Freeradius 3 - Multiple sub-domains - NTLM/SAMBA

Gregorio Luján Carboneras gregorio_lujan at anadat.es
Mon Mar 23 17:23:50 CET 2020


Thank you very much Alan.

I'm checking your documentation and I will perform some tests.


One more question please:

When I type the command "wbinfo -u", I receive a list of usernames in AD (only the username, not in UPN format)

How can I check if a listed username belongs to one subdomain or another one? (if it belongs to "@sales.company.com" or "@it.company.com")






-----Original Message-----
From: Freeradius-Users [mailto:freeradius-users-bounces+gregorio_lujan=anadat.es at lists.freeradius.org] On behalf of Alan DeKok
Sent: Monday, 23 March 2020 14:09
To: FreeRadius users mailing list
Subject: Re: Freeradius 3 - Multiple sub-domains - NTLM/SAMBA


On Mar 23, 2020, at 8:30 AM, Gregorio Luján Carboneras <gregorio_lujan at anadat.es> wrote:
>
>
> Could you please give me any advice regarding how to configure freeradius 3 (PEAP-MSCHAP2) to work with multiple sub-domains via NTLM/SAMBA?
>
> I need to authenticate users from multiple sub-domains in “User Principal Name (UPN)” format:
>
> -Example:
>
> user1 at domain.com
> user2 at it.domain.com
> user3 at sales.domain.com

  There are a number of things going on here.  First is the above user name strings.  These are just text strings.  The goal is to figure out how to map these strings to whatever is in AD.

> I have joined the freeradius to the active directory.

  FreeRADIUS doesn't join AD.  Samba joins AD.  The distinction is important.

  FreeRADIUS gets names && MS-CHAP data, and passes it to ntlm_auth, which in turn passes it to winbind, which passes it to AD.

> When I request the users' information via the “wbinfo” command, I don't obtain the domain information (only usernames). And only users from the principal domain (domain.com) appear.
>
> -Example:
>
> Freeradius# wbinfo -u | grep user
> user1

  See the Samba and wbinfo documentation for how to join / query different domains.

> Actually I don't really understand how the authentication between the freeradius and the AD is performed (via NTLM, SAMBA, Kerberos ... ???)

  Samba.  This is documented on my web site:

http://deployingradius.com/documents/configuration/active_directory.html

> Could someone please provide me with a link to documentation so I can understand it?

  See above.

  What you will have to do is ensure that the AD server knows about all of the sub domains.  That way you only need to have Samba join "domain.com", and Active Directory will take care of the rest.

  You *should* be able then to check that all of the users can authenticate.  *Don't* do this with PEAP.  It's about 3 steps too soon.

  Instead, use ntlm_auth:

ntlm_auth --request-nt-key --domain=MYDOMAIN --username=user --password=password

  Do this for multiple users in each domain.  Do NOT try to do anything with FreeRADIUS until that works.

  i.e. if ntlm_auth can't authenticate users for multiple sub-domains, then no amount of poking FreeRADIUS will make it work.

  If ntlm_auth works for multiple users in multiple subdomains, then that's the hard part done.  The next step is to configure FreeRADIUS to pass the right domain information.  That's pretty easy.

  In the default configuration, edit proxy.conf, and define all of the domains:

domain.com {
}
it.domain.com {
}
sales.domain.com {
}

  After that, PEAP *should* just work.  If it doesn't, post the debug output here.

  Alan DeKok.

