Authenticating Against a Trusted Domain
Does anyone know of some documentation on authenticating freeradius against a trusted domain? For example: We have a domain (ourdomain) that has a trust established with another domain (anotherdomain). I'm attempting to get freeradius to send auth requests to anotherdomain by way of ourdomain (which holds the trust). We are able to do this with file shares. For instance, we have a file server connected to ourdomain and users within anotherdomain that have NTFS permissions on the file server. The file server receives the connection, asks ourdomain for authentication, ourdomain then asks its trusted anotherdomain... and the result comes back allowing access. In addition, we have users on laptops connected to ourdomain but using their anotherdomain usernames to access the shares. They simply supply 'ANOTHERDOMAIN\user_name' as the username and the DCs on ourdomain forward the request up the trust. I haven't been successful with using Samba (which is connected to ourdomain)... I can get Samba to authenticate users on ourdomain but not the trusted anotherdomain. I figured I would give LDAP a try but can't find any documentation on the correct LDAP requests for freeradius. Any pointers? __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com
Josh wrote:
I haven't been successful with using Samba (which is connected to ourdomain)... I can get Samba to
You didn't specify what authentication type you're trying to get working. I suspect you're trying to use PEAP-MSCHAP for wireless, yes? There have been posts in the last few days about this - it seems that a Samba server may be able to do cross-realm fileshare or plaintext auth, but not cross-realm MS-CHAP. This may depend on settings on one or both ends, or may be more fundamental - it's been long enough since I've been involved in windows domain protocols that I can't tell. What errors are you getting, and what is your configuration?
authenticate users on ourdomain but not the trusted anotherdomain. I figured I would give LDAP a try but can't find any documentation on the correct LDAP requests for freeradius.
LDAP to a "real" AD domain (which I assume "anotherdomain" is) is only useful if you want to answer PAP requests. What part of the extensively commented ldap stanza in radiusd.conf or the doc/rlm_ldap file is unclear?
Yes, "anotherdomain" is an AD domain, however, my freeradius server can only talk to "ourdomain". ourdomain has a trust with anotherdomain and can pass windows authentication (file shares, etc.) over the trust for authentication. Is it possible to authenticate "anotherdomain" users via LDAP from the freeradius server by piping the auth requests through "mydomain" (which should then, as windows does, recognize the domain from "anotherdomain\username" and send the auth request up the trust)? I'm obviously formulating the wrong LDAP queries. But if this isn't even possible I won't bother spinning in circles. Josh --- Phil Mayers <p.mayers@imperial.ac.uk> wrote:
Josh wrote:
I haven't been successful with using Samba (which
is
connected to ourdomain)... I can get Samba to
You didn't specify what authentication type you're trying to get working. I suspect you're trying to use PEAP-MSCHAP for wireless, yes?
There have been posts in the last few days about this - it seems that a Samba server may be able to do cross-realm fileshare or plaintext auth, but not cross-realm MS-CHAP. This may depend on settings on one or both ends, or may be more fundamental - it's been long enough since I've been involved in windows domain protocols that I can't tell.
What errors are you getting, and what is your configuration?
authenticate users on ourdomain but not the trusted anotherdomain. I figured I would give LDAP a try but can't find any documentation on the correct LDAP requests for freeradius.
LDAP to a "real" AD domain (which I assume "anotherdomain" is) is only useful if you want to answer PAP requests.
What part of the extensively commented ldap stanza in radiusd.conf or the doc/rlm_ldap file is unclear? - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
__________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com
participants (2)
-
Josh -
Phil Mayers