ntlm_auth, universal principal name, multi-domain active directory, howto?

Rupert Finnigan rupert.finnigan at googlemail.com
Thu Jun 4 00:10:50 CEST 2009

Hi Adam,

I've been experimenting with something very similar recently.
ntlm_auth can handle authentication in one of the following ways:

1. --username = "NetBIOS Domain Name"\"Username", no --domain parameter

2. --username = "Username", --domain = "NetBIOS Domain Name"

3. --username = "Username", --domain = "FQDN of domain".

In your case, the problem is it doesn't know which actual domain the user is
in, based on the UPN. So, my thoughts are you've got two options:

1. Make the users login using a principal of username at FQDN, so
someuser at dept1.company.net and use some logic to "split" the username into
the two sections using the @ as a delimiter. Maybe attr_rewrite module would
be good for this.

2. Configure some form of way to look up the users' "real" domain from AD
(probably via LDAP, or maybe there's a samba related tool for this?) and
then pass that to ntlm_auth, either in the newer FQDN style, or the legacy
NetBIOS style.

Unfortunately, I'm not too hot on the various logic options available in FR,
as I'm only really just starting playing in Unlang. Hopefully someone else
will be able to help with providing a working logic config, once you've
decided which method best suits your requirements.
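Option 1 above (split the UPN on "@" and hand the two halves to ntlm_auth in style 3) sketched as a POSIX shell example. This is an added illustration, not part of the original post or of FreeRADIUS; the suffix-to-domain table is constructed for the example, since a UPN suffix is not guaranteed to equal the domain's DNS name, and nothing here actually executes ntlm_auth.

```shell
#!/bin/sh
# Constructed mapping of UPN suffix -> AD domain FQDN for ntlm_auth --domain.
# Assumed values for this example only; a real deployment would source the
# mapping from AD (the post's option 2), because a UPN suffix can differ
# from the domain's DNS name.
upn_suffix_to_domain() {
    case "$1" in
        dept1.company.net) printf '%s\n' "dept1.company.net" ;;
        dept2.company.net) printf '%s\n' "dept2.company.net" ;;
        company.com)       printf '%s\n' "corp.company.net" ;;   # alternate suffix
        *) return 1 ;;
    esac
}

# Split user@suffix into "user suffix". Rejects malformed input and any
# character that should never reach a command line built from RADIUS input
# (backslash, quotes, whitespace, shell metacharacters).
split_upn() {
    upn=$1
    case "$upn" in
        *@*@*|@*|*@) return 1 ;;   # more than one '@', or an empty side
        *@*) ;;                    # exactly one '@' with both sides present
        *) return 1 ;;             # no '@' at all: not a UPN
    esac
    user=${upn%@*}
    suffix=${upn#*@}
    case "$user$suffix" in
        *[!A-Za-z0-9._-]*) return 1 ;;
    esac
    printf '%s %s\n' "$user" "$suffix"
}

# Build the ntlm_auth argument list in style 3 (--username + --domain FQDN).
# Prints the arguments only; it does not run ntlm_auth.
ntlm_auth_args() {
    parts=$(split_upn "$1") || return 1
    set -- $parts
    domain=$(upn_suffix_to_domain "$2") || return 1
    printf '%s %s\n' "--username=$1" "--domain=$domain"
}
```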
