Winbind Module
The winbind module authenticates PAP passwords against Microsoft Active Directory or Samba, via the winbind API.
This module is for PAP authentication (where plaintext passwords are sent in the User-Password attribute) only. For authenticating mschap requests against AD/Samba see the options available in the rlm_mschap module.
Samba version 4.2.1 or higher is required to use this module.
Configuration Settings
- username
-
The username to pass to winbind for authentication.
- domain
-
The Windows domain.
While not required to be set, it is likely that authentication will fail if it is not set correctly.
Like the username above, this configuration option is expanded before use.
If unset, winbind will be queried for the correct value. If you actually want it blank, it should be explicitly set here.
- group { … }
-
Group membership checking.
Groups can be checked via the expansion %winbind.group(<name>).
- search_username
-
AD username to search for group searches.
This should generally not include a realm, so Stripped-User-Name is likely the best attribute if it exists.
- add_domain
-
Include the domain in group searches.
When this is enabled, winbind_domain is prepended to the username (as domain\username) before searching. This is generally required.
Reusable connection handles are allocated in blocks. These parameters allow for tuning how that is done.
- min
-
The minimum number of connection handles to keep allocated.
- max
-
The maximum number of reusable connection handles to allocate.
- cleanup_interval
-
How often to free unused connection handles.