[Samba] ADUC missing msNPAllowDialin and need vpn advice for ad setup.
L.P.H. van Belle
belle at bazuin.nl
Thu Dec 14 11:23:43 UTC 2017
Even that msNPAllowDialin is a standard attribute, its not in my AD anymore, at least not within the users fields.
I think in time this disapert wil fixing things..
This setup is running and upgraded as of samba 4.1. but thank for that info, reading that after my lunch.
If i have more questions, i'll mail again.
> -----Oorspronkelijk bericht-----
> Van: Rowland Penny [mailto:rpenny at samba.org]
> Verzonden: donderdag 14 december 2017 11:54
> Aan: samba at lists.samba.org
> CC: L.P.H. van Belle
> Onderwerp: Re: [Samba] ADUC missing msNPAllowDialin and need
> vpn advice for ad setup.
> On Thu, 14 Dec 2017 11:09:52 +0100
> "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
> > Hai,
> > Im reading :
> > https://wiki.samba.org/index.php/VPN_Single_SignOn_with_Samba_AD
> > I wanted to use the "msNPAllowDialin" , in ADUC tab "Dail-in" but i
> > notices this one was gone/ i was missing this one :
> > https://wiki.samba.org/images/8/88/MsNPAllowDialin.jpg Admin pc,
> > windows 7 64bit, samba 4.7.3. AD Reinstalled it with the needed
> > dll's from a win2008R2.
> > Now my Dail in tab is shown in ADUC but when i try to open i get an
> > error. I had a look in the AD with my AD browser and i see
> im missing
> > for example : msNPAllowDialin in the AD and possible more.
> > So my question, how can i add all needed properties back in the Ad
> > like the msNPAllowDialin . Does samba have anything what
> can sort of
> > restore these, samba-tool dbcheck and --cross-nc show 0 errors. Or
> > should i import the radius schema and use that?
> > The results where im going at is a strongswan server with user auth
> > from ad/ldap with or without radius. vpn is already up and tested
> > with eap-mschapv2, with plain text username/passwords and im reading
> > now into the ldap part. so if anyone has some tips, that would be
> > great.
> > Greetz,
> > Louis
> Hi Louis,
> The 'msNPAllowDialin' is a standard AD attribute:
> cn: msNPAllowDialin
> ldapDisplayName: msNPAllowDialin
> attributeId: 1.2.840.1135184.108.40.2069
> attributeSyntax: 220.127.116.11
> omSyntax: 1
> isSingleValued: TRUE
> schemaIdGuid: db0c9085-c1f2-11d1-bbc5-0080c76670c0
> systemOnly: FALSE
> searchFlags: fCOPY
> attributeSecurityGuid: 037088f8-0ae1-11d2-b422-00a0c968f939
> systemFlags: FLAG_SCHEMA_BASE_OBJECT
> If you look here:
> it says:
> Do not modify this value directly.
> But I also found this:
> From which, it seems that if you don't have the attribute,
> you 'Control
> access through remote access policy'
> If you have the attribute, it can only be set to 'TRUE' or 'FALSE'
More information about the samba