[Pkg-freeradius-maintainers] Bug#797181: freeradius: packaging 3.0.x
Markus Wigge
markus at cultcom.de
Wed Oct 26 08:24:52 UTC 2016
Hi,
first of all: thanks for your great work.
Now the feedback:
I built the freeradius 3.0.12 packages for jessie on my own based on
your experimental sources.
Overall that worked fine, but I needed the debhelper bpo-version.
The configuration looks unfamiliar, but that is, I suppose, normal for a
major release change and it is well documented upstream.
What I am still urgently missing is a working reference documentation on
how to use ntlm_auth with freeradius.
The samba folks changed the winbindd_privileged socket to 750 so
changing the group on the folder does not change a lot as the group is
not allowed to write to the socket.
My current solution is an additional sudoers entry like this:
~# cat /etc/sudoers.d/freerad
# allow freeradius to access private winbind socket
freerad ALL=(root) NOPASSWD: /usr/bin/ntlm_auth
And then I prepend "sudo" within the mschap module to the ntlm call.
Tell me if you prefer other solutions like SUID/SGID bits or something.
Changing the socket permissions does not work as they are restored on a
winbindd restart.
But freeradius is not the only software depending on ntlm_auth, so this
should be documented somewhere popular.
The LDAP-Group problems I encountered using 2.x releases are gone so
far, so that I need to stick with 3.x for production use.
So from my point: thumbs up for 3.x packages. Please try to get them into
the official jessie-backports, I'd be glad.
Regards,
Markus
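
Added example, not part of the message above or of the Debian packaging: a small shell check of the group permission bits on the winbindd_privileged directory and its socket, the permissions the message discusses. The function names and the choice to pass both paths as arguments are assumptions of this example; it relies on GNU stat and on the Linux rule that connecting to a Unix socket needs write permission on the socket and search permission on its directory.

```shell
#!/bin/sh
# Added example (hypothetical helper names). Inspects only the *group* class
# of the mode bits; it does not check who is a member of the owning group.

# group_bits PATH -> prints the group permission digit (0-7) of PATH's mode
group_bits() {
    mode=$(stat -c '%a' "$1") || return 1
    # drop a setuid/setgid/sticky digit if present, pad to three digits
    mode=$(printf '%03d' "$((mode % 1000))")
    printf '%s\n' "$mode" | cut -c2
}

# group_can PATH PERM -> exit 0 if the group class has PERM (r, w or x)
group_can() {
    bits=$(group_bits "$1") || return 2
    case $2 in
        r) mask=4 ;;
        w) mask=2 ;;
        x) mask=1 ;;
        *) return 2 ;;
    esac
    [ $((bits & mask)) -ne 0 ]
}

# check_access DIR SOCKET -> prints a verdict; exit 0 only if a group member
# could both reach the socket (x on DIR) and connect to it (w on SOCKET)
check_access() {
    dir=$1
    sock=$2
    if ! group_can "$dir" x; then
        echo "group cannot enter $dir (mode $(stat -c '%a' "$dir"))"
        return 1
    fi
    if ! group_can "$sock" w; then
        echo "group cannot write to $sock (mode $(stat -c '%a' "$sock"))"
        return 1
    fi
    echo "group can connect via $sock"
}

# Stand-alone use: pass the directory and the socket path as two arguments.
if [ $# -eq 2 ]; then
    check_access "$1" "$2"
fi
```

Run it as root with the winbindd_privileged directory and the socket inside it as arguments, before and after a winbindd restart, to see whether a permission change survived.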