Actually it's because we have nested groups in the Universal group. If I use an account that is in the base group list, it works, but if I use an account that is in a group that is in the Universal group, it doesn't work.
Still, the solution looks to be having to do an LDAP lookup(s).

-Neil

--
Neil Johnson
Network Engineer
Information Technology Services
The University of Iowa
Work: 319 384-0938
Mobile: 319 540-2081
Fax: 319 355-2618
E-mail: [email protected]

> -----Original Message-----
> From: Johnson, Neil M
> Sent: Friday, October 01, 2010 10:02 AM
> To: Johnson, Neil M; Mike McCauley
> Cc: [email protected]
> Subject: RE: [RADIATOR] Authby LSA and groups not working (redux)
>
> Okay,
>
> I think I may have found the issue.
>
> The group I'm trying to query is an Active Directory "Universal" Group.
> If I query a "Global" group it works.
>
> It appears that Win32::NetAdmin does not support "Universal" Groups and
> that the only solution is to perform an LDAP or ADSI query.
>
> -Neil
>
> > -----Original Message-----
> > From: [email protected] [mailto:radiator-[email protected]] On Behalf Of Johnson, Neil M
> > Sent: Friday, October 01, 2010 8:46 AM
> > To: Mike McCauley
> > Cc: [email protected]
> > Subject: Re: [RADIATOR] Authby LSA and groups not working (redux)
> >
> > Mike,
> >
> > I'm running with my domain account (which has Administrator privileges)
> > on the server with the "Act as part of the operating system" flag set.
> >
> > Authentication works as long as I don't use a "Group" Directive.
> >
> > I'm not sure how to proceed in debugging this.
> >
> > -Neil
> >
> > > -----Original Message-----
> > > From: Mike McCauley [mailto:[email protected]]
> > > Sent: Thursday, September 30, 2010 7:03 PM
> > > To: Johnson, Neil M
> > > Cc: [email protected]
> > > Subject: Re: [RADIATOR] Authby LSA and groups not working (redux)
> > >
> > > Hello Neil,
> > >
> > > On Friday 01 October 2010 12:15:43 am Johnson, Neil M wrote:
> > > > No, I'm running it on a member server.
> > > >
> > > > Our AD administrators are very reluctant to run applications on PDC's and
> > > > BDC's. I can ask but I don't think I will get permission.
> > > >
> > > > Will it work on a BDC ?
> > > >
> > > > If not, do I have any other options ? Currently I'm using Radiator to proxy
> > > > 802.1X requests to Juniper Steel-Belted Radius in order to re-write VLAN
> > > > attributes. I was kind of hoping to eliminate SBR in part to simplify
> > > > support for Eduroam.
> > >
> > > Tests here show that it works OK on any domain member provided that the user
> > > who is running the script is logged in to the domain.
> > >
> > > Cheers.
> > >
> > > > Thanks.
> > > >
> > > > -Neil
> > > >
> > > > -----Original Message-----
> > > > From: [email protected] [mailto:[email protected]] On
> > > > Behalf Of Mike McCauley
> > > > Sent: Wednesday, September 29, 2010 9:22 PM
> > > > To: [email protected]
> > > > Subject: Re: [RADIATOR] Authby LSA and groups not working (redux)
> > > >
> > > > Hello Neil,
> > > >
> > > > tests here show that your script (suitably modified) works provided you run
> > > > it on the PDC as the administrator.
> > > >
> > > > Is that how you are testing?
> > > >
> > > > Cheers.
> > > >
> > > > On Thursday 30 September 2010 03:18:24 am Johnson, Neil M wrote:
> > > > > I whipped up a script based on what I could find in the source code to
> > > > > test group membership and it doesn't seem to matter if the group is local
> > > > > or global, it can't find it:
> > > > >
> > > > > #!c:\perl64\bin\perl.exe
> > > > >
> > > > > use strict;
> > > > > use Win32::NetAdmin;
> > > > >
> > > > > my $User = "nmjoo";
> > > > > my $Group = "ITS-WIRELESS";
> > > > > my $Domain = "IOWA";
> > > > > my $Server = "";
> > > > >
> > > > > # Look up a domain controller for $Domain; the name is returned in $Server
> > > > > print "Getting Domain Controller\n";
> > > > > Win32::NetAdmin::GetDomainController ("", $Domain, $Server);
> > > > > print "Domain Controller for Domain $Domain is $Server\n";
> > > > >
> > > > > # Try the global group first, then a local group of the same name
> > > > > print "Checking to see if user: $User is member of Group: $Group\n";
> > > > > if ( Win32::NetAdmin::GroupIsMember($Server, $Group, $User)
> > > > >      || Win32::NetAdmin::LocalGroupIsMember($Server, $Group, $User)) {
> > > > >     print "$User is Member of group $Group";
> > > > > }
> > > > > else {
> > > > >     print "$User is not Member of group $Group";
> > > > > }
> > > > >
> > > > > Output:
> > > > >
> > > > > C:\Program Files\Radiator>test2.pl
> > > > > Getting Domain Controller
> > > > > Domain Controller for Domain IOWA is \\IOWADC1
> > > > > Checking to see if user: nmjoo is member of Group: ITS-WIRELESS
> > > > > nmjoo is not Member of group ITS-WIRELESS
> > > > > C:\Program Files\Radiator>
> > >
> > > --
> > > Mike McCauley [email protected]
> > > Open System Consultants Pty. Ltd
> > > 9 Bulbul Place Currumbin Waters QLD 4223 Australia
> > > http://www.open.com.au
> > > Phone +61 7 5598-7474 Fax +61 7 5598-7070
> > >
> > > Radiator: the most portable, flexible and configurable RADIUS server
> > > anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> > > Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> > > TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
> > > DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
> > > NetWare etc.
> > _______________________________________________
> > radiator mailing list
> > [email protected]
> > http://www.open.com.au/mailman/listinfo/radiator
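
The thread ends on nested groups inside a Universal group and the need for an LDAP lookup. As an added example (not code from the thread or from Radiator), this Perl script contrasts a flat membership check with a transitive one over constructed data, and builds the Active Directory filter that uses the LDAP_MATCHING_RULE_IN_CHAIN OID to resolve nesting on the server. The nesting, the extra account and group names, the group DN and all helper names are assumptions made for illustration.

```perl
use strict;
use warnings;

# Constructed data: group => direct members. Only the names ITS-WIRELESS and
# nmjoo come from the thread; the nesting and other names are hypothetical.
my %members = (
    'ITS-WIRELESS' => [ 'alice', 'ITS-NETENG' ],
    'ITS-NETENG'   => [ 'nmjoo', 'ITS-WIRELESS' ],    # cycle on purpose
);

# Flat check: direct members only, so a user in a nested group is missed.
sub is_direct_member {
    my ($group, $user) = @_;
    return scalar(grep { lc($_) eq lc($user) } @{ $members{$group} || [] });
}

# Transitive check: breadth-first walk; the visited set stops circular nesting.
sub is_nested_member {
    my ($group, $user) = @_;
    my %seen;
    my @queue = ($group);
    while (defined(my $g = shift @queue)) {
        next if $seen{$g}++;
        for my $m (@{ $members{$g} || [] }) {
            return 1 if lc($m) eq lc($user);
            push @queue, $m if exists $members{$m};
        }
    }
    return 0;
}

# RFC 4515 escaping, so a name from a RADIUS request cannot alter the filter.
sub ldap_escape {
    my ($value) = @_;
    $value =~ s/([\\*()\x00])/sprintf('\\%02x', ord($1))/ge;
    return $value;
}

# AD filter: the matching-rule OID makes the DC walk the nesting in one search.
sub nested_filter {
    my ($user, $group_dn) = @_;
    return sprintf '(&(sAMAccountName=%s)(memberOf:1.2.840.113556.1.4.1941:=%s))',
        ldap_escape($user), ldap_escape($group_dn);
}

for my $u (qw(alice nmjoo mallory)) {
    printf "%-8s direct=%d nested=%d\n", $u,
        is_direct_member('ITS-WIRELESS', $u), is_nested_member('ITS-WIRELESS', $u);
}
print nested_filter('nm*joo', 'CN=ITS-WIRELESS,OU=Groups,DC=example,DC=edu'), "\n";
```

Against a live directory the filter string would be passed as the `filter` argument of a Net::LDAP search; that call is left out because it needs a reachable domain controller.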
