Re: ntlm_auth authentication against multiple ADS domains

Habegger Lukas, ERZ-AZD-AIL lukas.habegger at erz.be.ch
Fri Feb 9 13:28:38 CET 2007


Hi

I don't know exactly what you have to do.

I have implemented something like this.

-------         -------
| RAD |---------| AD1 |
-------         -------
    |           -------
    ------------| AD2 |
                -------

It's done with a perl module over rlm_perl.

The perl module looks at which domain the request is for and starts the
right winbind daemon.
It's not really nice. The problem is that a samba server can only be a
member of one domain.

The samba team said that samba4 would support more than one domain, or
you could change the samba3 code
to support multiple sockets on winbind (I think it was discussed on the
samba mailing list).

If you can build trusts between the domains it's much easier. This
way you can authenticate at a single point.
It should look like this:

-------         -------
| RAD |---------| AD1 |
-------         -------
                   |
                -------
                | AD2 |
                -------

Another way is to proxy the requests to a radius on the samba server. It
looks like this:

-------         -------------
| RAD |---------| RAD - AD1 |
-------         -------------
    |           -------------
    ------------| RAD - AD2 |
                -------------

If you need more info about my implementation, write again.

Lukas
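The per-domain dispatch described in the first setup, as an added illustration (not Lukas's module): an rlm_perl `authenticate` hook that takes the domain from `DOMAIN\user` or `user@domain`, looks up the smb.conf of the Samba instance joined to that domain (the paths and the assumption that `ntlm_auth --configfile` selects that instance's winbindd are hypothetical), and rejects anything with an unknown or missing domain.

```perl
# rlm_perl module: route ntlm_auth to the Samba instance joined to the
# request's domain. Added example, not code from the original post.
use strict;
use warnings;

# FreeRADIUS exports these hashes into the module and expects these codes back.
our (%RAD_REQUEST, %RAD_REPLY);
use constant { RLM_MODULE_REJECT => 0, RLM_MODULE_FAIL => 1, RLM_MODULE_OK => 2 };

# Assumed layout: one smb.conf (and therefore one winbindd) per domain.
my %DOMAIN_CONF = (
    AD1 => '/etc/samba/smb-ad1.conf',   # placeholder paths
    AD2 => '/etc/samba/smb-ad2.conf',
);

# Split "DOMAIN\user" or "user@domain" into (DOMAIN, user); empty list otherwise.
sub split_domain {
    my ($name) = @_;
    return (uc $1, $2) if $name =~ /^([^\\\/]+)[\\\/](.+)$/;
    return (uc $2, $1) if $name =~ /^([^@]+)@([^@]+)$/;
    return;
}

sub authenticate {
    my ($domain, $user) = split_domain($RAD_REQUEST{'User-Name'} // '');
    my $conf = defined $domain ? $DOMAIN_CONF{$domain} : undef;
    unless ($conf) {
        $RAD_REPLY{'Reply-Message'} = 'Unknown or missing domain';
        return RLM_MODULE_REJECT;
    }
    my $pw = $RAD_REQUEST{'User-Password'};
    return RLM_MODULE_REJECT unless defined $pw;

    # List-form open: the arguments never pass through a shell, so a crafted
    # User-Name cannot inject commands. Like FreeRADIUS's exec-based ntlm_auth
    # config, the password is still visible on the ntlm_auth command line.
    my @cmd = ('ntlm_auth', "--configfile=$conf", "--domain=$domain",
               "--username=$user", "--password=$pw");
    open(my $fh, '-|', @cmd) or return RLM_MODULE_FAIL;
    my $out = join '', <$fh>;
    close $fh;
    return $out =~ /NT_STATUS_OK/ ? RLM_MODULE_OK : RLM_MODULE_REJECT;
}
```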





More information about the Freeradius-Users mailing list