On Mon, Jun 06, 2016 at 09:01:15PM +0000, Shawn Wilson wrote:
The ntlm_auth command will not authenticate against alternate active directory UPN You must use the original active directory domain name.
I realize this is not a freeradius problem but a Samba problem.
Actually, sounds like a Microsoft problem to me...
Still, I was wondering if there was an elegant way to configure freeradius to work around this limitation.
For the time being, I did a brutal hack to get it to work:
...
ntlm_auth = "/usr/local/bin/ntlm_auth_UPN %{%{Stripped-User-Name}:-%{%{User-Name}:-None}} %{realm} %{%{mschap:Challenge}:-00} %%{mschap:NT-Response}:-00}" ... exec /usr/bin/ntlm_auth --request-nt-key --username=${USERNAME} --domain=${DOMAIN} --challenge=${CHALLENGE} --nt-response=${NT_RESPONSE}
This means you're execing two processes each time. ntlm_auth doesn't scale well, and this won't help. Just update a local attribute (e.g. Tmp-String-1) in unlang (e.g. switch) with the required data and pass that through to ntlm_auth. Or use recent FreeRADIUS+Samba and use winbind_username / winbind_domain instead to skip ntlm_auth altogether. Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>