Freeradius-Users Digest, Vol 134, Issue 11

Shawn Wilson swilson at acs.on.ca
Mon Jun 6 23:01:15 CEST 2016


Hi Alan, thanks for replying.  I will try to provide some clarification:

>> Then I can pass the domain to the ntlm_auth command by using the "-domain=%{realm}" parameter.  Everything works fine as long as User-Name is in the format <username>@<my.domain.name>.
>> 
>> HOWEVER, the big problem I'm encountering is that we need users to authenticate via alternate UPN suffixes.  It turns out Ntlm_auth will not authenticate against these suffixes, only the actual domain names.
>>
> What does that mean?  "actual domain name" ?

The "actual domain name" is the active directory domain name that was used when the AD domain was originally created.  Microsoft allows you to create "alternate UPN suffixes" which are like aliases for the domain (e.g. like this http://www.tutorialspoint.com/articles/adding-alternate-upn-suffix-to-active-directory-domain).

The ntlm_auth command will not authenticate against alternate Active Directory UPN suffixes.  You must use the original Active Directory domain name.

I realize this is not a freeradius problem but a Samba problem.  Still, I was wondering if there was an elegant way to configure freeradius to work around this limitation.


For the time being, I did a brutal hack to get it to work: 

From /etc/freeradius/modules/mschap:
---- SNIP ----
   # Choose the right AD domain to authenticate against.
   ntlm_auth = "/usr/local/bin/ntlm_auth_UPN %{%{Stripped-User-Name}:-%{%{User-Name}:-None}} %{realm} %{%{mschap:Challenge}:-00} %{%{mschap:NT-Response}:-00}"
---- SNIP ----

Contents of /usr/local/bin/ntlm_auth_UPN:
--------
#!/bin/sh

# This script is a workaround to deal w/ the fact that the ntlm_auth
# command does not authenticate properly using alternate UPN suffixes
# in active directory domains.  It is hardcoded to fix the domain.
#

USERNAME=$1
DOMAIN=$2
CHALLENGE=$3
NT_RESPONSE=$4

# Rewrite the suffix for office employees.
if [ "${DOMAIN}" = "boguscorp.org" ] ; then
    # Set the AD domain we need to login to.
    DOMAIN="office.users.big-ugly-domain.local"
fi

# Rewrite the suffix for students.
if [ "${DOMAIN}" = "bcstudents.org" ] ; then
    # Set the AD domain we need to login to.
    DOMAIN="student.users.big-ugly-domain.local"
fi

# Every argument is quoted so a user name containing whitespace cannot be
# split into extra ntlm_auth options.
exec /usr/bin/ntlm_auth --request-nt-key "--username=${USERNAME}" "--domain=${DOMAIN}" \
    "--challenge=${CHALLENGE}" "--nt-response=${NT_RESPONSE}"
--------
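As an added example (not the poster's script, and not code from the FreeRADIUS or Samba projects), here is a table-driven rewrite of the same wrapper. It reuses the placeholder UPN suffixes and AD domain names from the post, matches suffixes case-insensitively, refuses unknown suffixes and malformed challenge/NT-Response values instead of forwarding them to ntlm_auth, and passes each option as a separately quoted argv entry. NTLM_AUTH_BIN and NTLM_AUTH_DRY_RUN are hypothetical environment knobs added so the mapping can be exercised without a Samba install; the mschap ntlm_auth line from the post calls it unchanged with the same four arguments.

```shell
#!/bin/sh
# Added example, not the original poster's script.  The suffix-to-domain
# entries are placeholders taken from the post; replace them with your own.
# NTLM_AUTH_BIN and NTLM_AUTH_DRY_RUN are hypothetical knobs for testing.

# Print the real AD domain for a UPN suffix as FreeRADIUS passes it in
# %{realm}.  Matching is case-insensitive (DNS and AD names are).  Returns 1
# and prints nothing for a suffix that is not in the table, so the caller can
# reject the request instead of handing an unmapped domain to ntlm_auth.
map_upn_suffix() {
    suffix=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    case "$suffix" in
        boguscorp.org)  printf '%s\n' "office.users.big-ugly-domain.local" ;;
        bcstudents.org) printf '%s\n' "student.users.big-ugly-domain.local" ;;
        # Real AD domain names are accepted as they are.
        office.users.big-ugly-domain.local|student.users.big-ugly-domain.local)
            printf '%s\n' "$suffix" ;;
        *)              return 1 ;;
    esac
}

# Succeed only if $1 consists of exactly $2 hexadecimal characters.
# mschap hands over the 8-byte challenge and 24-byte NT-Response hex encoded,
# so anything else (including the "00" default) is not worth sending on.
is_hex() {
    case "$1" in
        ''|*[!0-9A-Fa-f]*) return 1 ;;
    esac
    [ "${#1}" -eq "$2" ]
}

# Validate, map, then exec ntlm_auth (or, with NTLM_AUTH_DRY_RUN=1, print the
# command line that would run).  Each option is a separate quoted argv entry,
# so a user name containing spaces or shell metacharacters cannot become an
# extra option.
run_ntlm_auth() {
    username=$1 realm=$2 challenge=$3 nt_response=$4
    domain=$(map_upn_suffix "$realm") || {
        printf 'ntlm_auth_UPN: unknown UPN suffix "%s"\n' "$realm" >&2
        return 1
    }
    { is_hex "$challenge" 16 && is_hex "$nt_response" 48; } || {
        printf 'ntlm_auth_UPN: malformed challenge or NT-Response\n' >&2
        return 1
    }
    set -- --request-nt-key "--username=$username" "--domain=$domain" \
           "--challenge=$challenge" "--nt-response=$nt_response"
    if [ "${NTLM_AUTH_DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "${NTLM_AUTH_BIN:-/usr/bin/ntlm_auth} $*"
        return 0
    fi
    exec "${NTLM_AUTH_BIN:-/usr/bin/ntlm_auth}" "$@"
}

# Act as the wrapper only when called with the four arguments mschap passes:
#   ntlm_auth_UPN <user> <realm> <challenge-hex> <nt-response-hex>
if [ "$#" -eq 4 ]; then
    run_ntlm_auth "$@"
fi
```

Dropping unknown suffixes is the behaviour to check before deploying: the poster's version forwards an unmapped realm to ntlm_auth unchanged, so a user with a suffix that is already a real AD domain name still authenticates there, whereas this version only passes through the domains listed in the table. Run it once with NTLM_AUTH_DRY_RUN=1 and a sample request to confirm the mapped command line before pointing mschap at it.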
