Holy crap, it works! I spent some time un-doing as many of the other changes
as I could find (that is, anything that deviates from the default and isn't
shown below). So what follows should be everything needed to make this work.
STEP 1: CUSTOM ATTRIBUTE
=========================
> My advice would be to define a local, internal-only attribute in
> /etc/raddb/dictionary:
> ATTRIBUTE My-NT-Domain 3003 string
This was done exactly as shown.
STEP 2: UPDATE MSCHAP MODULE TO USE CUSTOM ATTRIBUTE, IF SET
=============================================================
> > ntlm_auth = "... --domain=%{My-NT-Domain:-DEFAULTVALUE} ..."
This was modified slightly to preserve DOMAIN\USER authentication attempts.
Here's what I have working in /etc/raddb/modules/mschap (prettified with the
backslashes only for readability here):
ntlm_auth = "/usr/bin/ntlm_auth \
--request-nt-key \
--username=%{mschap:User-Name} \
--domain=%{My-NT-Domain:-%{mschap:NT-Domain}} \
--challenge=%{mschap:Challenge:-00} \
--nt-response=%{mschap:NT-Response:-00}"
Now this generates the following messages:
> [mschap] WARNING: Deprecated conditional expansion ":-". See "man unlang"
> for details
> [mschap] expand: --domain=%{My-NT-Domain:-umad.umsystem.edu} ->
> --domain=col.missouri.edu
So I changed it to use --domain=%{%{My-NT-Domain}:-%{mschap:NT-Domain}}. That
cleared up the warning messages. You can also set it to default to one domain
or another, or (I suppose) fall through both variables to a default domain. I
haven't bothered with this. Yet.
STEP 3: SET UP REGEX TO GRAB AD-STYLE DOMAIN NAME FOR HOST AUTH
================================================================
This part goes ONLY IN THE inner-tunnel VIRTUAL SERVER DEFINITION when doing
EAP authentication. At one time, I had these bits in both the outer and inner
virtual servers. In my case, I only care about EAP authentication, so I
reverted the outer tunnel to the defaults and made these changes to the
inner-tunnel virtual server. If you aren't doing EAP, or you aren't sure, you
can add this code to the outer virtual server without problems (as far as I can
tell).
Anyway, here's the code:
#
suffix
# ntdomain
# Match 'host', then a slash, then the computer name
# (stuff that's not a dot), then a dot.
# Grab everything after that and use it as the domain.
if ( User-Name =~ /host\/[^\.]+\.(.+)/ ) {
update request {
My-NT-Domain = "%{1}"
}
}
The "suffix" and "ntdomain" lines are shown for context, to show *where* I have
this code, and also to demonstrate that this works with the "ntdomain" part
commented out. Any shenanigans with THIS\THAT User-Name values are handled
correctly by mschap, so it's unnecessary to play with it here.
STEP 4: IT WORKS, BUT GOOD LORD, *WHY*?
========================================
IF IT'S A HOST ACCOUNT:
- Anything after the first "dot" in the computer's FQDN is pulled out
and assigned to the custom attribute My-NT-Domain.
- User-Name is still "host/COMPUTER.DOMAIN"
- My-NT-Domain is "DOMAIN"
- %{mschap:NT-Domain} is in a "don't care" state. My-NT-Domain
overrides it.
- ntlm_auth is called and My-NT-Domain is used for the --domain part,
since it has a value.
- It works!
IF IT IS NOT A HOST ACCOUNT:
- It is extremely unlikely that the User-Name variable will match
"host/foo.bar", so My-NT-Domain remains unset.
- With My-NT-Domain unset, ntlm-auth uses %{mschap:NT-Domain} instead,
which is what we were doing with only user accounts anyway.
- It works!
IF YOU LOGGED INTO A WINDOWS MACHINE USING A LOCAL ACCOUNT:
If it's XP, this isn't going to work. Even though the XP machine is a
member of the domain and has successfully authenticated, XP will switch over to
the user ID you used to log in. Since that's a local account, this will fail.
WORKAROUND (XP): You can go into "View Wireless Networks", select the
network, click "Connect". Wait a few seconds and a bubble will appear above
the systray prompting you for credentials. I used "DOMAIN\USER" format in the
"User" field, my password in the obvious place, and left the "Domain" field
blank. After that, whenever I logged in using that same local account, XP
cached my domain user's credentials for logging into the network.
WORKAROUND (Vista/Win7): I believe Windows Vista and newer can be
configured so that the computer does not try to re-authenticate upon user
login. That is, it can be made to log in using the AD host account and just
stay there forever, thus enabling the use of whatever local accounts you like.
I HAVE ONLY READ ABOUT THIS AND NEVER TESTED IT. I plan to work on this next.
I'll post my results, if no one else beats me to it.
Many thanks to everyone on the freeradius-users mailing list, including Alan,
Alan, and Phil for your insights on this. And anyone, please chime in if there
are any obvious pitfalls in this method or better ways to implement this short
of messing with the source code.
--J
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
