Dear people, before doing the new test tomorrow with the AD authentication useing Freeradius, I need your help: I need to authenticate the Windows company users from their corresponding notebooks to our AD, through our Freeradius 2.2.5 server, and without certificate validation (I don’t install the CA certificate in any notebook at the moment). My AD administrator tell me that the defined domain in the Windows DC server is "company.com" but because it's an “old fashion” Windows server the company users authenticate from notebooks and desktops in this way: COMPANY\username So I replace all the "company.com" strings in my configuration files from samba, kerberos and freeradius for just "company". Is it OK what I do??? Please if you can give me the link of a step-by-step guide on Freeradius + AD auth, because there are seceral guides and they vary from one to another. Thanks again!!! 2017-06-22 11:49 GMT-03:00 Alejandro Cabrera Obed <aco1967@gmail.com>:
Thanks to all, Iwill try later and I will follow your advice.
Any failure, I'll keep in touch with you again.
Regards!!!
2017-06-22 11:46 GMT-03:00 Enrico Polesel <epol.lists@gmail.com>:
Hi all,
On Thu, Jun 22, 2017 at 4:11 PM Alan DeKok <aland@deployingradius.com> wrote:
Sending Access-Request of id 220 to 127.0.0.1 port 1812 User-Name = "alejandro@domain.com <alcabrera@g-bapro.net>"
Is the account in AD called "alejandro@domain.com"? Or is it just alejandro ?
Again... if you're testing a user in AD, you just need to test with the username that's in AD. There is simply no reason to do anything else.
Remember that AD has TWO usernames: the sAMAccountName (old style NetBios) and the userPrincipalName (new style, kerberos), the latest also includes the domain.
BUT windbind (and ntlm_auth) uses the sAMAccountName username, so be sure to pass that name and not the new userPrincipalName.
Cheers, Enrico - List info/subscribe/unsubscribe? See http://www.freeradius.org/list /users.html
-- // Alejandro //
-- // Alejandro //