[Samba] ADUC missing msNPAllowDialin and need vpn advice for ad setup.
L.P.H. van Belle
belle at bazuin.nl
Thu Dec 14 11:23:43 UTC 2017
Hi Rowland,
Even though msNPAllowDialin is a standard attribute, it's not in my AD anymore, at least not within the user fields.
I think that over time this disappeared while fixing things.
This setup has been running and upgraded as of Samba 4.1, but thanks for that info; reading that after my lunch.
If I have more questions, I'll mail again.
Thanks!
Greetz,
Louis
> -----Original message-----
> From: Rowland Penny [mailto:rpenny at samba.org]
> Sent: Thursday 14 December 2017 11:54
> To: samba at lists.samba.org
> CC: L.P.H. van Belle
> Subject: Re: [Samba] ADUC missing msNPAllowDialin and need
> vpn advice for ad setup.
>
> On Thu, 14 Dec 2017 11:09:52 +0100
> "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
>
> > Hi,
> >
> > I'm reading:
> > https://wiki.samba.org/index.php/VPN_Single_SignOn_with_Samba_AD
> >
> > I wanted to use the "msNPAllowDialin", in the ADUC tab "Dial-in", but I
> > noticed this one was gone / I was missing this one:
> > https://wiki.samba.org/images/8/88/MsNPAllowDialin.jpg Admin PC,
> > Windows 7 64bit, Samba 4.7.3. AD Reinstalled it with the needed
> > DLLs from a win2008R2.
> > Now my Dial-in tab is shown in ADUC, but when I try to open it I get an
> > error. I had a look in the AD with my AD browser and I see I'm missing
> > for example: msNPAllowDialin in the AD, and possibly more.
> >
> >
> > So my question: how can I add all needed properties back into the AD,
> > like msNPAllowDialin? Does Samba have anything that can sort of
> > restore these? samba-tool dbcheck and --cross-nc show 0 errors. Or
> > should I import the radius schema and use that?
> > The result I'm going for is a strongSwan server with user auth
> > from AD/LDAP with or without RADIUS. VPN is already up and tested
> > with eap-mschapv2, with plain text username/passwords, and I'm now
> > reading into the LDAP part. So if anyone has some tips, that would be
> > great.
> >
> > Greetz,
> >
> > Louis
> >
> >
>
> Hi Louis,
>
> The 'msNPAllowDialin' is a standard AD attribute:
>
> cn: msNPAllowDialin
> ldapDisplayName: msNPAllowDialin
> attributeId: 1.2.840.113556.1.4.1119
> attributeSyntax: 2.5.5.8
> omSyntax: 1
> isSingleValued: TRUE
> schemaIdGuid: db0c9085-c1f2-11d1-bbc5-0080c76670c0
> systemOnly: FALSE
> searchFlags: fCOPY
> attributeSecurityGuid: 037088f8-0ae1-11d2-b422-00a0c968f939
> systemFlags: FLAG_SCHEMA_BASE_OBJECT
>
> If you look here:
>
> https://msdn.microsoft.com/en-us/library/ms678093(v=vs.85).aspx
>
> it says:
>
> Do not modify this value directly.
>
> But I also found this:
>
> http://www.wisesoft.co.uk/scripts/vbscript_write_msnpallowdialin_attribute.aspx
>
> From which, it seems that if you don't have the attribute,
> you 'Control access through remote access policy'.
> If you have the attribute, it can only be set to 'TRUE' or 'FALSE'.
>
> Rowland
>
>
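
Added example, not part of the thread or of Samba: the three states described in the quoted reply (attribute absent, TRUE, FALSE), applied to LDIF output from a user search the way a VPN authorization check might apply them. The sample LDIF, the function names and the choice to deny on any value other than TRUE are assumptions of this example.

```python
import base64

# Constructed sample LDIF (made-up users and DNs), as a user search might return it.
SAMPLE_LDIF = """\
dn: CN=alice,CN=Users,DC=example,DC=com
sAMAccountName: alice
msNPAllowDialin: TRUE

dn: CN=bob,CN=Users,DC=example,DC=com
sAMAccountName: bob
msNPAllowDialin: FALSE

dn: CN=carol with a long common name,CN=Users,
 DC=example,DC=com
sAMAccountName: carol

dn: CN=dave,CN=Users,DC=example,DC=com
sAMAccountName:: ZGF2ZQ==
msnpallowdialin: yes
"""

def parse_ldif(text):
    # Returns a list of entries: dict of lowercased attribute name -> list of values.
    entries, current, logical = [], {}, []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:       # folded continuation line
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    for line in logical + [""]:
        if not line.strip():                      # blank line ends an entry
            if current:
                entries.append(current)
            current = {}
        elif not line.startswith("#"):            # skip LDIF comments
            name, _, value = line.partition(":")
            if value.startswith(":"):             # "attr:: <base64 value>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            current.setdefault(name.lower(), []).append(value.strip())
    return entries

def dialin_decision(entry):
    values = entry.get("msnpallowdialin")
    if values is None:
        return "policy"   # attribute absent: controlled by remote access policy
    return "allow" if values == ["TRUE"] else "deny"   # fail closed on anything else

def classify(text):
    return {e["samaccountname"][0]: dialin_decision(e)
            for e in parse_ldif(text) if "samaccountname" in e}
```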