On Jan 17, 2019, at 4:26 AM, WAGHORN, Jason (NHS BORDERS) via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
Hello all, apologies for this - I'm having an issue where I have a single Kerberos realm (published as the RADIUS realm) but multiple AD containers behind that, within which the users sit. The RADIUS/Kerberos server is joined to the domain and authentication via ntlm_auth works for both containers (if one specifies the container explicitly)
AD doesn't handle multiple domains very well. i.e. if all of the domains are in the AD forest, it's OK. If you need to use different AD forests for different domains, it's hard.
# ntlm_auth --username=testusera --domain=a.example.com Password: NT_STATUS_OK: The operation completed successfully. (0x0) # ntlm_auth --username=testuserb --domain=b.example.com Password: NT_STATUS_OK: The operation completed successfully. (0x0) #
So: Kerberos/RADIUS realm = example.com; users are in containers a.example.com & b.example.com
Can I use the krb5.conf to handle the users as "user@example.com" and automatically have it try both containers (i.e. a.example.com & b.example.com)?
The "krb5" module in the server just connects to a kerberos server. It doesn't really know about domains. If you need to connect to 2 different kerberos servers, configure two krb5 modules. Then, select one or the other based on the domain.
I'm surmising that I need to do this in the realms and/or domain_realm sections - but the documentation isn't making a whole lot of sense to me at this stage (could be related to a caffeine deficit)
TBH, I'm not clear what you want. Why not just use ntlm_auth if that works? Alan DeKok.