On 02/03/11 17:11, McNutt, Justin M. wrote:
>> %{mschap:NT-Domain} is not a real variable; it's a dynamic
>> expansion. There's no attribute you can "set", so you'll need to
>> use another attribute (see my other email)
>
> Gotcha. I'm looking into that now (based on your other e-mail).
> That's very likely do-able.
>
> I think it should be a flag - set to the current "NT-style
> guessing" as the default - to maintain backward compatibility and
> ease of removal in case it turns out to be a Very Bad Idea

Indeed.

> What do you think?

I agree. However, as I say - I am pretty sure that long-form won't
work either if you have a disjoint DNS/AD namespace. In that case,
sites are going to have to use locally-defined rules.

> I'm not following what you mean about "disjoint namespace". You mean
> the difference between "UMC-USERS" and "col.missouri.edu"? I think
> of "UMC-USERS" as "NT namespace" whereas I see AD and DNS as the same
> thing, in this case.

Disjoint namespace is the term used if you have DNS names for Windows
Active Directory members which are anything other than:

samaccountname.<AD domain>

So, if you give your hosts DNS hostnames of:

samaccountname.dept.<AD domain>

...this is a disjoint namespace. This is a supported configuration in
principle - AD itself and most of the Microsoft tools work just fine -
but in practice you'll find an awful lot of 3rd party stuff out there
assumes that the AD domain starts at the first "." in the hostname, and
will break if it doesn't.

This makes me sad, since the underlying protocols that AD is built on
(DNS, Kerberos, LDAP) have plenty of mechanisms for doing the mapping
properly. They're just not used.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
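The following is an added illustration, not code from the thread or from FreeRADIUS, of the failure mode described above: the "AD domain starts at the first dot" heuristic that much third-party software uses, compared with an explicit, site-defined mapping of the kind the reply says disjoint-namespace sites will need. All hostnames, domain names and the NetBIOS-to-DNS table are constructed sample values.

```python
"""Disjoint DNS/AD namespace: naive first-dot guessing vs. a site-defined rule.

Added example; the domain names and mapping tables are constructed
sample values, not real infrastructure.
"""
from typing import Dict, Optional, Sequence

# The heuristic many third-party tools apply: drop the host label and call
# the remainder the AD domain. Correct only when every member is named
# samaccountname.<AD domain>.
def guess_ad_domain_first_dot(fqdn: str) -> str:
    host = fqdn.lower().rstrip(".")
    return host.split(".", 1)[1] if "." in host else ""


# A "locally-defined rule": the site lists its AD domains explicitly and the
# resolver picks the longest matching suffix. The list itself is an
# assumption for this example.
AD_DOMAINS: Sequence[str] = ("ad.example.edu",)  # constructed

# Sites that also need the NT-style (NetBIOS) name resolved cannot derive it
# from DNS at all; that too has to be an explicit table.
NETBIOS_TO_DNS: Dict[str, str] = {"EXAMPLE-USERS": "ad.example.edu"}  # constructed


def resolve_ad_domain(fqdn: str,
                      ad_domains: Sequence[str] = AD_DOMAINS) -> Optional[str]:
    """Return the AD domain a host belongs to by longest-suffix match,
    or None if the host is not under any listed AD domain."""
    host = fqdn.lower().rstrip(".")
    matches = [d for d in ad_domains
               if host == d or host.endswith("." + d)]
    return max(matches, key=len) if matches else None


def netbios_to_dns(nt_domain: str,
                   table: Dict[str, str] = NETBIOS_TO_DNS) -> Optional[str]:
    """Map an NT-style domain name (e.g. from DOMAIN\\user) to its DNS name."""
    return table.get(nt_domain.upper())


def classify(fqdn: str, ad_domains: Sequence[str] = AD_DOMAINS) -> dict:
    """Show where the first-dot guess and the explicit rule disagree."""
    naive = guess_ad_domain_first_dot(fqdn)
    actual = resolve_ad_domain(fqdn, ad_domains)
    return {
        "fqdn": fqdn,
        "naive": naive,
        "actual": actual,
        # "disjoint" is True when the host is an AD member but the heuristic
        # would hand a third-party tool the wrong domain.
        "disjoint": actual is not None and naive != actual,
    }


if __name__ == "__main__":
    # Constructed sample hosts: a conventionally named member, a member
    # under a departmental sub-zone (disjoint), and a non-member.
    for name in ("ws01.ad.example.edu",
                 "ws02.dept.ad.example.edu",
                 "ws03.example.edu"):
        print(classify(name))
    print(netbios_to_dns("example-users"))
```

Running the module prints the three classifications; the departmental host is the one flagged as disjoint, because the first-dot guess yields `dept.ad.example.edu` while the site rule resolves it to `ad.example.edu`.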