[email protected] wrote:
> Can freeradius be configured to authenticate users against an AD Forest 
> (multi-domain) using universal principal name (UPN) and if so...how?

  Maybe FreeRADIUS needs to change to use Samba better, but anything
related to AD forest, etc. is really a Samba issue.

> We don't really care if we use Samba - integration via LDAP would be fine, 
> but it appears that there is an issue with sending the password in the clear 
> if LDAP is used. If this is inaccurate please let me know.

  It's correct.  Active Directory does NOT return the password via LDAP
queries.

> Everything "appears" configured correctly.  In fact authentication using the 
> "exec ntlm_auth" configuration referenced in 
> http://deployingradius.com/documents/configuration/active_directory.html 
> works if the username and domain are specified.  Once we tried to use the UPN 
> (without domain name) it does not.  Going back to the command line for 
> ntlm_auth tests resulted in the following.

  That's... frustrating.  I'd suggest asking ntlm_auth questions on the
Samba list.  There's little we can do to help with that.

> Using a user account found in DEPT1.COMPANY.NET child domain
> 
> ntlm_auth --username=user                  WORKS
> ntlm_auth --username=user --domain=DEPT1   WORKS
> ntlm_auth [email protected]      DOES NOT WORK
> 
> Using a user account found in DEPT2.COMPANY.NET child domain
> 
> ntlm_auth --username=user                  DOES NOT WORK
> ntlm_auth --username=user --domain=DEPT2   WORKS
> ntlm_auth [email protected]      DOES NOT WORK

  It's possible to configure FreeRADIUS to use the "correct" options to
ntlm_auth so that it magically works.  But that's a pain to manage.  It
would be nice if Samba and/or Active Directory just did the right thing.

  Barring fixes from Samba and (yeah, right) Microsoft, the simplest
thing is to configure FreeRADIUS with the magical command-line options
for ntlm_auth so that it works.  You will need to write rules for each
domain...

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
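One way to write the per-domain rules the reply describes, as an added example (not Alan's configuration and not part of the FreeRADIUS project docs). It assumes FreeRADIUS 3.x unlang, the `exec` module style from the deployingradius page, a PAP request carrying `User-Password`, the `ntlm_auth` path `/usr/bin/ntlm_auth`, the NetBIOS names DEPT1/DEPT2 and DNS suffix `company.net` from the thread, and made-up module names `ntlm_auth_dept1`/`ntlm_auth_dept2`. The point is that the UPN is split by the server, the NetBIOS `--domain` that ntlm_auth was shown to need is chosen by a fixed rule rather than taken from the client, and the password only ever goes to the local winbind socket, never over LDAP.

```unlang
# mods-available/ntlm_auth_domains  (added example; paths and names are assumptions)
# One exec instance per child domain, each pinning the --domain that
# ntlm_auth needs.  Stripped-User-Name is filled in by the authorize rules below.
exec ntlm_auth_dept1 {
    wait = yes
    program = "/usr/bin/ntlm_auth --request-nt-key --domain=DEPT1 --username=%{Stripped-User-Name} --password=%{User-Password}"
}
exec ntlm_auth_dept2 {
    wait = yes
    program = "/usr/bin/ntlm_auth --request-nt-key --domain=DEPT2 --username=%{Stripped-User-Name} --password=%{User-Password}"
}

# sites-enabled/default  (only the relevant parts shown)
authorize {
    # Match the UPN suffix against a fixed, anchored pattern per domain so the
    # client cannot steer the request to an arbitrary domain.  %{1} is the
    # part before the "@".
    if (User-Name =~ /^([^@]+)@dept1\.company\.net$/i) {
        update request {
            Stripped-User-Name := "%{1}"
        }
        update control {
            Auth-Type := ntlm_auth_dept1
        }
    }
    elsif (User-Name =~ /^([^@]+)@dept2\.company\.net$/i) {
        update request {
            Stripped-User-Name := "%{1}"
        }
        update control {
            Auth-Type := ntlm_auth_dept2
        }
    }
    else {
        # Unknown or missing suffix: reject instead of guessing a domain.
        reject
    }
}

authenticate {
    Auth-Type ntlm_auth_dept1 {
        ntlm_auth_dept1
    }
    Auth-Type ntlm_auth_dept2 {
        ntlm_auth_dept2
    }
}
```

Test each rule with `radtest [email protected] 'password' 127.0.0.1 0 testing123` (a constructed command line) while running `radiusd -X`; the debug output shows which `Auth-Type` was selected and the exact ntlm_auth command executed. This exec form only works for requests that carry a cleartext `User-Password`; for PEAP/MSCHAPv2 the same `--domain=` pinning belongs in the `mschap` module's `ntlm_auth` setting instead, where the password is never present and ntlm_auth is given the challenge and NT response.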
