Freeradius-Users Digest, Vol 134, Issue 11
Matthew Newton
mcn4 at leicester.ac.uk
Mon Jun 6 23:45:59 CEST 2016
On Mon, Jun 06, 2016 at 09:01:15PM +0000, Shawn Wilson wrote:
> The ntlm_auth command will not authenticate against alternate
> active directory UPN You must use the original active directory
> domain name.
>
> I realize this is not a freeradius problem but a Samba problem.
Actually, sounds like a Microsoft problem to me...
> Still, I was wondering if there was an elegant way to configure
> freeradius to work around this limitation.
>
> For the time being, I did a brutal hack to get it to work:
...
> ntlm_auth = "/usr/local/bin/ntlm_auth_UPN %{%{Stripped-User-Name}:-%{%{User-Name}:-None}} %{realm} %{%{mschap:Challenge}:-00} %{%{mschap:NT-Response}:-00}"
...
> exec /usr/bin/ntlm_auth --request-nt-key --username=${USERNAME} --domain=${DOMAIN} --challenge=${CHALLENGE} --nt-response=${NT_RESPONSE}
This means you're execing two processes each time. ntlm_auth
doesn't scale well, and this won't help.
Just update a local attribute (e.g. Tmp-String-1) in unlang (e.g.
switch) with the required data and pass that through to ntlm_auth.
Or use recent FreeRADIUS+Samba and use winbind_username /
winbind_domain instead to skip ntlm_auth altogether.
Matthew
--
Matthew Newton, Ph.D. <mcn4 at le.ac.uk>
Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
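The unlang approach suggested in the reply above, as an added example that is not from this thread: the realm-to-domain mapping lives in a switch that sets control:Tmp-String-1, and the mschap module hands that to a single ntlm_auth call, so no wrapper script receives the request-derived user name. The realm and NetBIOS domain names are constructed, and the suffix (realm) module is assumed to have already split user@realm and set the Realm attribute.

```text
# sites-enabled/default, authorize section (fragment; names are constructed)
authorize {
    # splits user@realm, sets Stripped-User-Name and Realm
    suffix

    # map each UPN suffix users log in with to the real AD domain name
    switch "%{Realm}" {
        case "corp.example.com" {
            update control {
                Tmp-String-1 := "CORP"
            }
        }
        case "alt.example.net" {
            # alternate UPN suffix in the same forest: same NetBIOS domain
            update control {
                Tmp-String-1 := "CORP"
            }
        }
        case {
            # unknown realm: fall back to the Realm value itself
            update control {
                Tmp-String-1 := "%{Realm}"
            }
        }
    }

    mschap
}

# mods-available/mschap: one exec of ntlm_auth per request, domain taken
# from the attribute set above rather than from a shell wrapper
mschap {
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --domain=%{%{control:Tmp-String-1}:-%{Realm}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
}
```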