RE: Freeradius-Users Digest, Vol 134, Issue 11
Hi Alan, thanks for replying. I will try to provide some clarification:
Then I can pass the domain to the ntlm_auth command by using the "-domain=%{realm}" parameter. Everything works fine as long User->Name is in the format <username>@<my.domain.name>.
HOWEVER, the big problem I'm encountering is that we need users to authenticate via alternate UPN suffixes. It turns out Ntlm_auth will not authenticate against these suffixes, only the actual domain names.
What does that mean? "actual domain name" ?
The "actual domain name" is the active directory domain name that was used when the AD domain was originally created. Microsoft allows you to create "alternate UPN suffixes" which are like aliases for the domain (e.g. like this http://www.tutorialspoint.com/articles/adding-alternate-upn-suffix-to-active...). The ntlm_auth command will not authenticate against alternate active directory UPN You must use the original active directory domain name. I realize this is not a freeradius problem but a Samba problem. Still, I was wondering if there was an elegant way to configure freeradius to work around this limitation. For the time being, I did a brutal hack to get it to work:
From /etc/freeradius/modules/mschap: ---- SNIP ---- # Choose the right AD domain to authenticate against. ntlm_auth = "/usr/local/bin/ntlm_auth_UPN %{%{Stripped-User-Name}:-%{%{User-Name}:-None}} %{realm} %{%{mschap:Challenge}:-00} %%{mschap:NT-Response}:-00}" ---- SNIP ----
Contents of /usr/local/bin/ntlm_auth_UPN: -------- #!/bin/sh # This script is a workaround to deal w/ the fact that the ntlm_auth # command does not authenticate properly using alternate UPN suffixes # in active directory domains. It is hardcoded to fix the domain. # USERNAME=$1 DOMAIN=$2 CHALLENGE=$3 NT_RESPONSE=$4 # Rewrite the suffix for office employees. if [ "${DOMAIN}" = "boguscorp.org" ] ; then # Set the AD domain we need to login to. DOMAIN="office.users.big-ugly-domain.local" Fi # Rewrite the suffix for students. if [ "${DOMAIN}" = "bcstudents.org" ] ; then # Set the AD domain we need to login to. DOMAIN="student.users.big-ugly-domain.local" Fi exec /usr/bin/ntlm_auth --request-nt-key --username=${USERNAME} --domain=${DOMAIN} --challenge=${CHALLENGE} --nt-response=${NT_RESPONSE} --------
Hi,
The ntlm_auth command will not authenticate against alternate active directory UPN You must use the original active directory domain name.
then dont use the domain - just use the stripped name with ntlm_auth (so ensure the realm is valid for strip in proxy.conf) and/or use the mschap:User-Name - alternatively, add a local dictionary attribute, assign the current %{relam{ to it and use that on the ntlm_auth line with --domain instead. alan
On Mon, Jun 06, 2016 at 09:01:15PM +0000, Shawn Wilson wrote:
The ntlm_auth command will not authenticate against alternate active directory UPN You must use the original active directory domain name.
I realize this is not a freeradius problem but a Samba problem.
Actually, sounds like a Microsoft problem to me...
Still, I was wondering if there was an elegant way to configure freeradius to work around this limitation.
For the time being, I did a brutal hack to get it to work:
...
ntlm_auth = "/usr/local/bin/ntlm_auth_UPN %{%{Stripped-User-Name}:-%{%{User-Name}:-None}} %{realm} %{%{mschap:Challenge}:-00} %%{mschap:NT-Response}:-00}" ... exec /usr/bin/ntlm_auth --request-nt-key --username=${USERNAME} --domain=${DOMAIN} --challenge=${CHALLENGE} --nt-response=${NT_RESPONSE}
This means you're execing two processes each time. ntlm_auth doesn't scale well, and this won't help. Just update a local attribute (e.g. Tmp-String-1) in unlang (e.g. switch) with the required data and pass that through to ntlm_auth. Or use recent FreeRADIUS+Samba and use winbind_username / winbind_domain instead to skip ntlm_auth altogether. Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
participants (3)
-
A.L.M.Buxey@lboro.ac.uk -
Matthew Newton -
Shawn Wilson