David Disseldorp changed bug 912714
What  | Removed | Added
CC    |         | ddiss@suse.com, fabian@ritter-vogt.de
Flags |         | needinfo?(fabian@ritter-vogt.de)

Comment # 1 on bug 912714 from
Thanks for the report Fabian.

The FreeRADIUS AD integration guide at
http://wiki.freeradius.org/guide/FreeRADIUS-Active-Directory-Integration-HOWTO
outlines how to provide radiusd access to the winbindd_privileged directory:

===
When called by radiusd (thus directly setting the challenge value) the
ntlm_auth program needs permission to access winbindd's winbindd_privileged
directory (somewhere under /var). Read access will usually be sufficient.

The radiusd.conf file sets the uid and gid your radiusd process will run as (by
the user and group directives, respectively). The ntlm_auth process will have
the same identity. If your filesystem containing the winbindd_privileged
directory supports POSIX ACLs, you can safely grant ntlm_auth the necessary
permissions, in case your distribution's default settings were insufficient. If
radiusd runs as the user radiusd for example, then you should use setfacl the
following way

setfacl -m u:radiusd:rx winbindd_privileged
===

Does this allow you to use ntlm_auth under FreeRADIUS without setuid?
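
A way to check the result of the setfacl step quoted above, as an added example that is not part of the bug comment or the FreeRADIUS guide: it computes the effective rights of the named-user entry (entry AND mask) from `getfacl` text and tests whether a file is setuid. The function names and the two sample ACL listings are constructed for illustration.

```shell
#!/bin/sh
# Added example; helper names and sample ACL text are constructed.

# Print the effective rwx triple for named user $1 from `getfacl` text on
# stdin. Effective rights = named-user entry AND mask. Exit 1 if no entry.
effective_perms() {
    awk -F: -v u="$1" '
        { sub(/[ \t]*#.*/, "") }            # drop header and #effective comments
        $1 == "user" && $2 == u { entry = $3 }
        $1 == "mask"            { mask = $3 }
        END {
            if (entry == "") exit 1
            if (mask == "") mask = "rwx"    # no mask entry: nothing is filtered
            out = ""
            for (i = 1; i <= 3; i++) {
                c = substr(entry, i, 1)
                out = out ((c != "-" && substr(mask, i, 1) == c) ? c : "-")
            }
            print out
        }'
}

# Succeed only if the named user effectively holds both read and search (rx).
has_rx() {
    p=$(effective_perms "$1") || return 1
    case $p in r?x) return 0 ;; *) return 1 ;; esac
}

# Succeed if file $1 carries the setuid bit.
is_setuid() { [ -u "$1" ]; }

# Constructed sample: ACL right after `setfacl -m u:radiusd:rx winbindd_privileged`.
ACL_OK='# file: winbindd_privileged
user::rwx
user:radiusd:r-x
group::r-x
mask::r-x
other::---'

# Constructed sample: same entry, but a later chmod narrowed the mask to r--.
ACL_MASKED='# file: winbindd_privileged
user::rwx
user:radiusd:r-x        #effective:r--
group::r-x              #effective:r--
mask::r--
other::---'
```

On a live system, pipe the output of `getfacl` for the winbindd_privileged directory into `has_rx radiusd`, and run `is_setuid` on the installed ntlm_auth binary to confirm the setuid bit is no longer set.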

