(RADIATOR) Ref.: Re: (RADIATOR) Trying to get Windows Group membership working in AuthLSA

Michel Lapointe MLapointe at jeancoutu.com
Tue Jul 6 23:12:42 CDT 2004


Here is more information:

I do not have a lot of experience with Perl (in fact, it's my first look at
it), but I did some digging into the code and the Internet and found the
following situation for the Windows Group support.

First, Win32::NetAdmin::GroupIsMember(server, name, user) does not support
the domain\username form for the user parameter.  So the "domain\" part
should always be stripped off.

Second, Win32::NetAdmin::GroupIsMember(server, name, user) requires the
server parameter, which cannot be a domain name.  So if DomainController is
not specified in the config file, the code should try to find the
appropriate server (maybe using Win32::NetAdmin::GetDomainController) based
on the appropriate domain.  Obviously, for performance, it should not have
to look up a DC for a specific domain for every request.  So there should be
some sort of caching involved.

I guess that the code needed to support all the possible scenarios
is not that simple.

Thanks

Michel Lapointe
The Jean Coutu Group (PJC) inc.
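One way to implement what the message above describes (strip the "domain\" prefix, resolve a domain controller per domain with a cache, then call GroupIsMember), as an added example that is not Radiator's own AuthLSA code. It assumes a Windows host with Win32::NetAdmin installed; the function names, the cache TTL and the sample "CORP" domain are illustrative.

```perl
# Added example, not part of Radiator: group check with DC lookup and caching.
# Assumes Win32::NetAdmin is available (Windows only); names are illustrative.
use strict;
use warnings;
use Win32::NetAdmin;

my %dc_cache;          # domain name -> [ dc name, expiry time ]
my $cache_ttl = 300;   # seconds; short so a DC that goes down is re-resolved

# Split "domain\user" into (domain, user); use the default domain when
# the user name carries no prefix.
sub split_user {
    my ($name, $default_domain) = @_;
    return ($1, $2) if $name =~ /^([^\\]+)\\(.+)$/;
    return ($default_domain, $name);
}

# Find a DC for the domain via GetDomainController, caching the answer so
# the lookup is not repeated for every RADIUS request.
sub domain_controller {
    my ($domain) = @_;
    my $entry = $dc_cache{$domain};
    return $entry->[0] if $entry && $entry->[1] > time;
    my $dc;
    Win32::NetAdmin::GetDomainController('', $domain, $dc)
        or return undef;              # lookup failed; caller rejects
    $dc_cache{$domain} = [ $dc, time + $cache_ttl ];
    return $dc;
}

# GroupIsMember wants a real server name and a bare user name, so the
# prefix is removed and the DC for that domain is used as the server.
sub user_in_group {
    my ($name, $group, $default_domain) = @_;
    my ($domain, $user) = split_user($name, $default_domain);
    my $dc = domain_controller($domain) or return 0;
    return Win32::NetAdmin::GroupIsMember($dc, $group, $user) ? 1 : 0;
}

# Constructed sample call: "CORP" is a placeholder domain name.
print user_in_group('CORP\\test', 'TestGroup', 'CORP')
    ? "member\n" : "not a member\n";
```

A failed lookup is treated as "not a member" rather than as an error, which keeps a DC outage from turning into a fail-open check.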



From: "Michel Lapointe" <MLapointe at jeancoutu.com>
Sent by: owner-radiator at open.com.au
Date: 2004-07-06 20:55
To: "radiator at open.com.au" <radiator at open.com.au>
Subject: Re: (RADIATOR) Trying to get Windows Group membership working in AuthLSA




Hi,

I did a number of tests and I finally got it to work.  But not exactly how
I would like it.  Here are two observations:

1. The Group feature needs the DomainController to be present.
2. When the Group feature is in use, I can no longer specify the domain
before the username (i.e. "domain\user") to authenticate.

These observations may be wrong, but this is how it behaves on my systems.
The first one is important for us because we are in a High availability
environment and we must not specify a single static domain controller
unless we can specify more than one (can we?).  The second one is also
important because we are using more than one domain and we must allow
inter-domain authentication.

Thanks

Michel Lapointe
The Jean Coutu Group (PJC) inc.



From: Hugh Irvine <hugh at open.com.au>
Date: 2004-07-06 19:34
To: "Michel Lapointe" <MLapointe at jeancoutu.com>
cc: "radiator at open.com.au" <radiator at open.com.au>
Subject: Re: (RADIATOR) Trying to get Windows Group membership working in AuthLSA





Hi Michel -

Here is the relevant code from "Radius/AuthLSA.pm":

#####################################################################
# Check if the user is in the global group
sub userIsInGroup
{
     my ($self, $user, $group) = @_;

     require Win32::NetAdmin;
     import Win32::NetAdmin;

     return Win32::NetAdmin::GroupIsMember($self->{DomainController},
                                           $group, $user);
}


You can only specify a global group for checking.

regards

Hugh


On 7 Jul 2004, at 00:10, Michel Lapointe wrote:

> Hi,
>
> I'm evaluating Radiator 3.9 with all patches on Windows 2000 Server sp4
> (member server).  I'm trying to use the new Windows Group Membership
> feature but it does not seem to work.
>
> If I don't specify any Group, I can successfully authenticate both Local
> users (test) and Domain users (domain\test).  So the LSA authentication is
> working fine.  If I specify a Group, then I receive "Access rejected for
> test:  AuthBy LSA User is not a member of any Group".  I tried to use a
> local group (locally on the server) or a Global (Domain) Group without success.
>
> Here is my config:
>
> Foreground
> LogStdout
> LogDir            c:/Program Files/Radiator
> DbDir       c:/Program Files/Radiator
>
> Trace             5
>
> <Client DEFAULT>
>       Secret      mysecret
>       DupInterval 0
> </Client>
>
> <Realm DEFAULT>
>       <AuthBy LSA>
>             Group TestGroup
>             Group Users
>       </AuthBy>
> </Realm>
>
> And the debug:
>
> Tue Jul  6 08:56:17 2004: DEBUG: Packet dump:
> *** Received from 127.0.0.1 port 1466 ....
>
> Packet length = 90
> 01 3d 00 5a 31 32 33 34 35 36 37 38 39 30 31 32
> 33 34 35 36 01 06 74 65 73 74 06 06 00 00 00 02
> 04 06 cb 3f 9a 01 05 06 00 00 04 d2 1e 0b 31 32
> 33 34 35 36 37 38 39 1f 0b 39 38 37 36 35 34 33
> 32 31 3d 06 00 00 00 00 02 12 c8 b9 6c 99 9a 6a
> 33 ce bc 38 09 a0 d8 7d 78 99
> Code:       Access-Request
> Identifier: 61
> Authentic:  1234567890123456
> Attributes:
>         User-Name = "test"
>         Service-Type = Framed-User
>         NAS-IP-Address = 203.63.154.1
>         NAS-Port = 1234
>         Called-Station-Id = "123456789"
>         Calling-Station-Id = "987654321"
>         NAS-Port-Type = Async
>         User-Password = "<200><185>l<153><154>j3<206><188>8<9><160><216>}x<153>"
>
>
> Tue Jul  6 08:56:17 2004: DEBUG: Handling request with Handler 'Realm=DEFAULT'
> Tue Jul  6 08:56:17 2004: DEBUG:  Deleting session for test, 203.63.154.1, 1234
> Tue Jul  6 08:56:17 2004: DEBUG: Handling with Radius::AuthLSA:
> Tue Jul  6 08:56:17 2004: DEBUG: Radius::AuthLSA looks for match with test
> Tue Jul  6 08:56:17 2004: DEBUG: Radius::AuthLSA REJECT: AuthBy LSA User is not a member of any Group
> Tue Jul  6 08:56:17 2004: INFO: Access rejected for test: AuthBy LSA User is not a member of any Group
> Tue Jul  6 08:56:17 2004: DEBUG: Packet dump:
> *** Sending to 127.0.0.1 port 1466 ....
>
> Packet length = 36
> 03 3d 00 24 dd 31 ca 56 f2 e2 1b 8e 89 66 3a 06
> 1b 34 45 47 12 10 52 65 71 75 65 73 74 20 44 65
> 6e 69 65 64
> Code:       Access-Reject
> Identifier: 61
> Authentic:  1234567890123456
> Attributes:
>         Reply-Message = "Request Denied"
>
>
> Thanks
>
> Michel Lapointe
> The Jean Coutu Group (PJC) inc.
>
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
>
>

NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
