Hi,

On Mon, 20 Feb 2017 11:38:19 +0100
Patrick Wildt <patr...@blueri.se> wrote:
> when using RADIUS, the NT domains should not be stripped from the
> username.

I suppose it depends on the use-case.

npppd.conf(5) mentions that "strip-nt-domain" is "yes" by default, and
adding "strip-nt-domain no" in the "authentication <NAME> type radius"
section of npppd.conf should be able to change that behavior.

  authentication RADIUS type radius {
          strip-nt-domain no
          authentication-server {
                  :

Doesn't this help?

> When a base object is instantiated based on an auth object,
> the "strip_nt_domain" variable is always enforced to zero in case of
> using RADIUS.  The auth object itself though has it set to one by
> default.
> 
> Now on configuration reload in npppd_auth_reload(), the value is copied
> from the corresponding auth object to the base object.
> 
>       base->strip_nt_domain = auth->strip_nt_domain;
> 
> Unfortunately in the case of RADIUS, this means that the RADIUS base
> object gets overridden.  So in that case reset it to zero like it's
> done in npppd_auth_create().

Thank you for pointing this out.

Code in npppd_auth.c seems to be misleading.  I'd like to make it
clear that the default values always come from the configuration like
below.

diff --git a/usr.sbin/npppd/npppd/npppd_auth.c 
b/usr.sbin/npppd/npppd/npppd_auth.c
index 101f8cc..11943c2 100644
--- a/usr.sbin/npppd/npppd/npppd_auth.c
+++ b/usr.sbin/npppd/npppd/npppd_auth.c
@@ -75,8 +75,6 @@ npppd_auth_create(int auth_type, const char *name, void 
*_npppd)
        case NPPPD_AUTH_TYPE_LOCAL:
                if ((base = calloc(1, sizeof(npppd_auth_local))) != NULL) {
                        base->type = NPPPD_AUTH_TYPE_LOCAL;
-                       base->strip_nt_domain = 1;
-                       base->strip_atmark_realm = 0;
                        strlcpy(base->name, name, sizeof(base->name));
                        base->npppd = _npppd;
 
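Review bot: In the NPPPD_AUTH_TYPE_LOCAL case, dropping the two explicit assignments leaves base->strip_nt_domain at 0 after the calloc() until configuration is applied, where it used to be 1. Please confirm that every path which creates a local auth object runs the configuration copy (the "base->strip_nt_domain = auth->strip_nt_domain;" assignment in npppd_auth_reload()) before the object is used to authenticate anyone. Otherwise a login arriving in that window would be matched against the local user database with its NT domain prefix still attached. A short comment at the calloc() saying that the strip_* defaults come from the parsed configuration would keep a later reader from re-adding the initialisers.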
@@ -89,7 +87,6 @@ npppd_auth_create(int auth_type, const char *name, void 
*_npppd)
                if ((base = calloc(1, sizeof(npppd_auth_radius))) != NULL) {
                        npppd_auth_radius *_this = (npppd_auth_radius *)base;
                        base->type = NPPPD_AUTH_TYPE_RADIUS;
-                       base->strip_nt_domain = 0;
                        strlcpy(base->name, name, sizeof(base->name));
                        base->npppd = _npppd;
                        if ((_this->rad_auth_setting =
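Review bot: In the NPPPD_AUTH_TYPE_RADIUS case, removing "base->strip_nt_domain = 0;" changes nothing at creation time, because calloc() already zeroes the field, so the behaviour reported in the original mail (the reload copying the auth object's default of one over the RADIUS base object) is unchanged by this hunk. If the intent is that RADIUS follows the configured default of "yes" unless "strip-nt-domain no" is set, the commit message and npppd.conf(5) should say so explicitly for "type radius", since the RADIUS server then receives the username without its NT domain and cannot tell apart accounts of the same name in different domains. If the intent is instead that RADIUS defaults to not stripping, the default needs to be set per authentication type where the configuration is parsed, and that change is missing from this diff.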

