[Samba] Using Linux domain member machine account for WPA-Enterprise authentication

Michael Jones samba at jonesmz.com
Sun Feb 13 22:37:49 UTC 2022


I've noticed that when a Windows computer that is in my domain connects to
my WPA-Enterprise wifi it first attempts to authenticate with the SSID
using the domain member's machine account, instead of prompting the user to
enter their own credentials.

Has anyone ever tried to do this with a Linux domain member?

For example, my Linux domain member laptop uses Network Manager as the GUI,
with Intel Wireless Daemon as the wifi card driver. Currently the two
programs aren't seamlessly integrated, so I need to write my own config
file for IWD that has username / password settings, such as:


    ~ # cat /var/lib/iwd/MySSID.8021x
    [Security]
    EAP-Method=PEAP
    EAP-Identity=NETWORK-1\\anonymous
    EAP-PEAP-Phase2-Method=MSCHAPV2
    EAP-PEAP-Phase2-Identity=NETWORK-1\\jonesmz
    EAP-PEAP-Phase2-Password=PASSWORD-GOES-HERE

    [Settings]
    AutoConnect=true

However, what I'd really like to do is have a Linux domain member first
attempt to use the machine account to authenticate with the freeradius /
domain controller servers prior to prompting for user credentials, and if
user credentials are needed, first attempt to use the domain credentials
for the currently logged in user before prompting, similar to how it works
in Windows 10.

Is there any prior art for this in the linux world?

Would a solution look like a script that Samba calls when the machine
account is updated periodically, and that writes out an iwd file?

Or would it be better to have iwd call a program to fetch each credential
to try in turn, however it does so?

I'm no stranger to writing code, so that doesn't bother me. But I don't
know what the right approach is, or if there's anything out there that gets
me part of the way.
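One concrete shape for the "script that writes out an iwd file" approach, as an added example that is not code from the post, from Samba or from iwd: a small Python helper that renders a PEAP/MSCHAPv2 profile for the computer account and installs it under /var/lib/iwd with owner-only permissions. Two things are assumptions rather than facts from the post: the machine account password is supplied by a placeholder hook (`fetch_machine_password`, which a real implementation would replace with a read of Samba's secrets store), and the RADIUS server accepts a phase-2 identity of the form `host/<fqdn>` for computer accounts, which is the form Windows clients use. Unlike the profile in the post, the rendered file also sets `EAP-PEAP-CACert` and `EAP-PEAP-ServerDomainMask` (both documented in iwd.network(5)), so the MSCHAPv2 exchange is only performed against a server presenting a certificate from the expected CA and name; without those two lines any rogue access point advertising the SSID can collect the challenge/response. The hostname, realm, SSID and CA path in `demo()` are constructed for the example.

```python
"""Render and install an iwd .8021x profile for an AD machine account.

Added example; not code from the original post, Samba or iwd.  Assumptions
not in the post: the caller obtains the machine password (the hook
fetch_machine_password below is a placeholder for a read of Samba's secrets
store), and the RADIUS server accepts host/<fqdn> as the phase-2 identity.
"""
import os
import stat
import tempfile

IWD_DIR = "/var/lib/iwd"  # where iwd looks for <SSID>.8021x profiles


def fetch_machine_password() -> str:
    """Placeholder hook (constructed value); a real version would read the
    machine account password from Samba's secrets store."""
    return "constructed-machine-password"


def _escape(value: str) -> str:
    # Backslash is an escape character in iwd settings files, which is why the
    # post writes NETWORK-1\\anonymous; double every backslash before writing.
    return value.replace("\\", "\\\\")


def render_8021x(outer_identity, inner_identity, password, ca_cert, server_domain_mask):
    """Return the text of an iwd .8021x profile for PEAP/MSCHAPv2.

    EAP-PEAP-CACert pins the RADIUS server's CA and EAP-PEAP-ServerDomainMask
    pins its certificate name, so credentials are never sent to a rogue AP.
    """
    lines = [
        "[Security]",
        "EAP-Method=PEAP",
        f"EAP-Identity={_escape(outer_identity)}",
        f"EAP-PEAP-CACert={ca_cert}",
        f"EAP-PEAP-ServerDomainMask={server_domain_mask}",
        "EAP-PEAP-Phase2-Method=MSCHAPV2",
        f"EAP-PEAP-Phase2-Identity={_escape(inner_identity)}",
        f"EAP-PEAP-Phase2-Password={_escape(password)}",
        "",
        "[Settings]",
        "AutoConnect=true",
        "",
    ]
    return "\n".join(lines)


def install_profile(ssid: str, text: str, iwd_dir: str = IWD_DIR) -> str:
    """Write <iwd_dir>/<ssid>.8021x atomically with mode 0600; return its path.

    The file holds a reusable credential, so it is created unreadable to other
    users before any bytes land in it, then renamed into place.
    """
    if not ssid.isprintable() or any(c in ssid for c in "/\\"):
        # iwd names profiles for such SSIDs with a hex-encoded form; not handled here.
        raise ValueError("SSID needs iwd's hex-encoded file name; unsupported here")
    final = os.path.join(iwd_dir, f"{ssid}.8021x")
    fd, tmp = tempfile.mkstemp(prefix=".", suffix=".tmp", dir=iwd_dir)  # created 0600
    try:
        with os.fdopen(fd, "w") as f:
            f.write(text)
        os.replace(tmp, final)
    except BaseException:
        os.unlink(tmp)
        raise
    return final


def profile_is_private(path: str) -> bool:
    """True if only the owner can read or write the profile."""
    return stat.S_IMODE(os.stat(path).st_mode) == 0o600


def demo(iwd_dir=None) -> dict:
    """Build and install a machine-account profile (temp dir if none given)."""
    iwd_dir = iwd_dir or tempfile.mkdtemp()
    hostname, realm = "laptop", "network-1.example"        # constructed
    text = render_8021x(
        outer_identity="NETWORK-1\\anonymous",               # realm-prefixed, as in the post
        inner_identity=f"host/{hostname}.{realm}",            # assumed machine identity form
        password=fetch_machine_password(),
        ca_cert="/etc/ssl/certs/network-1-ca.pem",            # constructed path
        server_domain_mask=f"*.{realm}",
    )
    path = install_profile("MySSID", text, iwd_dir)
    return {"path": path, "text": text, "private": profile_is_private(path)}


if __name__ == "__main__":
    result = demo()
    print(result["path"])
    print(result["text"])
```

Run as root with no argument to `demo()` it writes into a throwaway directory; point `install_profile` at `IWD_DIR` from whatever hook Samba or a timer invokes after a machine password change, and iwd will pick the profile up on its next scan of the directory. Trying the machine account first and the logged-in user's credentials second, as Windows does, would mean running this once per credential source and letting iwd fall through on failure; nothing here implements that ordering.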

