New to freeradius & samba - and first post here. Rather long post so to cut to the heart of the question:

Can freeradius be configured to authenticate users against an AD Forest (multi-domain) using universal principal name (UPN) and if so...how?

I'm posting here because our only need for samba is freeradius integration to AD - but if I need to go to the Samba community just let me know.

The ultimate goal is to have the majority of remote access users authenticate using their universal principal names (UPN) from AD. The path of that authentication however is not direct.

RA Appliance --> Freeradius (Proxy) --> Freeradius --> AD

There are some instances where we need users to authenticate from a repository other than AD, so Freeradius has been configured against both MySQL (primarily to hold NAS information & accounting info, but could potentially host users) and Openldap. The MySQL & Openldap configs are working just fine.

We don't really care if we use Samba - integration via LDAP would be fine, but it appears that there is an issue with sending the password in the clear if LDAP is used. If this is inaccurate please let me know.

Everything "appears" configured correctly. In fact authentication using the "exec ntlm_auth" configuration referenced in http://deployingradius.com/documents/configuration/active_directory.html works if the username and domain are specified. Once we tried to use the UPN (without domain name) it does not.

Going back to the command line for ntlm_auth tests resulted in the following.

Using a user account found in DEPT1.COMPANY.NET child domain:
  ntlm_auth --username=user                  WORKS
  ntlm_auth --username=user --domain=DEPT1   WORKS
  ntlm_auth [email protected]                 DOES NOT WORK

Using a user account found in DEPT2.COMPANY.NET child domain:
  ntlm_auth --username=user                  DOES NOT WORK
  ntlm_auth --username=user --domain=DEPT2   WORKS
  ntlm_auth [email protected]                 DOES NOT WORK

All of the DOES NOT WORK result in the same error:
  NT_STATUS_NO_SUCH_USER: No such user (0xc0000064)

tcpdumps of the ntlm_auth traffic validate that all requests are being sent to one of the domain controllers within DEPT1.COMPANY.NET.

The internal freeradius host is in the child domain DEPT1.COMPANY.NET based on policy. If moving the server to COMPANY.NET is required that could be considered, however preference is to leave it in DEPT1.COMPANY.NET.

Linux Host
  RHEL 5.2
  Freeradius 2.1.6
  Samba 3.3.4

Active Directory
  Multi-Domain Model
  Native Mode Win2003
  Root Domain  - company.net
  Child Domain - dept1.company.net
  Child Domain - dept2.company.net
  ..
  Child Domain - dept9.company.net

For the sake of testing we are currently only configured for the root, child domains dept1 and dept2.

We do not have admin_server entries because all of the examples reference port 749 which is not running on any of the domain controllers or global catalogs.

I am including sanitized copies of the krb5.conf and smb.conf because they seem pertinent to the question. If any of the freeradius config files, nsswitch or some other information is needed just let me know.

Thanks
Adam

krb5.conf
---------------------------------
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = DEPT1.COMPANY.NET
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 COMPANY.NET = {
  kdc = gc01.company.net:88
  kdc = gc02.company.net:88
  kdc = gc03.company.net:88
 }
 DEPT1.COMPANY.NET = {
  kdc = dept1-dc01.dept1.company.net:88
  kdc = dept1-dc02.dept1.company.net:88
  kdc = dept1-dc03.dept1.company.net:88
 }
 DEPT2.COMPANY.NET = {
  kdc = dept2-dc01.dept2.company.net:88
  kdc = dept2-dc02.dept2.company.net:88
  kdc = dept3-gc01.dept2.company.net:88
 }

[domain_realm]
 .company.net = COMPANY.NET
 .dept1.company.net = DEPT1.COMPANY.NET
 .dept2.company.net = DEPT2.COMPANY.NET

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }

smb.conf
--------------------------------------
[global]
 workgroup = DEPT1
 netbios name = AAA-Server
 realm = DEPT1.COMPANY.NET
 security = ADS
 template shell = /bin/bash
 idmap uid = 500-10000000
 idmap gid = 500-10000000
 winbind nested groups = Yes
 winbind enum users = yes
 winbind enum groups = yes
 server string = AAA

[homes]
 comment = Home Directories
 browseable = no
 writable = yes
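The post's own command-line results show that ntlm_auth succeeds whenever the user and the NetBIOS domain are passed separately (--username=user --domain=DEPT2) and fails when the UPN is passed as a single string. One way to work with that behaviour, before ntlm_auth is ever called, is to split the UPN into its user part and its suffix and look the suffix up in a table of the forest's domains. The shell function below is an added example written for this thread; it is not code from the original post, nor from FreeRADIUS or Samba. It assumes that each UPN suffix equals the DNS name of the child domain (AD also allows alternate UPN suffixes, which would need their own table entries), that DEPT1 and DEPT2 are the NetBIOS names of dept1.company.net and dept2.company.net (as the post's smb.conf and test commands suggest), and that a bare username belongs to the host's own domain, DEPT1. It only builds the argument string; it does not run ntlm_auth itself, and an unknown suffix is rejected rather than silently sent to the wrong domain.

```shell
#!/bin/sh
# Added example for this thread, not the original poster's code and not part
# of FreeRADIUS or Samba. Builds "--username=... --domain=..." for ntlm_auth
# from a UPN such as user@dept2.company.net. The suffix-to-NetBIOS table and
# the default domain are assumptions taken from the post's configuration.

DEFAULT_DOMAIN=DEPT1   # workgroup of the host itself (smb.conf in the post)

# Map a DNS domain suffix (case-insensitive) to its NetBIOS domain name.
# Only the two child domains named in the post are listed; anything else
# is treated as unknown so the request is not sent to the wrong domain.
suffix_to_netbios() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        dept1.company.net) echo DEPT1 ;;
        dept2.company.net) echo DEPT2 ;;
        *) return 1 ;;
    esac
}

# Turn "user@dept2.company.net" (or a bare "user") into
# "--username=user --domain=DEPT2". Returns non-zero on an unknown suffix.
upn_to_ntlm_args() {
    upn=$1
    case "$upn" in
        *@*)
            user=${upn%%@*}
            suffix=${upn#*@}
            domain=$(suffix_to_netbios "$suffix") || return 1
            ;;
        *)
            user=$upn
            domain=$DEFAULT_DOMAIN
            ;;
    esac
    printf '%s %s\n' "--username=$user" "--domain=$domain"
}

# Dry-run usage:
#   upn_to_ntlm_args user@dept2.company.net
# prints: --username=user --domain=DEPT2
# A real check would then be run as, for example:
#   ntlm_auth $(upn_to_ntlm_args "$1") --request-nt-key
```

Because winbind resolves a user relative to the domain it is asked about, keeping the lookup table explicit (rather than guessing from the string) also makes it obvious in the logs which domain controller a failed request was directed at, which is the same question the poster was answering with tcpdump.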

