ntlm_auth, universal principal name, multi-domain active directory, howto?

freeradius at tarac.net freeradius at tarac.net
Wed Jun 3 23:00:35 CEST 2009

New to freeradius & samba - and first post here.

Rather long post so to cut to the heart of the question:

Can freeradius be configured to authenticate users against an AD Forest (multi-domain) using universal principal name (UPN) and if so...how?

I'm posting here because our only need for samba is freeradius integration to AD - but if I need to go to the Samba community just let me know. 

The ultimate goal is to have the majority of remote access users authenticate using their universal principal names (UPN) from AD.  The path of that authentication however is not direct.

RA Appliance --> Freeradius (Proxy) --> Freeradius --> AD

There are some instances where we need users to authenticate from a repository other than AD, so Freeradius has been configured against both MySQL (primarily to hold NAS information & accounting info, but could potentially host users) and Openldap.

The MySql & Openldap configs are working just fine.

We don't really care if we use Samba - integration via LDAP would be fine, but it appears that their is an issue with sending the password in the clear if LDAP is used. If this is inaccurate please let me know.

Everything "appears" configured correctly.  In fact authentication using the "exec ntlm_auth" configuration referenced in http://deployingradius.com/documents/configuration/active_directory.html works if the username and domain are specified.  Once we tried to use the UPN (without domain name) it does not.  Going back to the command line for ntlm_auth tests resulted in the following.

Using a user account found in DEPT1.COMPANY.NET child domain

ntlm_auth --username=user                  WORKS
ntlm_auth --username=user --domain=DEPT1   WORKS
ntlm_auth --username=user at company.net      DOES NOT WORK

Using a user account found in DEPT2.COMPANY.NET child domain

ntlm_auth --username=user                  DOES NOT WORK
ntlm_auth --username=user --domain=DEPT2   WORKS
ntlm_auth --username=user at company.net      DOES NOT WORK

All of the DOES NOT WORK result in the same error.

NT_STATUS_NO_SUCH_USER: No such user (0xc0000064)

tcpdumps of the ntlm_auth traffic validate that all requests are being sent to one of the domain controllers within DEPT1.COMPANY.NET

The internal freeradius host is in the child domain DEPT1.COMPANY.NET based on policy.  If moving the server to COMPANY.NET is required that could be considered, however preference is to leave it in DEPT1.COMPANY.NET.

Linux Host
RHEL 5.2
Freeradius 2.1.6
Samba 3.3.4

Active Directory
Multi-Domain Model
Native Mode Win2003
Root Domain - company.net
Child Domain - dept1.company.net
Child Domain - dept2.company.net
Child Domain - dept9.company.net

For the sake of testing we are currently only configured for the root, child domains dept1 and dept2.  We do not have admin_server entries because all of the examples reference port 749 which is not running on any of the domain controllers or global catalogs.  

I am including sanitized copies of the krb5.conf and smb.conf because they seem pertinent to the question. If any of the freeradius config files, nsswitch or some other information is needed just let me know.




 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

 default_realm = DEPT1.COMPANY.NET
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 forwardable = yes

  kdc = gc01.company.net:88
  kdc = gc02.company.net:88
  kdc = gc03.company.net:88

  kdc = dept1-dc01.dept1.company.net:88
  kdc = dept1-dc02.dept1.company.net:88
  kdc = dept1-dc03.dept1.company.net:88

  kdc = dept2-dc01.dept2.company.net:88
  kdc = dept2-dc02.dept2.company.net:88
  kdc = dept3-gc01.dept2.company.net:88

 .company.net = COMPANY.NET
 .dept1.company.net = DEPT1.COMPANY.NET
 .dept2.company.net = DEPT2.COMPANY.NET

 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false



        workgroup = DEPT1
        netbios name = AAA-Server
        realm = DEPT1.COMPANY.NET
        security = ADS
        template shell = /bin/bash
        idmap uid = 500-10000000
        idmap gid = 500-10000000
        winbind nested groups = Yes
        winbind enum users = yes
        winbind enum groups = yes
        server string = AAA

        comment = Home Directories
        browseable = no
        writable = yes

More information about the Freeradius-Users mailing list