New User and AD Question
Phil Mayers
p.mayers at imperial.ac.uk
Wed Mar 2 18:27:18 CET 2011
On 02/03/11 17:11, McNutt, Justin M. wrote:
>> %{mschap:NT-Domain} is not a real variable; it's a dynamic
>> expansion. There's no attribute you can "set", so you'll need to
>> use another attribute (see my other email)
>
> Gotcha. I'm looking into that now (based on your other e-mail).
> That's very likely do-able.
>
>>> I think it should be a flag - set to the current "NT-style
>>> guessing" as the default - to maintain backward compatibility and
>>> ease of removal in case it turns out to be a Very Bad Idea
>>> Indeed.
>>>
>>> What do you think?
>>
>> I agree. However, as I say - I am pretty sure that long-form won't
>> work either if you have a disjoint DNS/AD namespace. In that case,
>> sites are going to have to use locally-defined rules.
>
> I'm not following what you mean about "disjoint namespace". You mean
> the difference between "UMC-USERS" and "col.missouri.edu"? I think
> of "UMC-USERS" as "NT namespace" whereas I see AD and DNS as the same
> thing, in this case.
Disjoint namespace is the term used if you have DNS names for windows
active directory members which are anything other than:
samaccountname.<AD domain>
So, if you give your hosts DNS hostnames of:
samaccountname.dept.<AD domain>
...this is a disjoint namespace. This is a supported configuration in
principle - AD itself and most of the Microsoft tools work just fine -
but in practice you'll find an awful lot of 3rd party stuff out there
assumes that the AD domain starts at the first "." in the hostname, and
will break if it doesn't.
This makes me sad, since the underlying protocols that AD is built on
(DNS, Kerberos, LDAP) have plenty of mechanisms for doing the mapping
properly. They're just not used.
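The "first dot" guess the post describes, beside a suffix-based lookup that copes with a disjoint namespace, as an added example (not code from the list post or from FreeRADIUS). The host names, the AD domain list and the col.missouri.edu to UMC-USERS mapping are constructed assumptions for illustration.

```python
"""Deriving a member host's AD domain from its DNS name.

In a disjoint namespace a member is named host.dept.<AD domain> rather than
host.<AD domain>, so guessing the AD domain as "everything after the first
dot" picks the wrong realm. A longest-suffix match against the AD domains
the server actually knows about handles both layouts, and the NT-style
domain then comes from a locally defined map rather than from the hostname.
"""
from typing import Dict, List, Optional

# Constructed config (assumed values): AD DNS domain -> NT-style short name.
AD_TO_NT: Dict[str, str] = {"col.missouri.edu": "UMC-USERS"}


def ad_domain_naive(fqdn: str) -> str:
    """The fragile guess many 3rd-party tools make: AD domain = text after
    the first '.'. Only correct when hosts are named host.<AD domain>."""
    _host, _sep, rest = fqdn.strip().rstrip(".").lower().partition(".")
    return rest


def ad_domain_by_suffix(fqdn: str, known: List[str]) -> Optional[str]:
    """Return the longest known AD domain that is a proper DNS suffix of
    fqdn, or None if the host belongs to none of them."""
    labels = fqdn.strip().rstrip(".").lower().split(".")
    best: Optional[List[str]] = None
    for dom in known:
        dl = dom.strip().rstrip(".").lower().split(".")
        # Proper suffix: at least one host label must precede the domain.
        if len(dl) < len(labels) and labels[-len(dl):] == dl:
            if best is None or len(dl) > len(best):
                best = dl
    return ".".join(best) if best else None


def nt_domain_for(fqdn: str, mapping: Dict[str, str] = AD_TO_NT) -> Optional[str]:
    """Resolve the NT-style domain via the local map instead of guessing."""
    ad = ad_domain_by_suffix(fqdn, list(mapping))
    return mapping.get(ad) if ad else None


if __name__ == "__main__":
    for name in ("ws01.col.missouri.edu", "ws01.dept.col.missouri.edu"):
        print(name, "naive:", ad_domain_naive(name),
              "suffix:", ad_domain_by_suffix(name, list(AD_TO_NT)),
              "NT:", nt_domain_for(name))
```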