
I have a couple of FreeRadius 3.0.9 servers which were just put into production on our Meraki network. We want to use user group membership in Active Directory to determine policy to be carried out by Meraki.

There are certain user groups that we care about:

  • Faculty
  • Students
  • Alumni

If they are a member of one of these groups, we want to pass that group name as the filter-id in FreeRadius. How can we do this using Winbind/Samba?

More specifically, how can we avoid using LDAP?

KG6ZVP
  • You don't. You can retrieve additional information using that interface, use LDAP instead. – Arran Cudbard-Bell Oct 28 '15 at 02:16
  • We're specifically trying to avoid LDAP – KG6ZVP Oct 28 '15 at 02:17
  • Here are the docs for ntlm_auth: https://www.samba.org/samba/docs/man/manpages/ntlm_auth.1.html I see no mention of a retrieve group memberships option. You can restrict logins to a particular group, but that's it. Here are the docs for libwbclient: https://www.samba.org/~jerry/src/libwbclient/dox/wbclient_8h.html Again, no way to retrieve the user's group SIDs. If you can find something in libwbclient I'd be happy to do the integration work, but I don't think it exists. – Arran Cudbard-Bell Oct 28 '15 at 02:29
  • https://github.com/samba-team/samba/blob/master/nsswitch/libwbclient/wbclient.h#L1223-L1424 Apparently that source is old. Newer versions do include the necessary functions to extract group info. I can have a look, but you'll need to be using Samba 4.2.1 and building from the v3.1.x branch to take advantage. – Arran Cudbard-Bell Oct 28 '15 at 22:40

0 Answers