[Samba] Using Linux domain member machine account for WPA-Enterprise authentication

Kees van Vloten keesvanvloten at gmail.com
Fri Oct 20 15:40:57 UTC 2023 

Hi Michael and Samba-team,

I found below message on the list, but it looks like nobody replied to it.

I have the configuration setup on the Samba-side and indeed it works on 
Windows with machine-account authentication. It connects to wifi before 
a user logs in and there is no chance of lockout due to an expired user 
password in the wifi configuration.

I would love to have the same working on my Linux domain-member clients.


@Micheal, did you manage to get it working?

Or sombody else on the list perhaps :-) ?


- Kees.



Op 13-02-2022 om 23:37 schreef Michael Jones via samba:
> I've noticed that when a Windows computer that is in my domain connects to
> my WPA-Enterprise wifi it first attempts to authenticate with the SSID
> using the domain member's machine account, instead of prompting the user to
> enter their own credentials.
>
> Has anyone ever tried to do this with a Linux domain member?
>
> For example, my linux domain member laptop uses Network Manager as the GUI,
> with Intel Wireless Daemon as the wifi card driver. Currently the two
> programs aren't seamlessly integrated, so I need to write my own config
> file for IWD that has username / password settings. Such as
>
>
>      ~ # cat /var/lib/iwd/MySSID.8021x
>      [Security]
>      EAP-Method=PEAP
>      EAP-Identity=NETWORK-1\\anonymous
>      EAP-PEAP-Phase2-Method=MSCHAPV2
>      EAP-PEAP-Phase2-Identity=NETWORK-1\\jonesmz
>      EAP-PEAP-Phase2-Password=PASSWORD-GOES-HERE
>
>      [Settings]
>      AutoConnect=true
>
> However, what I'd really like to do is have a linux domain member first
> attempt to use the machine account to authenticate with the freeradius /
> domain controller servers prior to prompting for user credentials, and if
> user credentials are needed, first attempt to use the domain credentials
> for the currently logged in user before prompting. Similar to how it works
> in Windows 10.
>
> Is there any prior art for this in the linux world?
>
> Would a solution look like a script that Samba calls when the machine
> account is updated periodically, that writes out an iwd file?
>
> Or would it be better to have iwd call a program to fetch each credential
> to try in turn, however it does so?
>
> I'm no stranger to writing code, so that doesn't bother me. But I don't
> know what the right approach is, or if there's anything out there that gets
> me part of the way.

More information about the samba mailing list