
Re: [Samba] ADUC missing msNPAllowDialin and need vpn advice for ad setup.




On Thu, 14 Dec 2017 11:09:52 +0100
"L.P.H. van Belle via samba" <samba@xxxxxxxxxxxxxxx> wrote:

> Hai, 
>  
> I'm reading:
> https://wiki.samba.org/index.php/VPN_Single_SignOn_with_Samba_AD
>  
> I wanted to use the "msNPAllowDialin" in the ADUC tab "Dial-in", but I
> noticed this one was gone / I was missing this one:
> https://wiki.samba.org/images/8/88/MsNPAllowDialin.jpg Admin PC:
> Windows 7 64-bit, Samba 4.7.3 AD. Reinstalled it with the needed
> DLLs from a Win2008R2.
> Now my Dial-in tab is shown in ADUC, but when I try to open it I get an
> error. I had a look in the AD with my AD browser and I see I'm missing,
> for example, msNPAllowDialin in the AD, and possibly more.
> 
>  
> So my question: how can I add all needed properties back into the AD,
> like the msNPAllowDialin? Does Samba have anything that can sort of
> restore these? samba-tool dbcheck and --cross-nc show 0 errors. Or
> should I import the RADIUS schema and use that?
> The result I'm going for is a strongSwan server with user auth
> from AD/LDAP, with or without RADIUS. The VPN is already up and tested
> with EAP-MSCHAPv2, with plain-text usernames/passwords, and I'm reading
> now into the LDAP part. So if anyone has some tips, that would be
> great.
>  
> Greetz, 
>  
> Louis
>  
>  

Hi Louis, 

The 'msNPAllowDialin' is a standard AD attribute:

cn: msNPAllowDialin
ldapDisplayName: msNPAllowDialin
attributeId: 1.2.840.113556.1.4.1119
attributeSyntax: 2.5.5.8
omSyntax: 1
isSingleValued: TRUE
schemaIdGuid: db0c9085-c1f2-11d1-bbc5-0080c76670c0
systemOnly: FALSE
searchFlags: fCOPY
attributeSecurityGuid: 037088f8-0ae1-11d2-b422-00a0c968f939
systemFlags: FLAG_SCHEMA_BASE_OBJECT

If you look here:

https://msdn.microsoft.com/en-us/library/ms678093(v=vs.85).aspx

it says:

Do not modify this value directly.

But I also found this:

http://www.wisesoft.co.uk/scripts/vbscript_write_msnpallowdialin_attribute.aspx

From which, it seems that if you don't have the attribute, you 'Control
access through remote access policy'.
If you have the attribute, it can only be set to 'TRUE' or 'FALSE'.

Rowland

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
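As an added example (not from this thread or from Samba itself), a small Python script that takes ldbsearch-style LDIF and applies the two points Rowland makes: it checks that a schema entry matches the msNPAllowDialin definition quoted above, and classifies each user as controlled by remote access policy (attribute absent), allowed (TRUE) or denied (FALSE). The LDIF below is constructed; the domain, DNs and user names are assumptions.

```python
# Schema values quoted in the thread, used to sanity-check the schema entry.
EXPECTED_SCHEMA = {"ldapDisplayName": "msNPAllowDialin",
                   "attributeId": "1.2.840.113556.1.4.1119",
                   "attributeSyntax": "2.5.5.8", "isSingleValued": "TRUE"}

# Constructed LDIF shaped like ldbsearch output; the DNs and users are made up.
SAMPLE_LDIF = """\
dn: CN=ms-NP-Allow-Dialin,CN=Schema,CN=Configuration,DC=example,DC=com
ldapDisplayName: msNPAllowDialin
attributeId: 1.2.840.113556.1.4.1119
attributeSyntax: 2.5.5.8
isSingleValued: TRUE

dn: CN=alice,CN=Users,DC=example,DC=com
sAMAccountName: alice
msNPAllowDialin: TRUE

dn: CN=bob,CN=Users,DC=example,DC=com
sAMAccountName: bob
msNPAllowDialin: FALSE

dn: CN=carol,CN=Users,DC=example,DC=com
sAMAccountName: carol
"""

def parse_ldif(text):
    """Split LDIF into records: dict of attribute -> list of values."""
    records, current = [], {}
    for line in text.splitlines() + [""]:       # trailing "" flushes the last record
        if line.strip():
            key, _, value = line.partition(":")
            current.setdefault(key.strip(), []).append(value.lstrip(": ").strip())
        elif current:                           # blank line ends a record
            records.append(current)
            current = {}
    return records

def schema_ok(records):
    """True if a schema entry matching the quoted msNPAllowDialin definition exists."""
    hits = [r for r in records if r.get("ldapDisplayName") == ["msNPAllowDialin"]]
    return bool(hits) and all(hits[0].get(k) == [v] for k, v in EXPECTED_SCHEMA.items())

def dialin_status(record):
    """Absent -> 'policy' (control via remote access policy); else strictly TRUE/FALSE."""
    values = record.get("msNPAllowDialin")
    if values is None:
        return "policy"
    if len(values) != 1 or values[0].upper() not in ("TRUE", "FALSE"):
        raise ValueError(f"msNPAllowDialin must be a single TRUE/FALSE value, got {values}")
    return "allow" if values[0].upper() == "TRUE" else "deny"
```

Feed parse_ldif() the output of an ldbsearch against the schema partition and the users container; any value other than a single TRUE/FALSE raises, which is how a half-restored attribute shows up.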