When using ntlm_auth with

ntlm_auth-helper "/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 --require-membership-of='AD\\GROUP'"

or

ntlm_auth-helper "/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 --require-membership-of='AD+GROUP'"

(depends on the winbind separator param), user authentication fails. If --require-membership-of is provided by SID:

ntlm_auth-helper "/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 --require-membership-of='SID'"

then authentication passes. If I test ntlm_auth from the command line:

ntlm_auth --require-membership-of='SID' --username=USER --password=PASS
ntlm_auth --require-membership-of='AD\\GROUP' --username=USER --password=PASS

both variants pass authentication. Is there some problem with GROUP NAME to SID translation?
In principle this should work. What program are you calling ntlm_auth from when it's failing?
(In reply to comment #1)
> In principle this should work. What program are you calling ntlm_auth from when it's failing?

ppp-2.4.3-14.3.v5 in ClearOS 5.1 (/etc/redhat-release contains the string "CentOS release 5.4 (Final)"). The call is made in the /etc/ppp/options files for the pptpd and xl2tpd daemons, in the authentication phase of connection establishment.
I can confirm that bug; I stumbled over it while setting up RADIUS + ntlm_auth. The require-membership-of parameter seems to have no effect. It's not failing: even if the user is not a member of the group, ntlm_auth reports a success.
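The failure mode described above (a non-member being accepted when --require-membership-of is set) is easy to miss because the positive case still works. The script below is an added example, not part of the bug report, that drives ntlm_auth in the same ntlm-server-1 helper mode the reporter uses and checks a small matrix of users: members must be accepted, non-members must be refused. The line format it speaks ("Username:", "Password:", a lone "." terminator, "Authenticated: Yes|No" in the reply) is my reading of the ntlm-server-1 helper protocol and should be checked against the ntlm_auth man page for your Samba version; the user names, group and SID are placeholders.

```python
#!/usr/bin/env python3
"""Regression check for --require-membership-of enforcement in ntlm_auth.

Added example (not from the bug report).  Runs ntlm_auth in ntlm-server-1
helper mode for a matrix of test users and flags any case where the group
restriction is not enforced.  Protocol line format is assumed; verify it
against the ntlm_auth man page of your Samba version.
"""
import subprocess
from dataclasses import dataclass
from typing import List, Optional

NTLM_AUTH = "/usr/bin/ntlm_auth"  # path used in the bug report


@dataclass
class Case:
    username: str
    password: str
    expect_allowed: bool  # True only for genuine members of the required group


def build_request(username: str, password: str) -> str:
    """One ntlm-server-1 request: attribute lines, then a line with a lone '.'."""
    return f"Username: {username}\nPassword: {password}\n.\n"


def parse_response(text: str) -> Optional[bool]:
    """Return True for 'Authenticated: Yes', False for 'Authenticated: No',
    None if the helper gave no verdict at all (crash, wrong protocol, ...)."""
    for line in text.splitlines():
        if line.startswith("Authenticated:"):
            return line.split(":", 1)[1].strip().lower() == "yes"
    return None


def verdict(case: Case, allowed: Optional[bool]) -> str:
    """Classify one result against the expectation for that user."""
    if allowed is None:
        return "NO-VERDICT"
    if allowed == case.expect_allowed:
        return "OK"
    # A non-member that was accepted is exactly the bug reported here.
    return "NOT-ENFORCED" if allowed else "FALSE-DENY"


def run_case(case: Case, membership: str, timeout: float = 30.0) -> str:
    """Spawn ntlm_auth once in helper mode and classify its answer.

    The password travels over stdin, not argv, so it does not show up in
    the process list."""
    proc = subprocess.run(
        [NTLM_AUTH, "--helper-protocol=ntlm-server-1",
         f"--require-membership-of={membership}"],
        input=build_request(case.username, case.password),
        capture_output=True, text=True, timeout=timeout,
    )
    return verdict(case, parse_response(proc.stdout))


def check_all(cases: List[Case], membership: str) -> dict:
    """Run the whole matrix; anything other than OK means the restriction
    cannot be trusted for this membership spelling (group name or SID)."""
    return {c.username: run_case(c, membership) for c in cases}


if __name__ == "__main__":
    # Placeholder accounts and group; replace with real test users.
    matrix = [
        Case("member_user", "MemberPass", expect_allowed=True),
        Case("outsider_user", "OutsiderPass", expect_allowed=False),
    ]
    for spelling in ("AD\\GROUP", "S-1-5-21-PLACEHOLDER-GROUP-RID"):
        print(spelling, check_all(matrix, spelling))
```

Run it once with the group spelled by name and once with the SID (which `wbinfo -n 'AD\GROUP'` prints for the name); a NOT-ENFORCED result for the non-member under either spelling reproduces the behaviour reported here, and a FALSE-DENY for the member under the name-only spelling matches the original report about name-to-SID translation.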
The problem also exists in samba 4.1.8.
Same problem in Samba 4.1.14.
This post on the mailing list suggests that this is a 'known' issue that only occurs when Samba is running in AD-DC mode: https://lists.samba.org/archive/samba/2014-June/182632.html So a workaround could be to use a non-DC Samba "member server". In my specific situation, this would mean I would have to set up a separate member server just for this purpose :(
I believe this is fixed in Samba 4.3 with c31c30043bdb0b3736f81c4b391ec96f236bc227, as we removed the AD DC specific winbindd implementation and replaced it with the long-standing implementation used in the member server.