Kerberos realm vs NT domain
aland at deployingradius.com
Thu Jan 17 16:02:54 CET 2019
On Jan 17, 2019, at 9:56 AM, WAGHORN, Jason (NHS BORDERS) via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> It's for a govroam RADIUS - locally it needs to authenticate against AD. 95% of the users are in one container, 5% in another. Ideal world I'd like 100% of users to be able to authenticate, I'd be delighted to get 95% working and move the other 5% to be in the same container...
> RADIUS realm = example.com
> AD domains = a.example.com & b.example.com
> If I use ntlm_auth from the command line of the RADIUS server and explicitly specify the domain a.example.com then authentication is successful.
> If I use ntlm_auth from the command line of the RADIUS server and don't specify the domain a.example.com then authentication is unsuccessful.
> If I use a radius client user at example.com and user is valid in AD domain a.example.com then FR returns
> (7) mschap: ERROR: Program returned code (1) and output 'The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)'
> (7) mschap: External script failed
> (7) mschap: ERROR: External script says: The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)
> (7) mschap: ERROR: MS-CHAP2-Response is incorrect
The short answer there is to fix AD so that it looks users up in the right domain... it should be able to do this.
> My supposition is that I'm not passing the correct AD domain to authenticate but I cannot fathom where I need to modify the config to make that translation.
A better question is what is the "correct" AD domain? How do you know which user is in which domain?
i.e. can *FreeRADIUS* tell which user is in which domain?
If so, the configuration should be simple. If not, it gets a lot more complex.
More information about the Freeradius-Users