Hi Alexander, List,

I followed the steps on that blog post; however, I am unable to
retrieve the ipaNTHash attribute either as that service account or
as the admin.

Am I missing something?
ldapsearch -Y GSSAPI uid=admin ipaNTHash
SASL/GSSAPI authentication started
SASL username: radius/edurad2.foo@foo.bar
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base dc=foo,dc=bar (default) with scope subtree
# filter: uid=admin
# requesting: ipaNTHash
#
# admin, users, compat, foo.bar
dn: uid=admin,cn=users,cn=compat,dc=foo,dc=bar
# admin, users, accounts, foo.bar
dn: uid=admin,cn=users,cn=accounts,dc=foo,dc=bar
# search result
search: 4
result: 0 Success
# numResponses: 3
# numEntries: 2
ldapsearch -Y GSSAPI uid=admin ipaNTHash
SASL/GSSAPI authentication started
SASL username: ad...@foo.bar
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base dc=foo,dc=bar (default) with scope subtree
# filter: uid=admin
# requesting: ipaNTHash
#
# admin, users, compat, foo.bar
dn: uid=admin,cn=users,cn=compat,dc=foo,dc=bar
# admin, users, accounts, foo.bar
dn: uid=admin,cn=users,cn=accounts,dc=foo,dc=bar
# search result
search: 4
result: 0 Success
# numResponses: 3
# numEntries: 2
Thanks,
Bill Graboyes
On 7/21/15 11:16 AM, Alexander Bokovoy wrote:
> On Mon, 20 Jul 2015, William Graboyes wrote:
>> Hi List,
>>
>> I have run into a snag, I figured I would start here and move
>> forward. I have been searching around for the past 3 or 4 hours
>> looking for a solution to the issue that I am having.
>>
>> We are doing 802.1x against our FreeIPA servers. Kerberos auth is
>> working perfectly fine (when used from an Android or Linux device);
>> however, when it comes to Macs (they strive to be different -_-)
>> using EAP-TTLS (which everything else is perfectly happy to use
>> with CHAP or PAP), the Mac only uses MSCHAPv2 when using EAP-TTLS.
>>
>> I don't have an Active Directory to run against, nor do I have
>> Samba services running (why would I, there are a total of 5
>> Windows boxes in the entire environment).
>>
>> I was wondering if there was some form of a FreeIPA solution to
>> this form of problem (something I may be missing) that will
>> handle the NTLM auth on a Linux system.
>>
>> I have found some things that are brutishly old, like kcrap, but
>> nothing seems to fit the bill. I am not against installing
>> Samba somewhere (even on the RADIUS servers) to handle this form
>> of authentication, I am just not sure which direction to go for
>> handling this form of auth against FreeIPA. I would much prefer
>> to use PAM or Kerberos, it just doesn't look like that is going
>> to work in this situation.
>
> Check this blog post: http://firstyear.id.au/entry/22
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project