freeradius@tarac.net wrote:
Can freeradius be configured to authenticate users against an AD Forest (multi-domain) using universal principal name (UPN) and if so...how?
Maybe FreeRADIUS needs to change to use Samba better, but anything related to AD forest, etc. is really a Samba issue.
We don't really care if we use Samba - integration via LDAP would be fine, but it appears that their is an issue with sending the password in the clear if LDAP is used. If this is inaccurate please let me know.
It's correct. Active Directory does NOT return the password via LDAP queries.
Everything "appears" configured correctly. In fact authentication using the "exec ntlm_auth" configuration referenced in http://deployingradius.com/documents/configuration/active_directory.html works if the username and domain are specified. Once we tried to use the UPN (without domain name) it does not. Going back to the command line for ntlm_auth tests resulted in the following.
That's... frustrating. I'd suggest asking ntlm_auth questions on the Samba list. There's little we can do to help with that.
Using a user account found in DEPT1.COMPANY.NET child domain
ntlm_auth --username=user WORKS ntlm_auth --username=user --domain=DEPT1 WORKS ntlm_auth --username=user@company.net DOES NOT WORK
Using a user account found in DEPT2.COMPANY.NET child domain
ntlm_auth --username=user DOES NOT WORK ntlm_auth --username=user --domain=DEPT2 WORKS ntlm_auth --username=user@company.net DOES NOT WORK
It's possible to configure FreeRADIUS to use the "correct" options to ntlm_auth so that it magically works. But that's a pain to manage. It would be nice if Samba and/or Active Directory just did the right thing. Barring fixes from Samba and (yeah, right) Microsoft, the simplest thing is to configure FreeRADIUS with the magical command-line options for ntlm_auth so that it works. You will need to write rules for each domain... Alan DeKok.