[RADIATOR] add Attributes when retrying to a new Host in AuthROUNDROBIN (radiator Digest, Vol 63, Issue 14)

Garry Shtern Garry.Shtern at twosigma.com
Fri Oct 3 08:46:44 CDT 2014


Heikki,

That's a nice addition but one can simply add radiator user to winbindd_priv group on the system to accomplish the same thing if they are running without this patch.  There is really no need to ever run as root.

Thanks.

-----Original Message-----
From: radiator-bounces at open.com.au [mailto:radiator-bounces at open.com.au] On Behalf Of Heikki Vatiainen
Sent: Friday, October 03, 2014 8:14 AM
To: radiator at open.com.au
Subject: Re: [RADIATOR] add Attributes when retrying to a new Host in AuthROUNDROBIN (radiator Digest, Vol 63, Issue 14)

On 2.10.2014 18.48, David Zych wrote:

> It's taken me longer than I had hoped to circle back around to this, 
> but I wanted to say thanks very much for the new patches! I am using 
> them now to cope much more gracefully if one of my back-end "worker"
> processes gets stalled by an external dependency (i.e. ntlm_auth).
>
> Here are the key pieces, for the benefit of anyone else trying to 
> accomplish something similar.

Thanks for the update David. The patch in Radiator 4.13 patch set has not changed, so what you are using will work with the next release too.

There's also one recent change that might be useful to you and the other AuthBy NTLM users. The Group configuration parameter now accepts multiple group names. If you configure, for example, this on Ubuntu 12.04:

User radiator
Group radiator,winbindd_priv

Radiator will set the supplementary groups to winbindd_priv. Any files, such as logs, will be created with radiator:radiator ownership since the primary group is radiator.

Now, when radius starts a new ntlm_auth process this ntlm_auth process can access the winbindd socket since it's a member of winbindd_priv group. This allows AuthBy NTLM to work without running radiusd as root.
One might have tried to use sudo for something similar already, but now the Group option can also be used to specify the groups. If there are group names that cannot be resolved, then radiusd will not try to switch groups.

Thanks,
Heikki

--
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
_______________________________________________
radiator mailing list
radiator at open.com.au
http://www.open.com.au/mailman/listinfo/radiator
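The privilege-drop pattern Heikki describes (start as root, set the primary group from the first name in `Group`, the rest as supplementary groups, then switch user, and refuse to switch groups at all if any name does not resolve) is shown below as an added example. It is not Radiator's own code; the function names, the `lookup` hook and the group ids in the comments are assumptions made for illustration.

```python
"""Added example, not Radiator's own code: resolve a 'primary,supplementary'
group list such as 'radiator,winbindd_priv' and drop root privileges so that
child processes (like ntlm_auth) inherit access to group-restricted sockets.
Function and parameter names are hypothetical."""
import grp
import os
import pwd


def resolve_groups(group_spec, lookup=None):
    """Parse a comma-separated group list into (primary_gid, supplementary_gids).

    The first name is the primary group (owner of files the daemon creates,
    such as logs); the remaining names become supplementary groups.
    Returns None if any name cannot be resolved: the caller should then not
    switch groups at all rather than run with a partial set.
    `lookup` maps a group name to a gid; it defaults to the system group
    database and is injectable so the logic can be checked offline.
    """
    if lookup is None:
        def lookup(name):
            return grp.getgrnam(name).gr_gid  # KeyError if unknown
    names = [n.strip() for n in group_spec.split(",") if n.strip()]
    if not names:
        return None
    gids = []
    for name in names:
        try:
            gids.append(int(lookup(name)))
        except (KeyError, TypeError, ValueError):
            return None
    return gids[0], gids[1:]


def drop_privileges(user, group_spec, lookup=None, uid_lookup=None):
    """Switch the running process to `user` with the groups from `group_spec`.

    Must be called while still root. Returns False (and changes nothing) if a
    group name does not resolve, True after the switch succeeded.
    """
    groups = resolve_groups(group_spec, lookup)
    if groups is None:
        return False
    primary, supplementary = groups
    uid = pwd.getpwnam(user).pw_uid if uid_lookup is None else uid_lookup(user)
    # Order matters: supplementary groups and the primary gid must be set while
    # still root; setuid comes last because it gives up the right to change them.
    os.setgroups([primary] + supplementary)
    os.setgid(primary)
    os.setuid(uid)
    return True


if __name__ == "__main__":
    # Only meaningful when started as root, e.g. from an init script.
    if os.geteuid() == 0 and drop_privileges("radiator", "radiator,winbindd_priv"):
        print("now uid=%d gid=%d groups=%s" % (os.getuid(), os.getgid(), os.getgroups()))
    else:
        print("not root or group list did not resolve; no switch performed")
```

Because the primary gid is set first and `os.setgroups` receives the full list, new files keep `radiator:radiator` ownership while the process (and anything it spawns) still passes the winbindd socket's group check.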