[email protected] wrote:
> Can freeradius be configured to authenticate users against an AD Forest
> (multi-domain) using universal principal name (UPN) and if so...how?

Maybe FreeRADIUS needs to change to use Samba better, but anything related to AD forest, etc. is really a Samba issue.

> We don't really care if we use Samba - integration via LDAP would be fine,
> but it appears that there is an issue with sending the password in the clear
> if LDAP is used. If this is inaccurate please let me know.

It's correct. Active Directory does NOT return the password via LDAP queries.

> Everything "appears" configured correctly. In fact authentication using the
> "exec ntlm_auth" configuration referenced in
> http://deployingradius.com/documents/configuration/active_directory.html
> works if the username and domain are specified. Once we tried to use the UPN
> (without domain name) it does not. Going back to the command line for
> ntlm_auth tests resulted in the following.

That's... frustrating. I'd suggest asking ntlm_auth questions on the Samba list. There's little we can do to help with that.

> Using a user account found in DEPT1.COMPANY.NET child domain
>
> ntlm_auth --username=user WORKS
> ntlm_auth --username=user --domain=DEPT1 WORKS
> ntlm_auth [email protected] DOES NOT WORK
>
> Using a user account found in DEPT2.COMPANY.NET child domain
>
> ntlm_auth --username=user DOES NOT WORK
> ntlm_auth --username=user --domain=DEPT2 WORKS
> ntlm_auth [email protected] DOES NOT WORK

It's possible to configure FreeRADIUS to use the "correct" options to ntlm_auth so that it magically works. But that's a pain to manage. It would be nice if Samba and/or Active Directory just did the right thing.

Barring fixes from Samba and (yeah, right) Microsoft, the simplest thing is to configure FreeRADIUS with the magical command-line options for ntlm_auth so that it works. You will need to write rules for each domain...

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
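One way to implement the "rules for each domain" the reply ends on, as an added example that is not part of the thread and not FreeRADIUS or Samba code: a small POSIX sh wrapper that FreeRADIUS's exec module can call instead of ntlm_auth directly. It splits a UPN such as user@dept1.company.net into the bare username and NetBIOS domain form that the poster's command-line tests showed working, using an explicit suffix-to-NetBIOS table. The table entries, the function names and the NTLM_AUTH override variable are assumptions made for this example; a real forest's NetBIOS names need not match the first DNS label, so the table must be filled from the forest itself, and an unknown suffix is rejected rather than guessed.

```shell
#!/bin/sh
# Added example, not from the list thread or from the FreeRADIUS/Samba projects.
# Translates a UPN into the --username/--domain arguments ntlm_auth accepted
# in the tests quoted above. Suffix table below is constructed for this example.

# Map a DNS domain suffix (case-insensitive) to its NetBIOS name.
# Assumption: these three entries stand in for the forest's real mapping.
netbios_for_suffix() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        dept1.company.net) printf '%s' 'DEPT1' ;;
        dept2.company.net) printf '%s' 'DEPT2' ;;
        company.net)       printf '%s' 'COMPANY' ;;
        *) return 1 ;;   # unknown suffix: refuse rather than guess a domain
    esac
}

# Turn "user@dept1.company.net" into "--username=user --domain=DEPT1".
# A bare "user" (no @) is passed through so ntlm_auth's default domain applies.
# Returns 1 for an unknown suffix so the caller can reject the request.
upn_to_ntlm_args() {
    upn=$1
    case "$upn" in
        *@*)
            user=${upn%%@*}       # everything before the first @
            suffix=${upn#*@}      # everything after the first @
            dom=$(netbios_for_suffix "$suffix") || return 1
            printf -- '--username=%s --domain=%s' "$user" "$dom"
            ;;
        *)
            printf -- '--username=%s' "$upn"
            ;;
    esac
}

# Wrapper meant to replace the ntlm_auth program path in FreeRADIUS's exec
# module: first argument is the UPN, remaining arguments are passed through
# (e.g. the password option FreeRADIUS already supplies). NTLM_AUTH is a
# hypothetical override so the example runs where Samba is not installed.
ntlm_auth_upn() {
    args=$(upn_to_ntlm_args "$1") || { echo "unknown domain in $1" >&2; return 1; }
    shift
    # shellcheck disable=SC2086  # word-splitting of $args is intended
    "${NTLM_AUTH:-ntlm_auth}" --request-nt-key $args "$@"
}
```

With a script like this installed, the exec module's program line would point at the wrapper and hand it %{User-Name} (plus the password option the existing configuration already passes), so one module serves every child domain listed in the table instead of one module and one unlang rule per domain. --request-nt-key is the option the stock FreeRADIUS ntlm_auth module already uses; it is kept here so MS-CHAP callers still receive the NT key.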

