New User and AD Question

McNutt, Justin M. McNuttJ at missouri.edu
Wed Mar 2 14:26:57 CET 2011


> > [mschap]        expand: --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} -> --username=host/dnps-caplap-4.col.missouri.edu
> 
> That is not "%{mschap:User-Name}". i.e. it's misconfigured

Actually, I tried it both ways, since the longer string shown above was the default.

> > [mschap]        expand: --domain=%{mschap:NT-Domain} -> --domain=col
> 
> Ah, yes. Now this I do remember. The %{mschap:NT-Domain} expansion 
> assumes that in a host account of the form:
> 
> host/username.domain.com
> 
> ...the old-style short domain is "domain". Of course, this falls apart 
> if you have a disjoint DNS/AD namespace:
> 
> host/username.subdomain.domain.com
> 
> ...or if your new-style DNS domain and old-style NT domain 
> don't match:
> 
> host/username.mycompany.com vs. NT domain of "CORP" - 
> mycompany != CORP

And this is the case.
	AD domain = col.missouri.edu
	NT domain = UMC-USERS

> The only real solution in this case is to not use the 
> %{mschap:NT-Domain} expansion - you can't, since there's not 
> enough info to get the old-style short domain name in all cases.
> 
> So, in /etc/raddb/modules/mschap, set (don't include the line 
> continuation \ I've added):
> 
>   ntlm_auth = "/path/to/ntlm_auth --request-nt-key \
>    --username=%{mschap:User-Name} --domain=YOURDOMAIN \
>    --challenge=... --nt-response=..."

Good news:  

Login OK: [host/dnps-caplap-4.col.missouri.edu] (from client test-wss2380 port 573 cli 00-90-4B-2F-80-B4)
+- entering group post-auth {...}
++[exec] returns noop
} # server campus-eap
Sending Access-Accept of id 179 to 128.206.131.253 port 20009

Bad news:

I have a multi-domain environment.  If I hard-code the domain in here, then only users or hosts from that domain will be able to authenticate.  How can I make it recognize the others and behave correctly?

It's fine if I have to write some code using string matching and switch/case.  But I can't restrict access to only one domain.

--J
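The thread describes two things in prose: how the %{mschap:NT-Domain} expansion guesses the short domain from a host/ principal (and why that guess breaks when the DNS and NT namespaces differ), and the poster's wish to replace the hard-coded --domain=YOURDOMAIN with string matching across several domains. The Python below is an added example written for this page; it is not code from the thread, from rlm_mschap, or from Samba's ntlm_auth. It assumes a lookup table from DNS suffix to NT domain (the col.missouri.edu / UMC-USERS pair comes from the message, the corp.example.org / CORP pair is constructed), reproduces only the domain-guessing behaviour the reply describes, and does not reproduce whatever account-name normalisation the real mschap module performs. Requests whose domain cannot be determined are rejected rather than sent to a default domain.

```python
"""Added example (not from the thread or FreeRADIUS): choose the NT domain for
ntlm_auth per request instead of hard-coding --domain=YOURDOMAIN."""

# Assumed mapping from DNS suffix to old-style NT domain. The first entry is
# the one named in the thread; the second is constructed for illustration.
NT_DOMAIN_BY_DNS_SUFFIX = {
    "col.missouri.edu": "UMC-USERS",
    "corp.example.org": "CORP",
}


def naive_nt_domain(user_name):
    """Reproduce the guess the reply attributes to %{mschap:NT-Domain} for
    host/ accounts: the DNS label right after the host name is taken as the
    short domain (host/pc.col.missouri.edu -> "col"). Returns None for names
    that are not host/ principals. This is what goes wrong in a disjoint
    namespace: the label is a DNS name, not the NT domain."""
    if not user_name.startswith("host/"):
        return None
    labels = user_name[len("host/"):].split(".")
    return labels[1] if len(labels) >= 2 else None


def resolve_nt_domain(user_name, mapping=NT_DOMAIN_BY_DNS_SUFFIX):
    """Return the NT domain for a User-Name, or None if it is not known.

    Three shapes are handled: DOMAIN\\account (domain given explicitly and
    checked against the table), account@dns.suffix, and host/hostname.dns.suffix
    (domain taken from the longest DNS suffix present in the table)."""
    if "\\" in user_name:
        domain, _account = user_name.split("\\", 1)
        return domain if domain in mapping.values() else None
    if user_name.startswith("host/"):
        fqdn = user_name[len("host/"):]
        dns_part = fqdn.split(".", 1)[1] if "." in fqdn else ""
    elif "@" in user_name:
        _account, dns_part = user_name.rsplit("@", 1)
    else:
        return None
    # Longest suffix first, so a sub-domain entry wins over its parent domain.
    for suffix in sorted(mapping, key=len, reverse=True):
        if dns_part == suffix or dns_part.endswith("." + suffix):
            return mapping[suffix]
    return None


def ntlm_auth_argv(user_name, challenge, nt_response,
                   ntlm_auth="/path/to/ntlm_auth"):
    """Build the argument vector that the quoted mschap snippet hard-codes,
    with --domain looked up per request. The --username value is passed
    through unchanged (assumption: the caller supplies whatever form the
    mschap module would have expanded). Raises ValueError for an unknown
    domain so the request is refused instead of being tried against the
    wrong domain."""
    domain = resolve_nt_domain(user_name)
    if domain is None:
        raise ValueError("no NT domain known for %r" % user_name)
    return [ntlm_auth, "--request-nt-key",
            "--username=" + user_name, "--domain=" + domain,
            "--challenge=" + challenge, "--nt-response=" + nt_response]


if __name__ == "__main__":
    # Constructed sample names: the first is the host from the thread's log.
    for name in ("host/dnps-caplap-4.col.missouri.edu", "alice@corp.example.org",
                 "CORP\\bob", "host/laptop.other.example.net"):
        print(name, "-> naive:", naive_nt_domain(name),
              "table:", resolve_nt_domain(name))
```

The table-driven lookup is the switch/case the poster mentions; the one design choice worth keeping whatever language it is ported to is the explicit None/ValueError path, so that a principal from an unlisted domain fails closed instead of being authenticated against a default.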



More information about the Freeradius-Users mailing list