On Tue, Feb 21, 2017 at 02:11:05PM +0900, YASUOKA Masahiko wrote:
> Hi,
> 
> On Mon, 20 Feb 2017 11:38:19 +0100
> Patrick Wildt <patr...@blueri.se> wrote:
> > when using RADIUS, the NT domains should not be stripped from the
> > username.
> 
> I suppose it depends on the use-case.
> 
> npppd.conf(5) mentions "strip-nt-domain" is "yes" by default and
> adding "strip-nt-domain no" in "authentication <NAME> type radius"
> section of npppd.conf should be able to change that behavior.
> 
>   authentication RADIUS type radius {
>           strip-nt-domain no
>           authentication-server {
>                 :
> 
> Doesn't this help?
> 
> > When a base object is instantiated based on an auth object,
> > the "strip_nt_domain" variable is always enforced to zero in case of
> > using RADIUS.  The auth object itself though has it set to one by
> > default.
> > 
> > Now on configuration reload in npppd_auth_reload(), the value is copied
> > from the corresponding auth object to the base object.
> > 
> >     base->strip_nt_domain = auth->strip_nt_domain;
> > 
> > Unfortunately in the case of RADIUS, this means that the RADIUS base
> > object gets overridden.  So in that case reset it to zero like it's
> > done in npppd_auth_create().
> 
> Thank you for pointing this out.
> 
> Code in npppd_auth.c seems to be misleading.  I'd like to make it
> clear that the default values always come from the configuration like
> below.
> 
> diff --git a/usr.sbin/npppd/npppd/npppd_auth.c 
> b/usr.sbin/npppd/npppd/npppd_auth.c
> index 101f8cc..11943c2 100644
> --- a/usr.sbin/npppd/npppd/npppd_auth.c
> +++ b/usr.sbin/npppd/npppd/npppd_auth.c
> @@ -75,8 +75,6 @@ npppd_auth_create(int auth_type, const char *name, void 
> *_npppd)
>       case NPPPD_AUTH_TYPE_LOCAL:
>               if ((base = calloc(1, sizeof(npppd_auth_local))) != NULL) {
>                       base->type = NPPPD_AUTH_TYPE_LOCAL;
> -                     base->strip_nt_domain = 1;
> -                     base->strip_atmark_realm = 0;
>                       strlcpy(base->name, name, sizeof(base->name));
>                       base->npppd = _npppd;
>  
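Review bot: With `base->strip_nt_domain = 1;` removed from the NPPPD_AUTH_TYPE_LOCAL case, the field stays 0 from calloc() until npppd_auth_reload() copies the configured value, so a local base object used before its first reload would stop stripping the domain. Worth confirming that every caller reloads right after npppd_auth_create(), or adding a short comment here that the defaults are deliberately left to the configuration.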
> @@ -89,7 +87,6 @@ npppd_auth_create(int auth_type, const char *name, void 
> *_npppd)
>               if ((base = calloc(1, sizeof(npppd_auth_radius))) != NULL) {
>                       npppd_auth_radius *_this = (npppd_auth_radius *)base;
>                       base->type = NPPPD_AUTH_TYPE_RADIUS;
> -                     base->strip_nt_domain = 0;
>                       strlcpy(base->name, name, sizeof(base->name));
>                       base->npppd = _npppd;
>                       if ((_this->rad_auth_setting =
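Review bot: Dropping `base->strip_nt_domain = 0;` in the NPPPD_AUTH_TYPE_RADIUS case changes nothing at creation time, since calloc() already zeroes the field, but the create path no longer states a RADIUS default, and the value after reload is whatever the auth configuration holds, which per this thread is 1 unless `strip-nt-domain no` is set. The commit message should say that RADIUS setups which need the domain passed through must now set `strip-nt-domain no` explicitly.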
> 
> 

I like consistency, so this is better.  While there, please adjust the
manpage, since it is wrong about strip-nt-domain's default value.

ok patrick@

diff --git a/usr.sbin/npppd/npppd/npppd.conf.5 
b/usr.sbin/npppd/npppd/npppd.conf.5
index aef090ea45b..cdfb8331a97 100644
--- a/usr.sbin/npppd/npppd/npppd.conf.5
+++ b/usr.sbin/npppd/npppd/npppd.conf.5
@@ -569,7 +569,7 @@ removes the NT domain prefix,
 such as '\e\eNTDOMAIN\e',
 from the username before contacting the authentication server.
 The default is
-.Dq no .
+.Dq yes .
 .It Ic strip-atmark-realm Ar yes | no
 Specify whether
 .Xr npppd 8
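Review bot: The corrected default `.Dq yes .` reads as applying to every authentication type, which matches the code only once the npppd_auth.c change is in, because before it the RADIUS create path set strip_nt_domain to 0. Suggest committing the two together and, since the strip-atmark-realm entry follows directly, checking that its stated default is still right now that `base->strip_atmark_realm = 0;` no longer sets it in code.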

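A simplified model of the create/reload interaction discussed in this thread, added here as an illustration and not taken from the npppd source. The names `conf`, `base`, `create_old`, `reload` and `auth_name`, and the rule of cutting at the last backslash, are assumptions; only the per-type defaults and the copy on reload come from the messages above.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical model: only the one field the thread talks about. */
enum { AUTH_LOCAL, AUTH_RADIUS };
struct conf { int strip_nt_domain; };            /* value parsed from npppd.conf */
struct base { int type; int strip_nt_domain; };  /* runtime auth object */

/* Pre-patch create: default hard-coded per type, as in the removed lines. */
static void create_old(struct base *b, int type) {
	memset(b, 0, sizeof(*b));
	b->type = type;
	b->strip_nt_domain = (type == AUTH_LOCAL) ? 1 : 0;
}

/* Reload copies the configured value over whatever create set. */
static void reload(struct base *b, const struct conf *c) {
	b->strip_nt_domain = c->strip_nt_domain;
}

/* Username that would be sent to the authentication server (assumed rule). */
static const char *auth_name(const struct base *b, const char *user) {
	const char *p = strrchr(user, '\\');
	return (b->strip_nt_domain && p != NULL) ? p + 1 : user;
}

/* Returns 1 if a reload changes the name sent for the same login. */
static int reload_changes_name(int type, int conf_value, const char *user) {
	struct base b;
	struct conf c = { conf_value };
	const char *before, *after;

	create_old(&b, type);
	before = auth_name(&b, user);
	reload(&b, &c);
	after = auth_name(&b, user);
	return strcmp(before, after) != 0;
}

int main(void) {
	const char *u = "\\\\NTDOMAIN\\alice";  /* constructed sample login */
	printf("radius, default yes: %d\n", reload_changes_name(AUTH_RADIUS, 1, u));
	printf("radius, explicit no: %d\n", reload_changes_name(AUTH_RADIUS, 0, u));
	printf("local,  default yes: %d\n", reload_changes_name(AUTH_LOCAL, 1, u));
	return 0;
}
```

Only the RADIUS case with the configuration default changes across a reload, which is the inconsistency the npppd_auth.c patch removes by taking the default from the configuration in both paths.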