Thanks for the report!

On Wed, Oct 26, 2016 at 10:24 AM, Markus Wigge <mar...@cultcom.de> wrote:

> Hi,
>
> first of all: thanks for your great work.
>
> Now the feedback:
> I built the freeradius 3.0.12 packages for jessie on my own based on
> your experimental sources.
> Overall that worked fine but I needed the debhelper bpo-version.
>
> The configuration looks unfamiliar but that is, I suppose, normal for a
> major release change and it is well documented upstream.
>

Yes, the /usr/share/doc/freeradius/NEWS.Debian.gz file contains the appropriate pointers.

>
> What I am still urgently missing is a working reference documentation on
> how to use ntlm_auth with freeradius.
>
> The samba folks changed the winbindd_privileged socket to 750 so
> changing the group on the folder does not change a lot as the group is
> not allowed to write to the socket.
>
> My current solution is an additional sudoers entry like this:
> ~# cat /etc/sudoers.d/freerad
>
> # allow freeradius to access private winbind socket
> freerad ALL=(root) NOPASSWD: /usr/bin/ntlm_auth
>
> And then I prepend "sudo" within the mschap module to the ntlm call.
>
> Tell me if you prefer other solutions like SUID/SGID bits or something.
> Changing the socket permissions does not work as they are restored on a
> winbindd restart.
>
> But freeradius is not the only software depending on ntlm_auth, so this
> should be documented somewhere popular.
>

Sorry, I have no clue about NTLM. Someone else will need to assist with that.

>
> The LDAP-Group problems I encountered using 2.x releases are gone so
> far, so that I need to stick with 3.x for production use.
>
> So from my point: Thumbs up for 3.x packages, please try to get them into
> the official jessie-backports, I'd be glad.
>
> Regards,
> Markus
>

--
Best regards,
Michael