf, conf/domains.conf, /chroot/domain/etc/krb5.conf and /chroot/domain/samba/smb.conf for each domain.

I am off to test on Ubuntu.

Regards,
--
Louis Munro
[email protected] :: www.inverse.ca
+1.514.447.4918 x125 :: +1 (866) 353-6153 x125
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
