New User and AD Question

McNutt, Justin M. McNuttJ at
Wed Mar 2 18:11:46 CET 2011

> %{mschap:NT-Domain} is not a real variable; it's a dynamic expansion. 
> There's no attribute you can "set", so you'll need to use another 
> attribute (see my other email)

Gotcha.  I'm looking into that now (based on your other e-mail).  That's very likely do-able.

> > I think it should be a flag - set to the current "NT-style guessing
> > as the default - to maintain backward compatibility an ease of
> > removal in case it turns out to be a Very Bad Idea Indeed.
> >
> > What do you think?
> I agree. However, as I say - I am pretty sure that long-form won't work 
> either if you have a disjoint DNS/AD namespace. In that case, sites are 
> going to have to use locally-defined rules.

I'm not following what you mean about "disjoint namespace".  You mean the difference between "UMC-USERS" and ""?  I think of "UMC-USERS" as "NT namespace" whereas I see AD and DNS as the same thing, in this case.

In any event, in the test cases where I hard-coded one of the domain names into the ntlm_auth string, I used "" (DNS/long form) and this worked.  So I'm confident in that part.  I'd just like to see it done automatically, given a user flag that asks it to do so.


More information about the Freeradius-Users mailing list