ntlm_auth, universal principal name, multi-domain active directory, howto?

Alan DeKok aland at deployingradius.com
Thu Jun 4 09:04:58 CEST 2009

freeradius at tarac.net wrote:
> Can freeradius be configured to authenticate users against an AD Forest (multi-domain) using universal principal name (UPN) and if so...how?

  Maybe FreeRADIUS needs to change to use Samba better, but anything
related to AD forest, etc. is really a Samba issue.

> We don't really care if we use Samba - integration via LDAP would be fine, but it appears that there is an issue with sending the password in the clear if LDAP is used. If this is inaccurate please let me know.

  It's correct.  Active Directory does NOT return the password via LDAP.

> Everything "appears" configured correctly.  In fact authentication using the "exec ntlm_auth" configuration referenced in http://deployingradius.com/documents/configuration/active_directory.html works if the username and domain are specified.  Once we tried to use the UPN (without domain name) it does not.  Going back to the command line for ntlm_auth tests resulted in the following.

  That's... frustrating.  I'd suggest asking ntlm_auth questions on the
Samba list.  There's little we can do to help with that.

> Using a user account found in DEPT1.COMPANY.NET child domain
> ntlm_auth --username=user                  WORKS
> ntlm_auth --username=user --domain=DEPT1   WORKS
> ntlm_auth --username=user@company.net      DOES NOT WORK
> Using a user account found in DEPT2.COMPANY.NET child domain
> ntlm_auth --username=user                  DOES NOT WORK
> ntlm_auth --username=user --domain=DEPT2   WORKS
> ntlm_auth --username=user@company.net      DOES NOT WORK

  It's possible to configure FreeRADIUS to use the "correct" options to
ntlm_auth so that it magically works.  But that's a pain to manage.  It
would be nice if Samba and/or Active Directory just did the right thing.

  Barring fixes from Samba and (yeah, right) Microsoft, the simplest
thing is to configure FreeRADIUS with the magical command-line options
for ntlm_auth so that it works.  You will need to write rules for each

  Alan DeKok.
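A wrapper script of the kind Alan describes, as an added example that is not from this thread, the deployingradius.com page, FreeRADIUS or Samba. It splits the login into user and NetBIOS domain and calls ntlm_auth with explicit --username/--domain. When the UPN suffix is a child domain's DNS name it maps it directly; when it is the forest-wide suffix (user@company.net for an account that really lives in DEPT1 or DEPT2, exactly the case that fails above) it tries each child domain in turn. The domain names DEPT1/DEPT2 come from the thread; the suffix table, the candidate-domain order, the accounts, the passwords and the fake_ntlm_auth stand-in (which only mimics the behaviour reported above so the script runs offline) are all constructed for the example.

```shell
#!/bin/sh
# Added example: map a UPN or bare login to ntlm_auth --username/--domain.
# Not part of the thread, FreeRADIUS or Samba.

# Child domains to try, in order, when the login does not identify one.
# Assumption: DEPT1 first because it is the domain ntlm_auth defaults to
# on this host (the bare "user" case that WORKS above).
CANDIDATE_DOMAINS=${CANDIDATE_DOMAINS:-"DEPT1 DEPT2"}

# DNS suffix -> NetBIOS domain. Constructed table; in a real deployment
# build it from "wbinfo --all-domains" / your forest documentation.
netbios_for_suffix() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        dept1.company.net) echo DEPT1 ;;
        dept2.company.net) echo DEPT2 ;;
        *) return 1 ;;   # forest root suffix (company.net) or unknown: no child domain known
    esac
}

# Offline stand-in for ntlm_auth (constructed). Mirrors the thread:
# "user" lives in DEPT1 (reachable via the default domain), "user2" lives
# in DEPT2 (reachable only with an explicit --domain). Real ntlm_auth
# exits 0 on success and non-zero on failure, which is all we rely on.
fake_ntlm_auth() {
    u=; d=DEPT1; p=
    for a in "$@"; do
        case "$a" in
            --username=*) u=${a#--username=} ;;
            --domain=*)   d=${a#--domain=} ;;
            --password=*) p=${a#--password=} ;;
        esac
    done
    case "$d/$u/$p" in
        DEPT1/user/secret1|DEPT2/user2/secret2)
            echo "NT_STATUS_OK: Success (0x0)"; return 0 ;;
        *)
            echo "NT_STATUS_LOGON_FAILURE: Logon failure (0xc000006d)"; return 1 ;;
    esac
}
# Point this at the real binary (e.g. /usr/bin/ntlm_auth) in production.
NTLM_AUTH=${NTLM_AUTH:-fake_ntlm_auth}

# upn_auth LOGIN PASSWORD
# LOGIN may be user@suffix (UPN), DOMAIN\user (down-level) or a bare user.
# Prints the domain that accepted the credentials and returns 0; returns 1
# if no candidate domain accepts them.
upn_auth() {
    login=$1; pass=$2
    case "$login" in
        *@*)
            user=${login%%@*}
            suffix=${login#*@}
            if dom=$(netbios_for_suffix "$suffix"); then
                domains=$dom                 # suffix names a child domain: one try
            else
                domains=$CANDIDATE_DOMAINS   # forest-wide suffix: try each child
            fi
            ;;
        *\\*)
            user=${login#*\\}; domains=${login%%\\*} ;;
        *)
            user=$login; domains=$CANDIDATE_DOMAINS ;;
    esac
    for dom in $domains; do
        if "$NTLM_AUTH" --username="$user" --domain="$dom" --password="$pass" >/dev/null; then
            echo "$dom"
            return 0
        fi
    done
    return 1
}

# Stand-alone usage: ./upn_auth.sh 'user2@company.net' 'secret2'
if [ "$#" -eq 2 ]; then
    upn_auth "$1" "$2"
fi
```

Two caveats before deploying something like this. Every failed try against a child domain counts against that domain's bad-password/lockout policy, so a mistyped password for a forest-wide UPN costs one attempt per candidate domain; keep the candidate list short and ordered by where most accounts live. And sAMAccountName is only unique per domain, so a bare "user" that exists in both DEPT1 and DEPT2 with different passwords authenticates as whichever one matches the password; if that matters, require the UPN or DOMAIN\user form instead of the bare login. As with the exec configuration on the deployingradius.com page, the password travels on ntlm_auth's command line, so it is briefly visible in the process list on the RADIUS host.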
