AW: ntlm_auth authentication against multiple ADS domains
Habegger Lukas, ERZ-AZD-AIL
lukas.habegger at erz.be.ch
Fri Feb 9 13:28:38 CET 2007
Hi
I don't know exactly what you have to do.
I have implemented something like this.
-------         -------
| RAD |---------| AD1 |
-------         -------
   |            -------
   -------------| AD2 |
                -------
It's done with a perl module over rlm_perl.
The perl module looks for which domain the request is for and starts the
right winbind-daemon.
It's not really nice. The problem is that a samba server can only be a
member of one domain.
The samba team said that samba4 would support more than one domain, or
you could change the samba3 code to support multiple sockets on winbind
(I think it was discussed on the samba mailing list).
If you can build trusts between the domains it's much easier. This
way you can auth on a single point.
It should look like this:
-------         -------
| RAD |---------| AD1 |
-------         -------
                   |
                -------
                | AD2 |
                -------
Another way is to proxy the requests to a radius on the samba server. It
looks like this:
-------         -------------
| RAD |---------| RAD - AD1 |
-------         -------------
   |            -------------
   -------------| RAD - AD2 |
                -------------
If you need more information about my implementation, write again.
Lukas
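
The domain-selection step described in the message above, as an added example that is not Lukas's module and not FreeRADIUS project code: an rlm_perl authorize hook that maps the domain in User-Name to a per-domain winbindd instance and rejects unknown or ambiguous names instead of falling back to a default domain. The realm names, socket directories and the Winbind-Socket-Dir control attribute are hypothetical, and how that value reaches ntlm_auth is left to the deployment.

```perl
#!/usr/bin/perl
# Added example: realm routing for an rlm_perl hook (not the poster's code).
use strict;
use warnings;

our (%RAD_REQUEST, %RAD_CHECK);    # filled in by rlm_perl at run time

# rlm_perl return codes
use constant { RLM_MODULE_REJECT => 0, RLM_MODULE_OK => 2 };

# Hypothetical map (constructed values): NetBIOS domain or DNS realm ->
# socket directory of the winbindd instance joined to that domain.
my %BACKEND = (
    'ad1'             => '/var/run/winbind-ad1',
    'ad1.example.org' => '/var/run/winbind-ad1',
    'ad2'             => '/var/run/winbind-ad2',
    'ad2.example.org' => '/var/run/winbind-ad2',
);

# Return the lower-cased realm of DOMAIN\user or user@realm, or undef.
# Names with no realm, with both separators, or with control characters
# are treated as unroutable.
sub realm_of {
    my ($name) = @_;
    return undef unless defined $name && $name !~ /[\x00-\x1f]/;
    return lc $1 if $name =~ /^([^\\@]+)\\[^\\@]+$/;
    return lc $1 if $name =~ /^[^\\@]+@([^\\@]+)$/;
    return undef;
}

sub authorize {
    my $realm = realm_of($RAD_REQUEST{'User-Name'});
    my $dir   = defined $realm ? $BACKEND{$realm} : undef;
    # Fail closed: a request never reaches a domain it did not name.
    return RLM_MODULE_REJECT unless defined $dir;
    $RAD_CHECK{'Winbind-Socket-Dir'} = $dir;    # hypothetical attribute
    return RLM_MODULE_OK;
}

# Stand-alone check with constructed names: perl route.pl --selftest
if (@ARGV && $ARGV[0] eq '--selftest') {
    for my $n ('AD1\\alice', 'bob@ad2.example.org', 'carol', 'OTHER\\dave') {
        %RAD_CHECK = ();
        $RAD_REQUEST{'User-Name'} = $n;
        my $rc = authorize();
        printf "%-20s rc=%d dir=%s\n", $n, $rc,
            $RAD_CHECK{'Winbind-Socket-Dir'} // '-';
    }
}
1;
```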