When using ntlm_auth
ntlm_auth-helper "/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 --require-membership-of='AD\\GROUP'"
ntlm_auth-helper "/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 --require-membership-of='AD+GROUP'" (Depends on winbind separator param)
User authentication fails.
If --require-membership-of is provided by SID:
ntlm_auth-helper "/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 --require-membership-of='SID'"
then authentication passes.
If testing ntlm_auth from the command line:
ntlm_auth --require-membership-of='SID' --username=USER --password=PASS
ntlm_auth --require-membership-of='AD\\GROUP' --username=USER --password=PASS
both variants pass authentication.
Is there some problem with GROUP NAME to SID translation?
In principle this should work. What program are you calling ntlm_auth from when it's failing?
(In reply to comment #1)
> In principle this should work. What program are you calling ntlm_auth from when
> it's failing?
ppp-2.4.3-14.3.v5 in ClearOS 5.1 (/etc/redhat-release contains string CentOS release 5.4 (Final))
The call is made from the /etc/ppp/options files for the pptpd and xl2tpd daemons, in the authentication phase of connection establishment.
I can confirm that bug; I stumbled across it while setting up RADIUS + ntlm_auth.
The require-membership-of parameter seems to have no effect. It's not failing: even if the user is not a member of the group, ntlm_auth reports success.
The problem also exists in samba 4.1.8.
Same problem in Samba 4.1.14.
This post on the mailing list suggests that this is a 'known' issue that only occurs when Samba is running in AD-DC mode:
So a workaround could be to use a non-DC samba "member server".
In my specific situation, this would mean I would have to set up a separate member server just for this purpose :(
I believe this is fixed in Samba 4.3 with c31c30043bdb0b3736f81c4b391ec96f236bc227, as we removed the AD DC specific winbindd implementation and replaced it with the long-standing implementation used in the member server.
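Because the symptom reported above is a silent one (ntlm_auth answers "success" for a user who is not in the group), the useful check on any build is a two-sided one: a known member must pass and a known non-member must fail. The script below is an added example, not part of this bug report or of Samba; it assumes ntlm_auth exits 0 on success and non-zero on failure (as observed on the command line in the report), and the accounts, passwords and group value in the usage comment are placeholders you substitute with test accounts you control.

```shell
#!/bin/sh
# Added example (not from the bug report or from Samba): check that
# ntlm_auth's --require-membership-of restriction is really enforced.
# Assumptions: NTLM_AUTH names the ntlm_auth binary (overridable via the
# environment) and it exits 0 on success, non-zero on failure.
NTLM_AUTH="${NTLM_AUTH:-/usr/bin/ntlm_auth}"

# ntlm_check GROUP USER PASSWORD -> prints "pass" or "fail"
# GROUP is whatever form you give ntlm_auth (domain\group or a SID).
ntlm_check() {
    if "$NTLM_AUTH" --require-membership-of="$1" \
                    --username="$2" --password="$3" >/dev/null 2>&1; then
        echo pass
    else
        echo fail
    fi
}

# membership_enforced GROUP MEMBER_USER MEMBER_PASS OUTSIDER_USER OUTSIDER_PASS
# Prints "enforced" only when the member passes AND the non-member fails,
# "not-enforced" when both pass (the symptom in this bug), and
# "inconclusive" when the member also fails (fix credentials/winbind first).
membership_enforced() {
    in_result=$(ntlm_check "$1" "$2" "$3")
    out_result=$(ntlm_check "$1" "$4" "$5")
    if [ "$in_result" = pass ] && [ "$out_result" = fail ]; then
        echo enforced
    elif [ "$in_result" = pass ] && [ "$out_result" = pass ]; then
        echo not-enforced
    else
        echo inconclusive
    fi
}

# Usage with placeholder accounts (substitute your own test users):
#   membership_enforced 'AD\\GROUP' member_user 'pw1' outsider_user 'pw2'
#   membership_enforced 'S-1-5-21-0-0-0-1234' member_user 'pw1' outsider_user 'pw2'
```

Run it once with the group given by name and once by SID: on the affected AD DC builds the name form is where the report says the restriction is ignored, so a "not-enforced" result for one form and "enforced" for the other reproduces exactly what the thread describes.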