Freeradius 3 - Multiple sub-domains - NTLM/SAMBA

Alan DeKok aland at deployingradius.com
Mon Mar 23 14:09:25 CET 2020


On Mar 23, 2020, at 8:30 AM, Gregorio Luján Carboneras <gregorio_lujan at anadat.es> wrote:.
> 
> 
> Could you please give me any advice regarding how to configure freeradius 3 (PEAP-MSCHAP2), to works with multiple sub-domains via NTLM/SAMBA?
> 
> I need to authenticate users from multiple sub-domains in “User Principal Name (UPN)” format:
> 
> -Example:
> 
> user1 at domain.com
> user2 at it.domain.com
> user3 at sales.domain.com

  There are a number of things going on here.  First is the above user name strings.  These are just text strings.  The goal is to figure out how to map these strings to whatever is in AD.

> I have joined the freeradius to the active directory.

  FreeRADIUS doesn't going AD.  Samba joins AD.  The distinction is important.

  FreeRADIUS gets names && MS-CHAP data, and passes it to ntlm_auth, which in turn passes it to winbind, which passes it to AD.

> When I request the users informatation via “wbinfo” command, I don´t obtain the domain information (only usernames). And only appears users from the principal domain (domain.com)
> 
> -Example:
> 
> Freeradius# wbinfo –u | grep user
> user1

  See the Samba and wbinfo documentation for how to join / query different domains.

> Actually I don't really understand how the authentication between the freeradius and the AD is performed (via NTLM, SAMBA, Kerberos ... ???)

  Samba.  This is documented on my web site:

http://deployingradius.com/documents/configuration/active_directory.html

> Could someone please provide me with a link to documentation so I can understand it?

  See above.

  What you will have to do is ensure that the AD server knows about all of the sub domains.  That way you only need to have Samba join "domain.com", and Active Directory will take care of the rest.

  You *should* be able then to check that all of the users can authentication.  *Don't* do this with PEAP.  It's about 3 steps too soon.

  Instead, use ntlm_auth:

ntlm_auth --request-nt-key --domain=MYDOMAIN --username=user --password=password

  Do this for multiple users in each domain.  Do NOT try to do anything with FreeRADIUS until that works.

  i.e. if ntlm_auth can't authenticate users for multiple sub-domains, then no amount of poking FreeRADIUS will make it work.

  If ntlm_auth works for multiple users in multiple subdomains, then that's the hard part done.  The next step is to configure FreeRADIUS to pass the right domain information.  That's pretty easy.

  In the default configuration, edit proxy.conf, and define all of the domains:

domain.com {
}
it.domain.com {
}
sales.domain.com {
}

  After that, PEAP *should* just work.  If it doesn't, post the debug output here.

  Alan DeKok.




More information about the Freeradius-Users mailing list