Changing domain for ntlm_auth

NdK ndk.clanbo at
Wed Jan 25 15:36:59 CET 2012

Il 25/01/2012 12:48, Alan DeKok ha scritto:

>> To let (most (*)) users login with their e-mail address, I'd need to
>> "translate" the realm part to a domain.
>   I'm not sure why.
Because KRB5-domain and DNS-domain are different in my setup. And I
can't change it.

>> So I added to proxy.conf :
> ...
>> realm "~^studio\\.unibo\\.it" {
>>     Realm := "STUDENTI"
>> }
>   Huh?  NOTHING in the documentation or examples says that should work.
>    It won't work.  Don't do it.

>> What I thought it would do was "if user name is like ''
>> then set REALM to be local 'STUDENTI'" but obviously I was wrong...
>   The server documentation describes how it works.  Follow the
> documentation to configure it.
But what should I do? In other words, *which* doc should I follow? How
is the needed feature named?

>   I'm not sure you can change the domain for PEAP with ntlm_auth.  The
> domain is *also* in the MS-CHAP data.  So changing it in the arguments
> to ntlm_auth will likely not work.
I *think* it works by omitting the domain from checks, just like when
considering NT domain...

>> If I authenticate using user at PERSONALE it works perfectly. What am I
>> missing?
>   It doesn't work the way you think it works.  It works the way it's
> documented to work.
I know. But I couldn't find the doc to read...

>> (*) Just 'most' users since I couldn't yet find a way to use the UPN, so
>> users whose UPN have been changed must login with their 'base' name.
>> Don't think there's an easy fix for this, since even joined win machines
>> *sometimes* refuse the changed UPN...
>   Have the users change their login domain.
Those "pathologic" cases have to change. But it's usually much better to
let 99% of the users authenticate in the same way on all the services...


More information about the Freeradius-Users mailing list