ntlm_auth authentication against multiple ADS domains

Dow, Corey corey.dow at hp.com
Fri Feb 9 02:37:17 CET 2007


 
Hi All, 

This is more of an ntlm_auth how to than a FreeRADIUS question, but I
thought I would post here since others may have run across this. 

We're trying to use ntlm_auth and FreeRADIUS to authenticate users against
an ADS back-end.  I've found several excellent articles on how to set this
up, and I have it working with a single ADS domain. The problem I've
encountered is performing authentication against multiple ADS domains using
ntlm_auth. 

ADS Parent domain netidm.net
ADS Child domain xyz.abc.com

If I join to abc.com using net ads join, I can use ntlm_auth with no
problems, but how do I perform authentications against xyz.abc.com ? 

I've tried:

ntlm_auth --request-nt-key --DOMAIN=XYZ --username=jdoe

But I get an NT_STATUS_IO_TIMEOUT. 

I'm assuming this is because I'm joined to the Parent domain and not the
child domain, but can't this work by only joining the one domain? 

# Samba Config (smb.conf). The section headers are the standard ones these
# keys belong to; they are assumed, since the pasted text had dropped them.
[global]
   workgroup = ABC
   server string = Samba Server
   security = ads
   load printers = yes
   log file = /usr/local/samba/var/log.%m
   max log size = 50
   realm = ABC.COM
   wins server = 180.44.200.53
   dns proxy = no

[homes]
   comment = Home Directories
   browseable = no
   writable = yes

[printers]
   comment = All Printers
   path = /usr/spool/samba
   browseable = no
   guest ok = no
   writable = no
   printable = yes

# Kerberos Config (krb5.conf). The section headers are the standard ones these
# keys belong to; they are assumed, since the pasted text had dropped them.
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = ABC.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 ABC.COM = {
  kdc = 180.44.200.53:88
  kdc = 180.44.200.54:88
 }
 XYZ.ABC.COM = {
  kdc = 180.44.200.69:88
 }

[domain_realm]
 .abc.com = ABC.COM
 abc.com = ABC.COM
 .xyz.abc.com = XYZ.ABC.COM
 xyz.abc.com = XYZ.ABC.COM

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

Any help greatly appreciated. 

Corey


Corey Dow
Network Solution's Test Center
ProCurve Networking by HP
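An added diagnostic script (not from the original post or from Samba) that walks the checks a member server joined to ABC.COM needs to pass before ntlm_auth can answer for the child domain XYZ, so that NT_STATUS_IO_TIMEOUT can be separated into "winbind does not know the trust" versus "the child DC is unreachable". It assumes winbindd is running and that wbinfo, ntlm_auth and optionally nc are on PATH; the domain names and the KDC address are those from the post, the user name is a placeholder.

```shell
#!/bin/sh
# Added diagnostic helper; assumes a Samba member server joined to ABC.COM
# with winbindd running. XYZ / 180.44.200.69 are taken from the post,
# "jdoe" is a placeholder user.

# Does the text on stdin (expected: output of `wbinfo -m`) list domain $1?
# Whole-line, case-insensitive match, since NetBIOS names are case-insensitive.
trusted_domain_known() {
    grep -qix "$1"
}

# TCP reachability of host $1 port $2 with a 3 s timeout. Returns 2 when nc
# is not installed so the caller can skip rather than misreport a timeout.
port_open() {
    command -v nc >/dev/null 2>&1 || return 2
    nc -z -w 3 "$1" "$2" >/dev/null 2>&1
}

# Checks in order: winbind sees the trust, the trust secret verifies, the
# child's DC answers on the Kerberos and SMB ports, then ntlm_auth itself.
check_child_domain_auth() {
    child=$1; child_dc=$2; user=$3

    if ! wbinfo -m | trusted_domain_known "$child"; then
        echo "winbind does not list $child among trusted domains (wbinfo -m)" >&2
        return 1
    fi
    # -t verifies the machine trust account with the domain we are joined to.
    wbinfo -t >/dev/null || { echo "trust account check failed (wbinfo -t)" >&2; return 1; }

    for port in 88 445; do
        rc=0; port_open "$child_dc" "$port" || rc=$?
        case $rc in
            1) echo "$child_dc:$port not reachable from this host" >&2; return 1 ;;
            2) echo "nc not installed, skipping TCP check of $child_dc" >&2; break ;;
        esac
    done

    # No --password: ntlm_auth prompts for it, so the secret never appears on
    # the command line or in the process list. Exit status 0 means the child
    # DC accepted the credentials over the trust.
    ntlm_auth --request-nt-key --domain="$child" --username="$user"
}

# Invocation for the layout in the post:
# check_child_domain_auth XYZ 180.44.200.69 jdoe
```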