[Samba] ADUC missing msNPAllowDialin and need vpn advice for ad setup.

L.P.H. van Belle belle at bazuin.nl
Thu Dec 14 11:23:43 UTC 2017


Hi Rowland,


Even though msNPAllowDialin is a standard attribute, it's not in my AD anymore, at least not within the users' fields.
I think over time this disappeared while fixing things.
This setup has been running and upgraded since Samba 4.1, but thanks for that info, I'm reading that after my lunch.

If I have more questions, I'll mail again.
Thanks! 

Greetz, 

Louis



 

> -----Original message-----
> From: Rowland Penny [mailto:rpenny at samba.org]
> Sent: Thursday 14 December 2017 11:54
> To: samba at lists.samba.org
> CC: L.P.H. van Belle
> Subject: Re: [Samba] ADUC missing msNPAllowDialin and need vpn advice for ad setup.
> 
> On Thu, 14 Dec 2017 11:09:52 +0100
> "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
> 
> > Hi,
> >
> > I'm reading:
> > https://wiki.samba.org/index.php/VPN_Single_SignOn_with_Samba_AD
> >
> > I wanted to use the "msNPAllowDialin" in the ADUC tab "Dial-in", but I
> > noticed this one was gone / I was missing this one:
> > https://wiki.samba.org/images/8/88/MsNPAllowDialin.jpg
> > Admin PC, Windows 7 64-bit, Samba 4.7.3. AD Reinstalled it with the needed
> > DLLs from a win2008R2.
> > Now my Dial-in tab is shown in ADUC, but when I try to open it I get an
> > error. I had a look in the AD with my AD browser and I see I'm missing,
> > for example, msNPAllowDialin in the AD and possibly more.
> >
> >
> > So my question: how can I add all needed properties back into the AD,
> > like msNPAllowDialin? Does Samba have anything that can sort of
> > restore these? samba-tool dbcheck and --cross-nc show 0 errors. Or
> > should I import the RADIUS schema and use that?
> > The result I'm going for is a strongSwan server with user auth
> > from AD/LDAP with or without RADIUS. The VPN is already up and tested
> > with eap-mschapv2, with plain-text usernames/passwords, and I'm reading
> > now into the LDAP part. So if anyone has some tips, that would be
> > great.
> >  
> > Greetz, 
> >  
> > Louis
> >  
> >  
> 
> Hi Louis, 
> 
> The 'msNPAllowDialin' is a standard AD attribute:
> 
> cn: msNPAllowDialin
> ldapDisplayName: msNPAllowDialin
> attributeId: 1.2.840.113556.1.4.1119
> attributeSyntax: 2.5.5.8
> omSyntax: 1
> isSingleValued: TRUE
> schemaIdGuid: db0c9085-c1f2-11d1-bbc5-0080c76670c0
> systemOnly: FALSE
> searchFlags: fCOPY
> attributeSecurityGuid: 037088f8-0ae1-11d2-b422-00a0c968f939
> systemFlags: FLAG_SCHEMA_BASE_OBJECT
> 
> If you look here:
> 
> https://msdn.microsoft.com/en-us/library/ms678093(v=vs.85).aspx
> 
> it says:
> 
> Do not modify this value directly.
> 
> But I also found this:
> 
> http://www.wisesoft.co.uk/scripts/vbscript_write_msnpallowdialin_attribute.aspx
>
> From which, it seems that if you don't have the attribute, you
> 'Control access through remote access policy'.
> If you have the attribute, it can only be set to 'TRUE' or 'FALSE'.
> 
> Rowland
> 
> 
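
The attribute semantics discussed in this thread (absent means the remote access policy decides; present means TRUE or FALSE only), as an added example that is not part of the original messages or of Samba: a fail-closed evaluation that a VPN authorization step could apply to directory entries. The sample entries, the function names and the policy_default parameter are assumptions made for illustration.

```python
# Added example. The directory entries below are constructed sample data.
SAMPLE_LDIF = """\
dn: CN=alice,CN=Users,DC=example,DC=test
sAMAccountName: alice
msNPAllowDialin: TRUE

dn: CN=bob,CN=Users,DC=example,DC=test
sAMAccountName: bob
msNPAllowDialin: FALSE

dn: CN=carol,CN=Users,DC=example,DC=test
sAMAccountName: carol

dn: CN=dave,CN=Users,DC=example,DC=test
sAMAccountName: dave
msNPAllowDialin: yes
"""

def parse_ldif(text):
    """Parse plain 'attr: value' LDIF records (no base64 values, no folded lines)."""
    entries, current = [], {}
    for line in text.splitlines() + [""]:      # trailing "" flushes the last record
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
        elif not line.startswith("#"):
            name, _, value = line.partition(":")
            current.setdefault(name.strip().lower(), []).append(value.strip())
    return entries

def dialin_decision(entry, policy_default="deny"):
    """Return (decision, reason) for one entry.

    policy_default is a hypothetical stand-in for whatever the remote access
    policy decides when the attribute is absent; it fails closed by default.
    """
    values = entry.get("msnpallowdialin", [])
    if not values:
        return policy_default, "attribute absent: remote access policy decides"
    if len(values) != 1 or values[0] not in ("TRUE", "FALSE"):
        return "deny", "malformed value"       # single-valued Boolean only
    return ("allow", "explicit TRUE") if values[0] == "TRUE" else ("deny", "explicit FALSE")

def decisions(ldif_text, policy_default="deny"):
    """Map sAMAccountName -> (decision, reason) for every entry in the LDIF text."""
    return {e["samaccountname"][0]: dialin_decision(e, policy_default)
            for e in parse_ldif(ldif_text)}
```

Treating a missing attribute as a separate third state, rather than as FALSE, keeps the decision log honest about which accounts were denied by an explicit setting and which were left to policy.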



