[Samba] Winbind problem when exec freeradius

Javier Jimenez javier.jimenezdiaz at gmail.com
Mon May 16 07:28:06 GMT 2005

Hi list!
  I'm trying to authenticate Active Directory Users via freeradius. I
can do it in a general case (user and domain) without
problem. Now I have to do it restricting the authentication to the
members of a group.

I can execute the script (as it is put in radiusd.conf) correctly from the
command line:

Deb:~# /usr/bin/ntlm_auth --username=javi2 --require-membership-of='AAMM\MyGroup'  --domain=AAMM
NT_STATUS_OK: Success (0x0)
Deb:~# /usr/bin/ntlm_auth --username=javi2 --require-membership-of='AAMM\OtherGroup'  --domain=AAMM
NT_STATUS_LOGON_FAILURE: Logon failure (0xc000006d)

So samba and winbind look to be correctly configured, but when radius
executes it, it looks as if winbind couldn't resolve the group's name.
My line in radiusd.conf is:

ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
--username=%{mschap:User-Name} --require-membership-of='AAMM\\MyGroup'
--domain=%{mschap:NT-Domain} --challenge=%{mschap:Challenge:-00}

And get the next logs:

radius_xlat:  '/usr/bin/ntlm_auth --request-nt-key --username=javi2
--require-membership-of='AAMM\MyGroup'  --domain=AAMM
--nt-response=bce392db1fcd91380690317e7cd1228e78940576d78fde21 '
Exec-Program: /usr/bin/ntlm_auth --request-nt-key --username=javi2
--require-membership-of='AAMM\MyGroup'  --domain=AAMM
[2005/05/16 09:05:57, 0] utils/ntlm_auth.c:get_require_membership_sid(237)
 Winbindd lookupname failed to resolve 'AAMM\MyGroup' into a SID!

Does anybody know why this could be happening? Thanks in advance for any help!!
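
The post runs the same command through two paths, an interactive shell and radiusd's Exec-Program, and only the second fails to resolve the group. The following is an added example (not part of the original post, and not FreeRADIUS or Samba code) that shows how the value handed to `--require-membership-of` depends on who tokenizes the line. The post does not say how radiusd splits the command, so `whitespace_argv` is an assumed stand-in for an exec path that involves no shell; all function names are hypothetical.

```python
import shlex

# Command line copied from the radius_xlat log line in the post (NT response omitted).
LOGGED = (r"/usr/bin/ntlm_auth --request-nt-key --username=javi2 "
          r"--require-membership-of='AAMM\MyGroup' --domain=AAMM")
OPT = "--require-membership-of="


def shell_argv(cmd):
    """Tokenize the way a POSIX shell does: quotes are removed, backslashes honoured."""
    return shlex.split(cmd, posix=True)


def whitespace_argv(cmd):
    """Assumed stand-in for an exec path with no shell: split on blanks only."""
    return cmd.split()


def group_value(argv):
    """Return the group name ntlm_auth would be asked to resolve, or None."""
    for arg in argv:
        if arg.startswith(OPT):
            return arg[len(OPT):]
    return None


def problems(value, expected=r"AAMM\MyGroup"):
    """List the ways the received value differs from DOMAIN\\Group."""
    found = []
    if value is None:
        return ["option missing"]
    if value[:1] in ("'", '"') or value[-1:] in ("'", '"'):
        found.append("literal quote characters")
    if value.strip("'\"").count("\\") != 1:
        found.append("backslash count is not 1")
    if not found and value != expected:
        found.append("unexpected value")
    return found


def compare(cmd=LOGGED):
    """Map each tokenizer name to (value received, list of problems)."""
    out = {}
    for name, split in (("shell", shell_argv), ("no-shell", whitespace_argv)):
        value = group_value(split(cmd))
        out[name] = (value, problems(value))
    return out


if __name__ == "__main__":
    for name, (value, issues) in compare().items():
        print(f"{name:9} {value!r:20} {issues or 'ok'}")
```

Comparing this output with the argument ntlm_auth actually receives under radiusd shows whether quoting or backslash handling differs between the two paths.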
