Multi-domain AD and Users Who Aren't So Bright

NdK ndk.clanbo at gmail.com
Mon Feb 13 10:34:27 CET 2012


On 12/02/2012 23:54, McNutt, Justin M. wrote:
> I'm not sure why, then, but it actually does work.  We have shown that with the client configured to use "user at e.mail.address" (where e.mail.address is NOT the same as the AD domain), if I have FR look for 'e.mail.address' and translate it to the correct NT domain, authentication succeeds.
See Phil's answer on Feb 03 18:57 ...
That's because domains (both NT-like and Kerberos-like) get stripped
from crypto ops. Too bad you can't change user name when calling
ntlm_auth (that's what I'd have to do for users with a UPN change).

> The user name must not be part of the crypto calculation or it would fail.  I've been able to "correct" all kinds of things in the user name and set the domain manually to whatever I want.  As long as I supply the correct password on the client side to what I happen to know the RADIUS server has mapped my ID to, authentication is successful.
The 'user' *is* part of the crypto. '@e.mail.address' (or 'DOMAIN\') is not.

BYtE,
 Diego.
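The stripping rule the thread argues over can be checked directly. The following is an added example (not code from the thread or from FreeRADIUS) computing the MS-CHAPv2 ChallengeHash of RFC 2759 section 8.2, which feeds only the user name, excluding any prefixed NT domain, into the SHA-1; it assumes ASCII user names and uses constructed challenge bytes.

```python
# Added example (not from the thread): MS-CHAPv2 ChallengeHash per RFC 2759 s8.2,
# showing which part of the user name actually enters the crypto.
import hashlib


def strip_nt_domain(user_name: str) -> str:
    """RFC 2759: only the user name, excluding any prefixed 'DOMAIN\\', feeds ChallengeHash."""
    backslash = user_name.rfind("\\")
    return user_name[backslash + 1:] if backslash >= 0 else user_name


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, user_name: str) -> bytes:
    """ChallengeHash = first 8 bytes of SHA1(PeerChallenge || AuthenticatorChallenge || UserName)."""
    if len(peer_challenge) != 16 or len(auth_challenge) != 16:
        raise ValueError("MS-CHAPv2 challenges are 16 bytes each")
    # Assumption: ASCII user names; the stripped name is what the peer hashed.
    name = strip_nt_domain(user_name).encode("ascii")
    return hashlib.sha1(peer_challenge + auth_challenge + name).digest()[:8]


# Constructed sample challenges (not captured traffic).
PEER_CHALLENGE = bytes(range(16))
AUTH_CHALLENGE = bytes(range(16, 32))


def same_challenge(name_a: str, name_b: str) -> bool:
    """True when two user-name spellings yield the same 8-byte challenge, i.e. the same NT-Response."""
    return challenge_hash(PEER_CHALLENGE, AUTH_CHALLENGE, name_a) == \
        challenge_hash(PEER_CHALLENGE, AUTH_CHALLENGE, name_b)


if __name__ == "__main__":
    print(same_challenge("CORP\\jdoe", "jdoe"))   # True: the NT domain prefix is ignored
    print(same_challenge("jdoe", "jdoe2"))        # False: the user part does matter
```

Because the 8-byte challenge is what the NT-Response is derived from, a server that rewrites the domain prefix still validates the response, while a server that rewrites the user part does not.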


