On Wed, Oct 16, 2013 at 05:36:14PM -0700, Matthew Ceroni wrote:
Thanks. I figured that would be the answer. I will come up with a solution based on your recommendations.
If you have access to both domains then you should be able to auth against one, and if that fails, try the other. It works best if there is a trust relationship between the domains, so your RADIUS server only has to be joined to one domain. Otherwise you should be able to run two instances of samba, each joined to the different domain, and then try each auth against both. If you're using EAP-TTLS then you have access to the plaintext password, so can auth againt the parent domain's LDAP if you're not actually joined. Nasty, but it will work. If this is too complicated, and they don't have their own RADIUS server, then you should be able to set up a second server that is joined to their domain, and then proxy to that keyed off the realm, or the form of the username, or the MAC address, etc. (I'd try and find something that lets you identify the distinct groups of users, to save having to manually maintain a list of MAC addresses - even if it's "add @parentdomain to your username" or similar. Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>