infamous AD integration
A.L.M.Buxey at lboro.ac.uk
Thu Jun 16 09:10:21 CEST 2016
Hi,
> What I'm hoping to have might be a bit nonstandard(?) - it might be
> that I don't need that, that I don't need full domain name.
so ensure your realm is being handled
> (2) suffix : Looking up realm "my.domain.local" for User-Name =
> "pe243 at my.domain.local"
> (2) suffix : No such realm "my.domain.local"
add
realm my.domain.local {
	strip
}
to proxy.conf
now, when suffix runs, it will see your realm, know to deal with it locally
but also populate pe243 as Stripped-User-Name which then means that:
> (2) mschap : Client is using MS-CHAPv1 with NT-Password
> Executing: /usr/bin/ntlm_auth --request-nt-key
> --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
> --challenge=%{%{mschap:Challenge}:-00}
> --nt-response=%{%{mschap:NT-Response}:-00}:
> (2) mschap : EXPAND
> --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
> (2) mschap : --> --username=pe243 at my.domain.local
--username will now be the right value with no realm
if, however, you do need to use the realm then you need to ensure that, on command line,
ntlm_auth works with the realm - usually done by adding the realm as a UPN in AD
alan
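
The realm lookup and the --username expansion discussed in the message above, as an added example that is not part of the original post and is not FreeRADIUS code. It is a simplified Python model: the function names, the realms dictionary and the strip flag are assumptions made for illustration, and strip set to False stands in for a realm that is kept on the username.

```python
# Simplified model of the behaviour in the thread; not FreeRADIUS source code.
NTLM_USERNAME_ARG = "--username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}"

def _expansion(s, i, attrs):
    """Evaluate one %{...}; i points just past the opening '%{'."""
    if s.startswith("%{", i):                  # nested expansion
        value, i = _expansion(s, i + 2, attrs)
    else:                                      # bare attribute name
        j = i
        while j < len(s) and s[j] != "}" and not s.startswith(":-", j):
            j += 1
        value, i = attrs.get(s[i:j], ""), j
    if s.startswith(":-", i):                  # %{a:-b}: use b when a is empty
        alt, i = _text(s, i + 2, attrs, "}")
        value = value or alt
    return value, i + 1                        # skip the closing '}'

def _text(s, i, attrs, stop):
    """Expand literal text and %{...} until `stop` or the end of the string."""
    out = []
    while i < len(s) and s[i] != stop:
        if s.startswith("%{", i):
            value, i = _expansion(s, i + 2, attrs)
            out.append(value)
        else:
            out.append(s[i])
            i += 1
    return "".join(out), i

def xlat(template, attrs):
    return _text(template, 0, attrs, None)[0]

def suffix(attrs, realms, delimiter="@"):
    """Model of the suffix realm lookup: split on the last delimiter."""
    user, sep, realm = attrs["User-Name"].rpartition(delimiter)
    out = dict(attrs)
    if sep and realm in realms:                # otherwise: "No such realm"
        out["Realm"] = realm
        if realms[realm].get("strip", True):
            out["Stripped-User-Name"] = user
    return out

def ntlm_username(user_name, realms):
    return xlat(NTLM_USERNAME_ARG, suffix({"User-Name": user_name}, realms))

USER = "pe243@my.domain.local"  # constructed; the archive shows '@' as ' at '
print(ntlm_username(USER, {}))                                     # unknown realm
print(ntlm_username(USER, {"my.domain.local": {"strip": True}}))   # stripped
print(ntlm_username(USER, {"my.domain.local": {"strip": False}}))  # realm kept
```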