Checking Active Directory group membership with winbind


Checking Active Directory group membership with winbind

AlexJordaan
Hi

I am busy setting up a FreeRADIUS system on CentOS 7. I can authenticate
any AD user but want to authenticate only if the user belongs to a certain AD
group.

I found this thread, where it is explained that the winbind module in FreeRADIUS
can do it:

http://freeradius.1045715.n5.nabble.com/Checking-Active-Directory-group-membership-with-winbind-td5741346.html

----- snip --------
Usage is similar to rlm_ldap. Enable the winbind module in
mods-enabled, then you can:

  if (Winbind-Group == "my-user-group") {
    ...
  }

for an instance of rlm_winbind e.g.
------- snip---------

I have the repo-provided freeradius, samba and winbind packages installed and
can't seem to find the winbind module it is referring to.

[root@freeradpoc ~]# rpm -qa | grep freeradius
freeradius-doc-3.0.13-10.el7_6.x86_64
freeradius-utils-3.0.13-10.el7_6.x86_64
freeradius-3.0.13-10.el7_6.x86_64
freeradius-krb5-3.0.13-10.el7_6.x86_64
freeradius-ldap-3.0.13-10.el7_6.x86_64
[root@freeradpoc ~]# rpm -qa | grep samba
samba-common-4.8.3-4.el7.noarch
samba-winbind-modules-4.8.3-4.el7.x86_64
samba-client-libs-4.8.3-4.el7.x86_64
samba-client-4.8.3-4.el7.x86_64
samba-libs-4.8.3-4.el7.x86_64
samba-winbind-clients-4.8.3-4.el7.x86_64
samba-common-libs-4.8.3-4.el7.x86_64
samba-common-tools-4.8.3-4.el7.x86_64
samba-4.8.3-4.el7.x86_64
samba-winbind-4.8.3-4.el7.x86_64
[root@freeradpoc ~]#

Is this maybe due to the repo-provided packages that I used?

Regards
*Alex Jordaan*
Linux Engineer


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Checking Active Directory group membership with winbind

Mathieu Simon (Lists)
Hi Alex

Am 14.08.2019 um 08:32 schrieb Alex Jordaan:

> Hi
>
> I am busy setting up a FreeRADIUS system on CentOS 7. I can authenticate
> any AD user but want to authenticate only if the user belongs to a certain AD
> group.
>
> I found this thread, where it is explained that the winbind module in FreeRADIUS
> can do it:
>
> http://freeradius.1045715.n5.nabble.com/Checking-Active-Directory-group-membership-with-winbind-td5741346.html
Looking at the first post from Matt Newton, he refers to 3.1.x, which is now
in development as the next major version 4.x.
>
[...]
> I have the repo-provided freeradius, samba and winbind packages installed and
> can't seem to find the winbind module it is referring to.
Skimming over the thread, I'd understand that since you are using the 3.0
release on CentOS, you have to use rlm_ldap instead.

It shouldn't be very difficult to configure. One of the roadblocks to
check is whether your AD makes use of nested groups, in which case
you'll have to modify groupmembership_filter to use the special OID
filter for AD, like so:

membership_filter =
"(member:1.2.840.113556.1.4.1941:=%{control:Ldap-UserDn})"

Regards
Mathieu
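A worked rlm_ldap configuration for the approach Mathieu describes (FreeRADIUS 3.0.x on CentOS 7, AD group check with the nested-group matching rule), added here as an example and not taken from the thread or the FreeRADIUS project files. The host dc1.example.com, the bind account, the base DN and the group name radius-users are assumed placeholders.

```conf
# --- /etc/raddb/mods-available/ldap (FreeRADIUS 3.0.x), trimmed to the relevant parts ---
# Constructed example: host, credentials, DNs and group name are placeholders.
ldap {
    server = 'ldaps://dc1.example.com'        # LDAPS so the bind password and lookups are not sent in clear
    identity = 'CN=svc-radius,OU=Service Accounts,DC=example,DC=com'
    password = 'CHANGE-ME'                     # low-privilege, read-only bind account
    base_dn = 'DC=example,DC=com'

    user {
        base_dn = "${..base_dn}"
        # AD users log in by sAMAccountName, not the shipped default of uid
        filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
    }

    group {
        base_dn = "${..base_dn}"
        filter = '(objectClass=group)'
        name_attribute = cn

        # Weak: matches only groups the user is a direct member of, so a user
        # placed in a sub-group of radius-users is rejected.
        # membership_filter = "(member=%{control:Ldap-UserDn})"

        # Corrected for nested groups: LDAP_MATCHING_RULE_IN_CHAIN
        # (OID 1.2.840.113556.1.4.1941) makes AD walk the member chain.
        membership_filter = "(member:1.2.840.113556.1.4.1941:=%{control:Ldap-UserDn})"

        # memberOf on the user object lists direct groups only; when that check
        # does not match, rlm_ldap falls back to the filter query above.
        membership_attribute = 'memberOf'
    }
}

# --- /etc/raddb/sites-enabled/default, authorize section (fragment) ---
authorize {
    # ... preprocess, suffix, etc. ...
    ldap                # finds the user and sets control:Ldap-UserDn for the group check
    if (!(Ldap-Group == "radius-users")) {
        reject
    }
    # ... pap / mschap / eap ...
}
```

Enable the module with a symlink from mods-enabled to mods-available/ldap and verify the check with `radiusd -X` against one user inside a nested group and one outside it before putting it in front of production clients.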

Re: Checking Active Directory group membership with winbind

Alan DeKok-2
In reply to this post by AlexJordaan
On Aug 14, 2019, at 2:32 AM, Alex Jordaan <[hidden email]> wrote:
> I am busy setting up a FreeRADIUS system on CentOS 7. I can authenticate
> any AD user but want to authenticate only if the user belongs to a certain AD
> group.

  You should just use the LDAP module.

> I have the repo-provided freeradius, samba and winbind packages installed and
> can't seem to find the winbind module it is referring to.

  Just use the LDAP module.  There are detailed instructions on the Wiki.

  Alan DeKok.
