Multi-domain AD and Users Who Aren't So Bright

NdK ndk.clanbo at gmail.com
Thu Feb 2 18:33:19 CET 2012


On 02/02/2012 13:35, McNutt, Justin M. wrote:

> Thoughts?  Opinions?  Better ways to accomplish any/all of this?
> 
> Briefly, there's probably not much you can do to improve this. If you
> have such a complex domain environment, you're going to have to write
> complex policies OR mandate your users always use the correct "DOM\user"
> format.
Or make 'em use their institutional email address. Easier to remember :)
Seems trivial but it might not be. At least in our case we have 3 kinds
of email addresses, referring to 2 domains. And the name before the '@'
sign might not be the same as the sAMAccountName.

I'm trying (with no luck :( ) to use
/usr/bin/net ads search -P "(mail=%{User-Name})" sAMAccountName | grep sAMAccountName | sed "s/^[^ ]* //"
(maybe it's possible to do the same without using grep and sed, but it's
been just a quick test -- suggestions welcome).

Replacement is OK, but it seems secrets.tdb can't be opened :( even if
permissions should be OK :-?

A limit of net ads search is that it searches only the default (joined)
domain, unless you specify another domain controller with -S or -I -- I
could easily do that based on the mail domain but in other setups it
could be harder.

BYtE,
 Diego.
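One way to do the lookup described in the post above, written as an added example that is not from the original thread: the domain controller is picked from the mail domain (a constructed mapping), the grep|sed pair is replaced by awk, and the mail value is escaped per RFC 4515 before it is placed in the filter, because User-Name is input supplied by whoever is authenticating. It assumes Samba's `net` is on the PATH and that the machine account (secrets.tdb) is readable.

```shell
#!/bin/sh
# Added example (not from the original post): resolve an AD sAMAccountName
# from the e-mail address a user typed as User-Name, choosing the DC from
# the mail domain. Assumes `net ads search` output lines such as
# "sAMAccountName: jdoe"; the domain -> DC table below is constructed.
NET_CMD="${NET_CMD:-net}"   # overridable for tests / non-standard paths

# Map the part after '@' to a domain controller (constructed values).
dc_for_mail_domain() {
    case "$1" in
        example.edu)      echo "dc1.example.edu" ;;
        mail.example.org) echo "dc1.example.org" ;;
        *)                return 1 ;;   # unknown mail domain: refuse lookup
    esac
}

# RFC 4515 escaping so a crafted User-Name cannot change the LDAP filter.
# Backslash is escaped first so later substitutions are not re-escaped.
ldap_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' \
                           -e 's/(/\\28/g'  -e 's/)/\\29/g'
}

# Usage: sam_from_mail 'user@domain'
# Prints the sAMAccountName and returns 0; non-zero if rejected/not found.
sam_from_mail() {
    mail="$1"
    case "$mail" in *@*@*|*@|@*|'') return 2 ;; esac   # exactly one '@'
    case "$mail" in *@*) ;; *) return 2 ;; esac
    domain="${mail##*@}"
    dc="$(dc_for_mail_domain "$domain")" || return 1
    filter="(mail=$(ldap_escape "$mail"))"
    # awk does the job of grep|sed: print the attribute value, fail if absent.
    "$NET_CMD" ads search -S "$dc" -P "$filter" sAMAccountName \
        | awk '$1 == "sAMAccountName:" { print $2; found = 1 }
               END { exit found ? 0 : 1 }'
}

# Run directly with an address as the argument; otherwise only define helpers.
if [ $# -gt 0 ]; then
    sam_from_mail "$1"
fi
```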


