AW: ntlm_auth authentication against multiple ADS domains

Habegger Lukas, ERZ-AZD-AIL lukas.habegger at
Fri Feb 9 13:28:38 CET 2007


I don't know exactly what you have to do.

I have implemented something like this.

-------         -------
| RAD |---------| AD1 |
-------         -------
    |           -------
    ------------| AD2 |

It's done with a perl module over rlm_perl.

The Perl module looks up which domain the request is for and starts the
right winbind daemon.
It's not really nice. The problem is that a Samba server can only be a
member of one domain.

The Samba team said that Samba 4 would support more than one domain, or
you could change the Samba 3 code
to support multiple sockets on winbind (I think it was discussed on the
If you can build trusts between the domains it's much easier. This
way you can authenticate at a single point.
It should look like this:

-------         -------
| RAD |---------| AD1 |
-------         -------
                | AD2 |

Another way is to proxy the requests to a RADIUS server on each Samba server. It
looks like this:

-------         -------------
| RAD |---------| RAD - AD1 |
-------         -------------
    |           -------------
    ------------| RAD - AD2 |

If you need more info about my implementation, write again.
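The third layout above (a front RADIUS server proxying to one RADIUS server per domain, each of which is a Samba member of its own AD and runs ntlm_auth locally) can be expressed with FreeRADIUS realm-based proxying. The fragment below is an added example by the editor, not the poster's configuration, and it uses FreeRADIUS 2.x syntax (proxy.conf plus the realm module instances from modules/realm), which is newer than the 2007 setup in the post. Hostnames, addresses, shared secrets and the realm names AD1/AD2 and ad1.example/ad2.example are placeholders.

```conf
# --- modules/realm : split the domain off the User-Name ---------------
# "AD1\user"          -> Realm = AD1          (NT-style prefix)
# "user@ad1.example"  -> Realm = ad1.example  (suffix)
realm ntdomain {
    format    = prefix
    delimiter = "\\"
}
realm suffix {
    format    = suffix
    delimiter = "@"
}
# Both instances must be listed in the authorize section of the virtual
# server (sites-enabled/default), e.g.:
#   authorize {
#       preprocess
#       ntdomain
#       suffix
#       ...
#   }

# --- proxy.conf : one home server per AD domain -----------------------
home_server rad_ad1 {
    type   = auth
    ipaddr = 192.0.2.11           # placeholder: RADIUS on the AD1 Samba member
    port   = 1812
    secret = CHANGE-ME-ad1        # placeholder shared secret
    response_window = 20
    zombie_period   = 40
    status_check    = status-server
}

home_server rad_ad2 {
    type   = auth
    ipaddr = 192.0.2.12           # placeholder: RADIUS on the AD2 Samba member
    port   = 1812
    secret = CHANGE-ME-ad2        # placeholder shared secret
    response_window = 20
    zombie_period   = 40
    status_check    = status-server
}

home_server_pool ad1_pool {
    type        = fail-over
    home_server = rad_ad1
}
home_server_pool ad2_pool {
    type        = fail-over
    home_server = rad_ad2
}

# Realm names must match what ntdomain/suffix extract.  "nostrip" keeps
# the full "AD1\user" or "user@ad1.example" in User-Name, so ntlm_auth
# on the far end still sees which domain to check against.
realm AD1 {
    auth_pool = ad1_pool
    nostrip
}
realm ad1.example {
    auth_pool = ad1_pool
    nostrip
}
realm AD2 {
    auth_pool = ad2_pool
    nostrip
}
realm ad2.example {
    auth_pool = ad2_pool
    nostrip
}

# No domain in the User-Name: handle locally instead of guessing a domain.
realm NULL {
}

# A domain that is not listed above: refuse rather than proxy blindly.
realm DEFAULT {
    auth_pool = LOCAL
}
```

Two checks worth doing on such a setup: the per-domain RADIUS servers should accept requests only from the front server's address (their clients.conf), so that nobody can bypass the front server and talk to a domain server directly; and the DEFAULT realm should not silently fall through to a local ntlm_auth that is joined to a different domain than the user named, or a user from one domain could be checked against the wrong one.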


More information about the Freeradius-Users mailing list