(RADIATOR) Ref.: Re: (RADIATOR) Trying to get Windows Group membership working in AuthLSA

Mike McCauley mikem at open.com.au
Wed Jul 7 19:07:14 CDT 2004


Hello Michel,

Thanks for reporting this issue.
We have now issued a patch that should fix this problem.

In AuthBy LSA, if Group is required and DomainController is not specified,
it will now attempt to find the domain controller based on the user's domain.

The patch is available in the Radiator 3.9 patches area.

Cheers.


On Wed, 7 Jul 2004 02:12 pm, Michel Lapointe wrote:
> Here is more information:
>
> I do not have a lot of experience with Perl (in fact, it's my first look at
> it), but I did some digging into the code and the Internet and found the
> following situation for the Windows Group support.
>
> First, Win32::NetAdmin::GroupIsMember(server, name, user) does not support
> the domain\username form for the user parameter.  So the "domain\" part
> should always be stripped off.
>
> Second, Win32::NetAdmin::GroupIsMember(server, name, user) requires the
> server parameter, which cannot be a domain name.  So if DomainController is
> not specified in the config file, the code should try to find the
> appropriate server (maybe using Win32::NetAdmin::GetDomainController) based
> on the appropriate domain.  Obviously, for performance, it should not have
> to look up a DC for a specific domain for every request.  So there should be
> some sort of caching involved.
>
> I guess that the code needed to support all the possible scenarios
> is not that simple.
>
> Thanks
>
> Michel Lapointe
> The Jean Coutu Group (PJC) inc.
>
> From: "Michel Lapointe" <MLapointe at jeancoutu.com>
> Sent by: owner-radiator at open.com.au
> 2004-07-06 20:55
> To: "radiator at open.com.au" <radiator at open.com.au>
> cc:
> Subject: Re: (RADIATOR) Trying to get Windows Group membership working in AuthLSA
>
> Hi,
>
> I did a number of tests and I finally got it to work, but not exactly how
> I would like it.  Here are two observations:
>
> 1. The Group feature needs the DomainController to be present.
> 2. When the Group feature is in use, I can no longer specify the domain
> before the username (i.e. "domain\user") to authenticate.
>
> These observations may be wrong, but this is how it behaves on my systems.
> The first one is important for us because we are in a high-availability
> environment and we must not specify a single static domain controller
> unless we can specify more than one (can we?).  The second one is also
> important because we are using more than one domain and we must allow
> inter-domain authentication.
>
> Thanks
>
> Michel Lapointe
> The Jean Coutu Group (PJC) inc.
>
> From: Hugh Irvine <hugh at open.com.au>
> 2004-07-06 19:34
> To: "Michel Lapointe" <MLapointe at jeancoutu.com>
> cc: "radiator at open.com.au" <radiator at open.com.au>
> Subject: Re: (RADIATOR) Trying to get Windows Group membership working in AuthLSA
>
> Salut Michel -
>
> Here is the relevant code from "Radius/AuthLSA.pm":
>
> #####################################################################
> # Check if the user is in the global group
> sub userIsInGroup
> {
>      my ($self, $user, $group) = @_;
>
>      require Win32::NetAdmin;
>      import Win32::NetAdmin;
>
>      return Win32::NetAdmin::GroupIsMember($self->{DomainController}, $group, $user);
> }
>
>
> You can only specify a global group for checking.
>
> regards
>
> Hugh
>
> On 7 Jul 2004, at 00:10, Michel Lapointe wrote:
> > Hi,
> >
> > I'm evaluating Radiator 3.9 with all patches on Windows 2000 Server SP4
> > (member server).  I'm trying to use the new Windows Group Membership
> > feature but it does not seem to work.
> >
> > If I don't specify any Group, I can successfully authenticate both local
> > users (test) and domain users (domain\test).  So the LSA authentication is
> > working fine.  If I specify a Group, then I receive "Access rejected for
> > test:  AuthBy LSA User is not a member of any Group".  I tried to use a
> > local group (locally on the server) or a Global (Domain) Group without
> > success.
> >
> > Here is my config:
> >
> > Foreground
> > LogStdout
> > LogDir            c:/Program Files/Radiator
> > DbDir       c:/Program Files/Radiator
> >
> > Trace             5
> >
> > <Client DEFAULT>
> >       Secret      mysecret
> >       DupInterval 0
> > </Client>
> >
> > <Realm DEFAULT>
> >       <AuthBy LSA>
> >             Group TestGroup
> >             Group Users
> >       </AuthBy>
> > </Realm>
> >
> > And the debug:
> >
> > Tue Jul  6 08:56:17 2004: DEBUG: Packet dump:
> > *** Received from 127.0.0.1 port 1466 ....
> >
> > Packet length = 90
> > 01 3d 00 5a 31 32 33 34 35 36 37 38 39 30 31 32
> > 33 34 35 36 01 06 74 65 73 74 06 06 00 00 00 02
> > 04 06 cb 3f 9a 01 05 06 00 00 04 d2 1e 0b 31 32
> > 33 34 35 36 37 38 39 1f 0b 39 38 37 36 35 34 33
> > 32 31 3d 06 00 00 00 00 02 12 c8 b9 6c 99 9a 6a
> > 33 ce bc 38 09 a0 d8 7d 78 99
> > Code:       Access-Request
> > Identifier: 61
> > Authentic:  1234567890123456
> > Attributes:
> >         User-Name = "test"
> >         Service-Type = Framed-User
> >         NAS-IP-Address = 203.63.154.1
> >         NAS-Port = 1234
> >         Called-Station-Id = "123456789"
> >         Calling-Station-Id = "987654321"
> >         NAS-Port-Type = Async
> >         User-Password = "<200><185>l<153><154>j3<206><188>8<9><160><216>}x<153>"
> >
> >
> > Tue Jul  6 08:56:17 2004: DEBUG: Handling request with Handler 'Realm=DEFAULT'
> > Tue Jul  6 08:56:17 2004: DEBUG:  Deleting session for test, 203.63.154.1, 1234
> > Tue Jul  6 08:56:17 2004: DEBUG: Handling with Radius::AuthLSA:
> > Tue Jul  6 08:56:17 2004: DEBUG: Radius::AuthLSA looks for match with test
> > Tue Jul  6 08:56:17 2004: DEBUG: Radius::AuthLSA REJECT: AuthBy LSA User is not a member of any Group
> > Tue Jul  6 08:56:17 2004: INFO: Access rejected for test: AuthBy LSA User is not a member of any Group
> > Tue Jul  6 08:56:17 2004: DEBUG: Packet dump:
> > *** Sending to 127.0.0.1 port 1466 ....
> >
> > Packet length = 36
> > 03 3d 00 24 dd 31 ca 56 f2 e2 1b 8e 89 66 3a 06
> > 1b 34 45 47 12 10 52 65 71 75 65 73 74 20 44 65
> > 6e 69 65 64
> > Code:       Access-Reject
> > Identifier: 61
> > Authentic:  1234567890123456
> > Attributes:
> >         Reply-Message = "Request Denied"
> >
> >
> > Thanks
> >
> > Michel Lapointe
> > The Jean Coutu Group (PJC) inc.
> >
> >
> > --
> > Archive at http://www.open.com.au/archives/radiator/
> > Announcements on radiator-announce at open.com.au
> > To unsubscribe, email 'majordomo at open.com.au' with
> > 'unsubscribe radiator' in the body of the message.
>
> NB: have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
>
> --
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> -
> Nets: internetwork inventory and management - graphical, extensible,
> flexible with hardware, software, platform and database independence.
> -
> CATool: Private Certificate Authority for Unix and Unix-like systems.
>

-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474                       Fax   +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP etc on Unix, Windows, MacOS etc.
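As an added illustration of the lookup-and-cache approach Michel describes and the behaviour Mike's note announces (example code written here, not Radiator's AuthLSA.pm or the patch): strip the "domain\" prefix, resolve the domain controller with Win32::NetAdmin::GetDomainController when no DomainController is configured, cache it per domain, then call GroupIsMember. The package name, helper names and the choice to check a bare user name against the local machine are assumptions.

```perl
# Added example, not Radiator's code: DC lookup per domain with caching,
# then a Win32::NetAdmin group membership check. Windows only.
package Example::LsaGroupCheck;   # hypothetical package name
use strict;
use warnings;
use Win32::NetAdmin qw(GetDomainController GroupIsMember);

# Domain name -> domain controller name, filled on first use so a DC is
# not looked up for every request (the caching Michel asks for).
my %dc_cache;

# Split "DOMAIN\user" into (domain, user); a bare name has no domain part.
sub split_user {
    my ($name) = @_;
    return $name =~ /^([^\\]+)\\(.+)$/ ? ($1, $2) : (undef, $name);
}

# Server to ask about group membership: the configured DomainController
# if any, else the DC for the user's domain (cached), else (assumption)
# the local machine, which Win32::NetAdmin names with an empty string.
sub membership_server {
    my ($self, $domain) = @_;
    return $self->{DomainController} if defined $self->{DomainController};
    return '' unless defined $domain;
    unless (exists $dc_cache{$domain}) {
        my $dc;
        # GetDomainController(server, domain, returnedName): empty server
        # means the local machine; $dc receives a name like "\\\\DC1".
        $dc = undef unless GetDomainController('', $domain, $dc);
        $dc_cache{$domain} = $dc;
    }
    return $dc_cache{$domain};
}

# Returns 1 if $fullname is a member of at least one configured Group,
# 0 otherwise (also when no DC can be found for the user's domain).
sub userIsInAnyGroup {
    my ($self, $fullname, @groups) = @_;
    my ($domain, $user) = split_user($fullname);
    my $server = $self->membership_server($domain);
    return 0 unless defined $server;
    for my $group (@groups) {
        return 1 if GroupIsMember($server, $group, $user);
    }
    return 0;
}

1;
```

With the two Group lines from Michel's config, the check for a domain user would be `$self->userIsInAnyGroup('domain\test', 'TestGroup', 'Users')`, and a failed DC lookup is cached as undef so a broken domain rejects quickly rather than retrying on every request.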
