[Samba] Using Linux domain member machine account for WPA-Enterprise authentication
Kees van Vloten
keesvanvloten at gmail.com
Fri Oct 20 15:40:57 UTC 2023
Hi Michael and Samba-team,
I found the message below on the list, but it looks like nobody replied to it.
I have the configuration setup on the Samba-side and indeed it works on
Windows with machine-account authentication. It connects to wifi before
a user logs in and there is no chance of lockout due to an expired user
password in the wifi configuration.
I would love to have the same working on my Linux domain-member clients.
@Michael, did you manage to get it working?
Or somebody else on the list perhaps :-) ?
- Kees.
On 13-02-2022 at 23:37 Michael Jones via samba wrote:
> I've noticed that when a Windows computer that is in my domain connects to
> my WPA-Enterprise wifi it first attempts to authenticate with the SSID
> using the domain member's machine account, instead of prompting the user to
> enter their own credentials.
>
> Has anyone ever tried to do this with a Linux domain member?
>
> For example, my linux domain member laptop uses Network Manager as the GUI,
> with Intel Wireless Daemon as the wifi card driver. Currently the two
> programs aren't seamlessly integrated, so I need to write my own config
> file for IWD that has username / password settings. Such as
>
>
> ~ # cat /var/lib/iwd/MySSID.8021x
> [Security]
> EAP-Method=PEAP
> EAP-Identity=NETWORK-1\\anonymous
> EAP-PEAP-Phase2-Method=MSCHAPV2
> EAP-PEAP-Phase2-Identity=NETWORK-1\\jonesmz
> EAP-PEAP-Phase2-Password=PASSWORD-GOES-HERE
>
> [Settings]
> AutoConnect=true
>
> However, what I'd really like to do is have a linux domain member first
> attempt to use the machine account to authenticate with the freeradius /
> domain controller servers prior to prompting for user credentials, and if
> user credentials are needed, first attempt to use the domain credentials
> for the currently logged in user before prompting. Similar to how it works
> in Windows 10.
>
> Is there any prior art for this in the linux world?
>
> Would a solution look like a script that Samba calls when the machine
> account is updated periodically, that writes out an iwd file?
>
> Or would it be better to have iwd call a program to fetch each credential
> to try in turn, however it does so?
>
> I'm no stranger to writing code, so that doesn't bother me. But I don't
> know what the right approach is, or if there's anything out there that gets
> me part of the way.
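The "script that writes out an iwd file" option from the quoted mail, as an added example that is not from the thread, Samba or iwd. It assumes (hypothetically) that the host is a Samba domain member whose current machine password lives in /var/lib/samba/private/secrets.tdb under the key SECRETS/MACHINE_PASSWORD/<DOMAIN> (readable with the python3-tdb module), and that the RADIUS server accepts PEAP/MSCHAPv2 with the machine identity DOMAIN\HOST$. The profile follows the layout of the posted MySSID.8021x file, including its doubled backslashes; it is written atomically with mode 0600 because it holds the machine credential, and it has to be re-rendered whenever winbind rotates the machine password (smb.conf "machine password timeout", 7 days by default), for example from a timer.

```python
#!/usr/bin/env python3
"""Render an iwd .8021x profile that authenticates with the Samba machine account.

Added example; not part of Samba or iwd. Assumptions are marked in comments.
"""
import os
import socket
import tempfile
from pathlib import Path

# Assumption: default Samba private dir and iwd state dir.
SECRETS_TDB = Path("/var/lib/samba/private/secrets.tdb")
IWD_DIR = Path("/var/lib/iwd")


def iwd_escape(value: str) -> str:
    """Double backslashes, matching the convention of the posted MySSID.8021x."""
    return value.replace("\\", "\\\\")


def machine_identity(domain: str, hostname: str) -> str:
    """AD machine accounts are HOST$; MSCHAPv2 identity is DOMAIN\\HOST$ (assumed)."""
    short_host = hostname.split(".")[0].upper()
    return f"{domain.upper()}\\{short_host}$"


def read_machine_password(domain: str, tdb_path: Path = SECRETS_TDB) -> str:
    """Fetch the current machine password from secrets.tdb (root only).

    Assumption: key SECRETS/MACHINE_PASSWORD/<DOMAIN>, NUL-terminated value.
    """
    import tdb  # python3-tdb, shipped with Samba

    db = tdb.Tdb(str(tdb_path), 0, tdb.DEFAULT, os.O_RDONLY)
    try:
        value = db.get(f"SECRETS/MACHINE_PASSWORD/{domain.upper()}".encode())
    finally:
        db.close()
    if value is None:
        raise KeyError(f"no machine password for {domain} in {tdb_path}")
    return value.rstrip(b"\0").decode()


def render_profile(domain: str, hostname: str, password: str,
                   anonymous: str = "anonymous") -> str:
    """Build the .8021x file content; outer identity stays anonymous,
    the MSCHAPv2 inner identity is the machine account."""
    outer = iwd_escape(f"{domain.upper()}\\{anonymous}")
    inner = iwd_escape(machine_identity(domain, hostname))
    lines = [
        "[Security]",
        "EAP-Method=PEAP",
        f"EAP-Identity={outer}",
        "EAP-PEAP-Phase2-Method=MSCHAPV2",
        f"EAP-PEAP-Phase2-Identity={inner}",
        f"EAP-PEAP-Phase2-Password={iwd_escape(password)}",
        "",
        "[Settings]",
        "AutoConnect=true",
        "",
    ]
    return "\n".join(lines)


def write_profile(ssid: str, content: str, iwd_dir: Path = IWD_DIR) -> Path:
    """Atomically replace <iwd_dir>/<ssid>.8021x with mode 0600.

    The temp file is created in the target directory so os.replace is atomic,
    and chmod happens before the rename so the secret is never world-readable.
    """
    iwd_dir.mkdir(parents=True, exist_ok=True)
    target = iwd_dir / f"{ssid}.8021x"
    fd, tmp_name = tempfile.mkstemp(dir=iwd_dir, prefix=f".{ssid}.")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(content)
        os.chmod(tmp_name, 0o600)
        os.replace(tmp_name, target)
    except BaseException:
        os.unlink(tmp_name)
        raise
    return target


def main(domain: str, ssid: str) -> Path:
    password = read_machine_password(domain)
    profile = render_profile(domain, socket.getfqdn(), password)
    return write_profile(ssid, profile)


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 3:
        sys.exit(f"usage: {sys.argv[0]} DOMAIN SSID")
    print(main(sys.argv[1], sys.argv[2]))
```

Run it as root after `net ads join`, e.g. `./iwd-machine-profile.py NETWORK-1 MySSID`, and again from a timer more often than the machine password timeout; iwd picks up the rewritten profile on its next connection attempt. This only covers the "machine account first" half of the question; falling back to the logged-in user's credentials would need a second profile or an iwd-side mechanism that this script does not provide.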