AD authentication issue with machine authentication
Phil Mayers
p.mayers at imperial.ac.uk
Wed Oct 20 10:04:30 CEST 2010
On 10/19/2010 10:37 PM, Cannady, Mike wrote:
>
> Our AD (2003) setup has the domain name as "htc.com". The pre-windows
> 2000 domain name is "HORRY".
Uh oh. Then I think you're going to have problems. ntlm_auth when it
expands %{mschap:NT-Domain} assumes that the username will be of the form:
host/machinename.prewin2kname.domain.com
That is, that the downlevel domain is the first component of the new
domain. You can either hardcode the domain, or write some unlang/regexp
to extract the domain yourself e.g.
	if (User-Name =~ /host\/([^.]+)\.(.+)/) {
		update request {
			# the machine account as AD names it: "machinename$"
			User-Name := "%{1}$"
			# everything after the first dot, i.e. the DNS domain part
			Tmp-String-0 := "%{2}"
		}
		# match "htc.com" itself as well as any DNS child of it
		if (Tmp-String-0 =~ /^(.*\.)?htc\.com$/i) {
			# "config" is the older name of the "control" list
			update config {
				My-Mschap-Domain := "HTC.COM"
			}
		}
	}
...and set your ntlm_auth command to contain:
	... --domain=%{%{control:My-Mschap-Domain}:-%{mschap:NT-Domain}}
...making sure to define the My-Mschap-Domain in /etc/raddb/dictionary:
	ATTRIBUTE	My-Mschap-Domain	3000	string
TBH I'm not sure what the "right" approach for FreeRadius to take is.
It's possible for the host/name syntax to contain lots of stuff e.g. DNS
names which are children of (or completely unrelated to) either the
downlevel or win2k-style domain. Short of hard-coding the domain or
doing something like above, it's difficult to see how FreeRadius could
handle this. I wonder what Microsoft NPS does?
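The domain-extraction logic described above, modelled as an added Python example (not code from the thread or from FreeRADIUS): it reproduces the first-label assumption Phil describes for %{mschap:NT-Domain} beside an explicit DNS-suffix-to-domain table with longest-suffix matching, so the child-domain and unrelated-DNS-name cases he raises can be checked offline. The table contents, the HORRYLAB child domain and the sample names are constructed assumptions; only htc.com -> HORRY comes from the thread.

```python
import re
from typing import Optional, Tuple

# Constructed table: DNS (AD) domain suffix -> the name to hand to ntlm_auth --domain.
# htc.com -> HORRY is from the thread; lab.htc.com -> HORRYLAB is a hypothetical child domain.
DNS_TO_NETBIOS = {
    "htc.com": "HORRY",
    "lab.htc.com": "HORRYLAB",
}

# Same split as the unlang regex: machine name up to the first dot, rest is the DNS part.
HOST_RE = re.compile(r"^host/([^./]+)\.(.+)$", re.IGNORECASE)


def split_host_name(user_name: str) -> Optional[Tuple[str, str]]:
    """Return (machine, dns_suffix) for a 'host/machine.dns.suffix' User-Name, else None."""
    m = HOST_RE.match(user_name)
    if not m:
        return None
    return m.group(1), m.group(2).lower()


def naive_nt_domain(user_name: str) -> Optional[str]:
    """The assumption the thread attributes to %{mschap:NT-Domain}: the downlevel
    domain is the first label after the machine name, upper-cased."""
    parts = split_host_name(user_name)
    if parts is None:
        return None
    return parts[1].split(".")[0].upper()


def mapped_nt_domain(user_name: str) -> Optional[str]:
    """Longest-suffix lookup of the DNS part in the explicit table, so a DNS child
    zone of htc.com still maps to HORRY; unknown suffixes fall back to the naive rule."""
    parts = split_host_name(user_name)
    if parts is None:
        return None
    labels = parts[1].split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in DNS_TO_NETBIOS:
            return DNS_TO_NETBIOS[candidate]
    return naive_nt_domain(user_name)


def ntlm_auth_identity(user_name: str) -> Optional[Tuple[str, str]]:
    """(account, domain) as passed to ntlm_auth: the 'NAME$' machine account plus domain."""
    parts = split_host_name(user_name)
    if parts is None:
        return None
    return parts[0] + "$", mapped_nt_domain(user_name)
```

For `host/pc1.htc.com` the naive rule yields "HTC" while the table yields "HORRY", which is exactly the mismatch the thread describes.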