Hi Adam,

I've been experimenting with something very similar recently...

ntlm_auth can handle authentication in one of the following ways:

1. --username = "NetBIOS Domain Name"\"Username", no --domain parameter specified
2. --username = "Username", --domain = "NetBIOS Domain Name"
3. --username = "Username", --domain = "FQDN of domain"

In your case, the problem is it doesn't know which actual domain the user is in, based on the UPN. So, my thoughts are you've got two options:

1. Make the users log in using a principal of usern...@fqdn, so [email protected] and use some logic to "split" the username into the two sections using the @ as a delimiter. Maybe attr_rewrite module would be good for this.
2. Configure some form of way to look up the user's "real" domain from AD (probably via LDAP, or maybe there's a samba related tool for this?) and then pass that to ntlm_auth, either in the newer FQDN style, or the legacy NetBIOS style.

Unfortunately, I'm not too hot on the various logic options available in FR, as I'm only really just starting playing in Unlang. Hopefully someone else will be able to help with providing a working logic config, once you've decided which method best suits your requirements.

Cheers,
Rupert
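A sketch of the "split on @" logic from option 1, covering the three ntlm_auth input forms listed above. This is an added example, not part of the original post and not FreeRADIUS code. The function names, the binary path, the reject list and the sample identities are assumptions made for illustration; the command is only built as an argument list, never executed.

```python
import re

# Conservative reject list (an assumption for this example): control
# characters and punctuation that should never reach the helper's arguments.
_BAD = re.compile(r'[\x00-\x1f"/\[\]:;|=,+*?<>]')


def split_identity(identity, default_domain=None):
    """Return (username, domain) from DOMAIN\\user, user@fqdn or a bare user."""
    has_bs = "\\" in identity
    has_at = "@" in identity
    if has_bs and has_at:
        raise ValueError("ambiguous identity: both '\\' and '@' present")
    if has_bs:
        # Form 1: NetBIOS domain prefix
        domain, _, user = identity.partition("\\")
    elif has_at:
        # UPN-style principal: split on the last '@'
        user, _, domain = identity.rpartition("@")
    else:
        # Bare username: domain must come from configuration or a lookup
        user, domain = identity, default_domain
    if not user or ((has_bs or has_at) and not domain):
        raise ValueError("empty username or domain")
    for part in (user, domain or ""):
        # A leftover separator means more than one '\' or '@' was supplied
        if _BAD.search(part) or "\\" in part or "@" in part:
            raise ValueError("illegal character in identity")
    return user, domain


def ntlm_auth_args(identity, default_domain=None,
                   binary="/usr/bin/ntlm_auth"):  # path is an assumption
    """Build an argv list (no shell involved) for forms 2 and 3 above."""
    user, domain = split_identity(identity, default_domain)
    # "--opt=value" keeps a value that starts with '-' from being read
    # as a separate option by the helper.
    argv = [binary, "--username=" + user]
    if domain:
        argv.append("--domain=" + domain)
    return argv


if __name__ == "__main__":
    # Constructed sample identities
    for ident in ("CORP\\jdoe", "jdoe@corp.example.com", "jdoe"):
        print(ntlm_auth_args(ident, default_domain="CORP"))
```
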

