authenticate machine accounts with ntlm_auth

Michael Fisher mike at chorleyservices.com
Mon Aug 1 14:05:49 CEST 2005


Kris Benson wrote:

>>>I'm very frustrated now after spending a couple of weeks trying to get
>>>free radius to authenticate my Win2k machine accounts against active
>>>directory. :-(
>>>
>> Sorry, blame Microsoft.  It isn't possible, but they don't make it
>>obvious that it's not possible.
>>
>>
>>>Alan, do you know of any way to get this working.  I have been assured
>>>that Funk can do this, have you any idea how Funk are doing it.  Funk
>>>costs too much.  Maybe I'm not allowed to ask such questions.
>>>
>> Funk does it by running the radius server on the AD server.  At that
>>point, they can use *internal* Windows API's or hacks to get at the
>>data.  Since FreeRADIUS is running externally, it can't use those
>>API's, and thus won't work.
>>
>> FreeRADIUS *will* run on XP.  If someone were to write the necessary
>>code, you could run the server on XP, and do what Funk does.
>>
>
>It sounds to me like you're saying this is a server-side issue.  Since AD
>is available via LDAP, why couldn't this FreeRadius install just use
>rlm_ldap to access the machine account info in AD?
>
>The Microsoft side of things isn't my greatest strength, least of all the
>AD/LDAP stuff, but it seems as though this *should* work.
>
>:-)
>
>-kb
>--
>Kris Benson, CCP, I.S.P.
>Technical Analyst, District Projects
>School District #57 (Prince George)
>
>- 
>List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
AD unfortunately does not provide the passwords via LDAP; the 
authentication gets passed on to a Kerberos implementation, and LDAP just 
provides group information. I'd look into a solution for RADIUS that is 
able to either authenticate via machine accounts provided via winbindd, 
or an implementation that is able to use Kerberos for user account 
authentication information.
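As an added illustration of the winbindd route mentioned above (this is my own example, not code from the thread, from FreeRADIUS or from Samba), the script below shows the two things a RADIUS server has to do before it can hand a Windows machine account to winbindd: rewrite the identity the machine sends (`host/pc01.corp.example.com` from EAP, or the `DOMAIN\pc01$` form) into the `pc01$` account name plus a domain, and then build the `ntlm_auth --request-nt-key ...` call with the same flags FreeRADIUS's rlm_mschap passes in its `ntlm_auth` setting. The mapping of the first DNS label after the host name to the NetBIOS domain, the `DEFAULT_DOMAIN` fallback, and the sample challenge/response hex values are my assumptions, not anything the thread states; the script prints the command instead of running it when `ntlm_auth` is not installed, so it runs offline.

```shell
#!/bin/sh
# Added example: normalise a machine-account identity and hand it to ntlm_auth.
# Not from the original thread, FreeRADIUS or Samba.

# Assumption: domain to use when the identity carries none (hypothetical value).
DEFAULT_DOMAIN=${DEFAULT_DOMAIN:-CORP}

# Account name winbindd knows the machine by: "NAME$" for host/NAME.suffix,
# the part after the backslash for DOMAIN\account, otherwise unchanged.
nt_user() {
  id=$1
  case "$id" in
    host/*) fqdn=${id#host/}; printf '%s$' "${fqdn%%.*}" ;;
    *\\*)   printf '%s' "${id#*\\}" ;;
    *)      printf '%s' "$id" ;;
  esac
}

# Domain for ntlm_auth --domain. Assumption: for host/NAME.dom.example.com the
# first label after the host name (dom), uppercased, is the NetBIOS domain.
nt_domain() {
  id=$1
  case "$id" in
    host/*)
      fqdn=${id#host/}
      case "$fqdn" in
        *.*) rest=${fqdn#*.}; printf '%s' "${rest%%.*}" | tr 'a-z' 'A-Z' ;;
        *)   printf '%s' "$DEFAULT_DOMAIN" ;;   # bare host name, no suffix
      esac ;;
    *\\*) printf '%s' "${id%%\\*}" | tr 'a-z' 'A-Z' ;;
    *)    printf '%s' "$DEFAULT_DOMAIN" ;;
  esac
}

# The MS-CHAPv2 check as rlm_mschap issues it:
#   $1 identity, $2 8-byte challenge (16 hex chars), $3 24-byte NT-Response (48 hex chars)
ntlm_auth_cmd() {
  printf 'ntlm_auth --request-nt-key --domain=%s --username=%s --challenge=%s --nt-response=%s' \
    "$(nt_domain "$1")" "$(nt_user "$1")" "$2" "$3"
}

# Run the check when ntlm_auth (Samba) is present; on success it prints
# "NT_KEY: <hex>" and exits 0. Otherwise just show what would be run.
check_machine() {
  cmd=$(ntlm_auth_cmd "$@")
  if command -v ntlm_auth >/dev/null 2>&1; then
    $cmd
  else
    printf '%s\n' "$cmd"
  fi
}

# Constructed sample input: identity plus dummy hex values (not a real exchange).
check_machine 'host/pc01.corp.example.com' \
  '0011223344556677' \
  '00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff'
```

The user winbindd runs as needs read access to the winbindd privileged pipe for `--request-nt-key` to return the NT key, and the account must exist in the domain the server is joined to; if `ntlm_auth` answers `NT_STATUS_NO_SUCH_USER`, the name rewrite (the `$` suffix, the domain) is the first thing to check.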


