Multi-domain AD and Users Who Aren't So Bright

Phil Mayers p.mayers at imperial.ac.uk
Fri Feb 3 13:48:30 CET 2012


On 02/02/2012 05:33 PM, NdK wrote:
> Il 02/02/2012 13:35, McNutt, Justin M. ha scritto:
>
>> Thoughts?  Opinions?  Better ways to accomplish any/all of this?
>>
>> Briefly, there's probably not much you can do to improve this. If you
>> have such a complex domain environment, you're going to have to write
>> complex policies OR mandate your users always use the correct "DOM\user"
>> format.
> Or make 'em use their institutional email address. Easier to remember :)

This doesn't work, unless username == email local part.

> Seems trivial but it might not be. At least in our case we have 3 kinds
> of email addresses, referring to 2 domains. And the name before the '@'
> sign might not be the same as the sAMAccountName.

Exactly. And this name is mixed into the challenge/response. If you try 
to use email addresses, the client will calculate:

   response = crypto(challenge, e.mail@domain.com, password)

Let's assume you map email -> username on your radius servers:

   Real-Username = some_lookup(User-Name)

...and you then call ntlm_auth, this basically asks the domain controllers:

   is_valid(Real-Username, challenge, response)

The domain controllers do this:

   expected_response = crypto(challenge, samaccountname, stored_password)
   if response != expected_response:
     error
   else
     success

See the problem? The domain controller performs its crypto calculation 
on the samaccountname. The client performs its crypto on the email 
addresses. The results differ, and authentication fails.

Basically, usernames != email address, unless you MAKE them the same.
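The name binding described above, shown as an added illustration (not code from the post or from FreeRADIUS): in MS-CHAPv2 the 8-octet Challenge that the NT-Response is computed over is SHA-1(PeerChallenge || AuthenticatorChallenge || UserName) truncated to 8 octets (RFC 2759, section 8.2), so the name the client typed is baked in before any password material is used. The challenge bytes and the names `e.mail@domain.com` / `emailuser` are constructed sample values.

```python
import hashlib


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: str) -> bytes:
    """MS-CHAPv2 ChallengeHash (RFC 2759 s8.2): 8 octets the NT-Response is built over."""
    if len(peer_challenge) != 16 or len(auth_challenge) != 16:
        raise ValueError("PeerChallenge and AuthenticatorChallenge are 16 octets each")
    sha = hashlib.sha1()
    sha.update(peer_challenge)
    sha.update(auth_challenge)
    # RFC 2759: only the user name as presented by the peer (excluding any
    # prefixed domain name) is fed into the hash.
    sha.update(username.encode("ascii"))
    return sha.digest()[:8]


def dc_will_match(client_name: str, dc_name: str,
                  peer_challenge: bytes, auth_challenge: bytes) -> bool:
    """True only if the DC recomputes the same Challenge the client used.

    The DES step that follows (over the NT password hash) is deterministic in
    this Challenge, so a different Challenge yields a different NT-Response
    even when the password is correct.
    """
    return (challenge_hash(peer_challenge, auth_challenge, client_name)
            == challenge_hash(peer_challenge, auth_challenge, dc_name))


# Constructed sample challenges, not taken from any real exchange.
PEER = bytes.fromhex("00112233445566778899aabbccddeeff")
AUTH = bytes.fromhex("ffeeddccbbaa99887766554433221100")

if __name__ == "__main__":
    # Client hashed the e-mail address; RADIUS mapped it to the sAMAccountName
    # before calling ntlm_auth, so the DC hashes a different string.
    print("email vs sAMAccountName:",
          dc_will_match("e.mail@domain.com", "emailuser", PEER, AUTH))
    # Only when both sides use the same name do the Challenges (and responses) agree.
    print("same name on both sides:",
          dc_will_match("emailuser", "emailuser", PEER, AUTH))
```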



More information about the Freeradius-Users mailing list