ntlm_auth authentication against multiple ADS domains

Gaddis, Jeremy L. jeremy at linuxwiz.net
Fri Feb 9 05:28:49 CET 2007

On Thu, 8 Feb 2007, Dow, Corey wrote:
> up, and I have it working with a single ADS domain. The problem I've
> encountered is performing authentication against multiple ADS domains using
> ntlm_auth.
> ADS Parent domain netidm.net
> ADS Child domain xyz.abc.com

Are you actually trying to authenticate to domains in separate forests 
(e.g. netidm.net and abc.com) or are you trying to authenticate to both a 
parent and child domain in the same forest (e.g. abc.com and 

> If I join to abc.com using net ads join, I can use ntlm_auth with no
> problems, but how do I perform authentications against xyz.abc.com ?

If these domains are in separate forests, you'll need an explicit trust 
between the two forests.  In the domains are in the same forest, there's 
an implicit trust between them already.

Have you tried the reverse (joining child.abc.com and authenticating users 
in abc.com)?  Not saying that would work, just curious.

Any hints in the kerberos logfiles?

> Corey Dow
> Network Solution's Test Center
> ProCurve Networking by HP

Nice products.  =)  Any chance you could mail me (off-list) directions for 
disabling the password on a 9308m from the console (password is lost and I 
keep forgetting how).  I've bothered ProCurve support enough.  =)


Jeremy L. Gaddis, MCP, GCWN             jeremy at linuxwiz.net
LinuxWiz Consulting                     http://linuxwiz.net

More information about the Freeradius-Users mailing list