Multi-domain AD and Users Who Aren't So Bright

McNutt, Justin M. McNuttJ at missouri.edu
Sun Feb 12 23:54:11 CET 2012


I'm not sure why, then, but it actually does work.  We have shown that with the client configured to use "user at e.mail.address" (where e.mail.address is NOT the same as the AD domain), if I have FR look for 'e.mail.address' and translate it to the correct NT domain, authentication succeeds.

The user name must not be part of the crypto calculation or it would fail.  I've been able to "correct" all kinds of things in the user name and set the domain manually to whatever I want.  As long as I supply the correct password on the client side to what I happen to know the RADIUS server has mapped my ID to, authentication is successful.

--J

From: Phil Mayers <p.mayers at imperial.ac.uk>
Reply-To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Date: Fri, 3 Feb 2012 12:48:30 +0000
To: <freeradius-users at lists.freeradius.org>
Subject: Re: Multi-domain AD and Users Who Aren't So Bright

On 02/02/2012 05:33 PM, NdK wrote:
On 02/02/2012 13:35, McNutt, Justin M. wrote:

Thoughts?  Opinions?  Better ways to accomplish any/all of this?

Briefly, there's probably not much you can do to improve this. If you
have such a complex domain environment, you're going to have to write
complex policies OR mandate your users always use the correct "DOM\user"
format.
Or make 'em use their institutional email address. Easier to remember :)

This doesn't work, unless username == email local part.

Seems trivial but it might not be. At least in our case we have 3 kinds
of email addresses, referring to 2 domains. And the name before the '@'
sign might not be the same as the sAMAccountName.

Exactly. And this name is mixed into the challenge/response. If you try
to use email addresses, the client will calculate:

   response = crypto(challenge, e.mail at domain.com, password)

Let's assume you map email -> username on your radius servers:

   Real-Username = some_lookup(User-Name)

...and you then call ntlm_auth, this basically asks the domain controllers:

   is_valid(Real-Username, challenge, response)

The domain controllers do this:

   expected_response = crypto(challenge, samaccountname, stored_password)
   if response != expected_response:
     error
   else
     success

See the problem? The domain controller performs its crypto calculation
on the samaccountname. The client performs its crypto on the email
addresses. The results differ, and authentication fails.

Basically, usernames != email address, unless you MAKE them the same.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
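Phil's pseudocode folds the name into a single crypto() step; RFC 2759 actually splits MS-CHAPv2 into two primitives, and seeing which of them the name enters explains both his argument and the experiment described at the top of this message. The Go program below is an added example written for this page, not code from the thread or from FreeRADIUS. It implements ChallengeHash() and ChallengeResponse() from RFC 2759, checks them against the test vectors in the RFC's section 9.2, and then walks through a constructed version of the thread's setup (the address j.smith@e.mail.address, the account jsmith and the mapping between them are assumptions; the "stored" NT hash simply reuses the RFC value) to show where each name goes: the client and the RADIUS server both feed the name the client sent into ChallengeHash(), while what reaches the domain controller through ntlm_auth is only the 8-byte challenge, the 24-byte NT-Response and the account to look up, with no name in the comparison.

```go
package main

import (
	"crypto/des"
	"crypto/sha1"
	"fmt"
)

// challengeHash is ChallengeHash() from RFC 2759 section 8.2: SHA-1 over
// PeerChallenge || AuthenticatorChallenge || UserName, cut to 8 bytes. The
// name is the UserName string exactly as the client put it on the wire.
func challengeHash(peer, auth [16]byte, userName string) [8]byte {
	h := sha1.New()
	h.Write(peer[:])
	h.Write(auth[:])
	h.Write([]byte(userName))
	var out [8]byte
	copy(out[:], h.Sum(nil)[:8])
	return out
}

// desKey spreads a 7-byte key over 8 bytes, seven key bits per byte, leaving
// the low (parity) bit position to DES, which ignores it. This is the key
// setup inside RFC 2759's DesEncrypt() (Samba calls it str_to_key()).
func desKey(k [7]byte) []byte {
	return []byte{
		k[0] & 0xFE, k[0]<<7 | k[1]>>1, k[1]<<6 | k[2]>>2, k[2]<<5 | k[3]>>3,
		k[3]<<4 | k[4]>>4, k[4]<<3 | k[5]>>5, k[5]<<2 | k[6]>>6, k[6] << 1,
	}
}

// ntResponse is ChallengeResponse() from RFC 2759 section 8.5: the 16-byte NT
// hash is zero-padded to 21 bytes, split into three 7-byte DES keys, and each
// key encrypts the 8-byte challenge. Note what is absent here: any user name.
func ntResponse(chal [8]byte, ntHash [16]byte) [24]byte {
	var zpad [21]byte
	copy(zpad[:], ntHash[:])
	var resp [24]byte
	for i := 0; i < 3; i++ {
		var k [7]byte
		copy(k[:], zpad[i*7:i*7+7])
		blk, err := des.NewCipher(desKey(k))
		if err != nil {
			panic(err) // only possible for a wrong key length
		}
		blk.Encrypt(resp[i*8:i*8+8], chal[:])
	}
	return resp
}

// Known-answer values from RFC 2759 section 9.2 (UserName "User").
var (
	rfcAuth = [16]byte{0x5B, 0x5D, 0x7C, 0x7D, 0x7B, 0x3F, 0x2F, 0x3E,
		0x3C, 0x2C, 0x60, 0x21, 0x32, 0x26, 0x26, 0x28}
	rfcPeer = [16]byte{0x21, 0x40, 0x23, 0x24, 0x25, 0x5E, 0x26, 0x2A,
		0x28, 0x29, 0x5F, 0x2B, 0x3A, 0x33, 0x7C, 0x7E}
	rfcHash = [16]byte{0x44, 0xEB, 0xBA, 0x8D, 0x53, 0x12, 0xB8, 0xD6,
		0x11, 0x47, 0x44, 0x11, 0xF5, 0x69, 0x89, 0xAE}
	rfcChal = [8]byte{0xD0, 0x2E, 0x43, 0x86, 0xBC, 0xE9, 0x12, 0x26}
	rfcResp = [24]byte{0x82, 0x30, 0x9E, 0xCD, 0x8D, 0x70, 0x8B, 0x5E,
		0xA0, 0x8F, 0xAA, 0x39, 0x81, 0xCD, 0x83, 0x54,
		0x42, 0x33, 0x11, 0x4A, 0x3D, 0x85, 0xD6, 0xDF}
)

// rfcVectorsMatch reports whether the two primitives reproduce the RFC values.
func rfcVectorsMatch() bool {
	chal := challengeHash(rfcPeer, rfcAuth, "User")
	return chal == rfcChal && ntResponse(chal, rfcHash) == rfcResp
}

// Constructed walk-through of the thread's setup: names and mapping are
// assumptions, and the "stored" hash reuses the RFC value above.

// directory stands in for the DC's account store: sAMAccountName -> NT hash.
var directory = map[string][16]byte{"jsmith": rfcHash}

// mapToAccount is the RADIUS-side lookup (e-mail address -> account name).
func mapToAccount(wireName string) string {
	if acct, ok := map[string]string{"j.smith@e.mail.address": "jsmith"}[wireName]; ok {
		return acct
	}
	return wireName
}

// dcCheck is the domain controller's share, as ntlm_auth hands it over: an
// account to look up, the 8-byte challenge and the 24-byte response. The
// name the client typed does not enter this computation at all.
func dcCheck(account string, chal [8]byte, resp [24]byte) bool {
	hash, ok := directory[account]
	return ok && ntResponse(chal, hash) == resp
}

// radiusCheck is the RADIUS server's share: rebuild the 8-byte challenge hash
// from the two 16-byte challenges and nameForHash, then ask the DC about the
// mapped account. nameForHash is a parameter so that both choices can be tried.
func radiusCheck(wireName, nameForHash string, peer, auth [16]byte, resp [24]byte) bool {
	return dcCheck(mapToAccount(wireName), challengeHash(peer, auth, nameForHash), resp)
}

func main() {
	typed := "j.smith@e.mail.address" // what the user entered on the client
	resp := ntResponse(challengeHash(rfcPeer, rfcAuth, typed), rfcHash) // client's NT-Response
	fmt.Println("RFC 2759 vectors reproduce:", rfcVectorsMatch())
	fmt.Println("server hashes the wire name, DC checks mapped account:",
		radiusCheck(typed, typed, rfcPeer, rfcAuth, resp))
	fmt.Println("server hashes the mapped name instead:",
		radiusCheck(typed, mapToAccount(typed), rfcPeer, rfcAuth, resp))
}
```

The second line prints true and the third false: the account the server maps to can be anything it likes, as long as the server hashes the User-Name as received rather than the mapped name. A FreeRADIUS policy of this kind therefore has to leave the User-Name that rlm_mschap feeds into the challenge hash untouched and supply the mapped account only where the ntlm_auth command line takes its user name.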