(RADIATOR) Support for Microsoft groups with AuthBy LSA

Hugh Irvine hugh at open.com.au
Wed Aug 2 18:28:41 CDT 2006


Hello John -

We have just added some additional group checking in AuthBy LSA -  
perhaps you could test it for us?

The patches are available in the Radiator 3.15 patch set.

thanks and regards

Hugh


On 2 Aug 2006, at 23:25, romanjoh at msnotes.wustl.edu wrote:

> Here is a link that explains the three types of group:
>
> http://technet2.microsoft.com/WindowsServer/en/library/79d93e46-ecab-4165-8001-7adc3c9f804e1033.mspx?mfr=true
>
> The highlights: "There are three group scopes: universal, global,  
> and domain local.
>
> Members of universal groups can include other groups and accounts  
> from any domain in the domain tree or forest and can be assigned  
> permissions in any domain in the domain tree or forest.
>
> Members of global groups can include other groups and accounts only  
> from the domain in which the group is defined and can be assigned  
> permissions in any domain in the forest.
>
> Members of domain local groups can include other groups and  
> accounts from Windows Server 2003, Windows 2000, or Windows NT  
> domains and can be assigned permissions only within a domain."
>
>
> Here is another link:
> http://www.samspublishing.com/articles/article.asp?p=98126&seqNum=2&rl=1
>
> Our need is to permit wireless access to members of a group. The  
> group is in one domain (the forest root domain) and the users are  
> in subdomains in that forest. This requires the use of universal  
> groups rather than global groups. I have just exhausted my  
> understanding of things Microsoft since I come from the networking  
> side, but if you have more questions let me know. I do wonder what  
> is the difference between global and universal groups that they are  
> treated differently in the system call below.
>
> Many thanks,
>
> john
>
> Hugh Irvine <hugh at open.com.au>
> 08/02/2006 03:41 AM
>
> To: romanjoh at msnotes.wustl.edu
> cc: radiator at open.com.au
> Subject: Re: (RADIATOR) Support for Microsoft groups with AuthBy LSA
>
>
> Hello John -
>
> At the moment Radiator only supports Global groups - but can you
> point us to some description of Universal groups?
>
> regards
>
> Hugh
>
>
> On 2 Aug 2006, at 02:42, romanjoh at msnotes.wustl.edu wrote:
>
> > We are evaluating Radiator to replace another Radius server, and
> > our need is to be able to authenticate users by Microsoft groups.
> > Specifically, we need support for universal groups. Three types of
> > Microsoft groups: Domain Local Groups, Global Groups, and Universal
> > Groups.
> >
> > The documentation indicates in 5.51.7 that "Only Global groups are
> > supported" for Groups in AuthBy LSA. The Perl code is:
> > Win32::NetAdmin::GroupIsMember($controller, $group, $username) in
> > AuthLSA.pm. I have not been able to tell from the ActiveState/
> > Win32::NetAdmin documentation which types of groups are supported.
> >
> > Does this mean (as it appears) that Universal Groups are not
> > supported? Does anyone have any experience or knowledge?
> >
> >
> > John Roman
> >
> > jroman at wustl.edu
> > Manager, Network Services
> > Washington University
> > Box 8132
> > 660 S Euclid Avenue
> > Saint Louis, MO 63110
> > 314-362-7334
>
>
>
> NB:
>
> Have you read the reference manual ("doc/ref.html")?
> Have you searched the mailing list archive (www.open.com.au/archives/
> radiator)?
> Have you had a quick look on Google (www.google.com)?
> Have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
>
> -- 
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> Includes support for reliable RADIUS transport (RadSec),
> and DIAMETER translation agent.
> -
> Nets: internetwork inventory and management - graphical, extensible,
> flexible with hardware, software, platform and database independence.
> -
> CATool: Private Certificate Authority for Unix and Unix-like systems.
>
>
>




--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.

