infamous AD integration

A.L.M.Buxey at A.L.M.Buxey at
Thu Jun 16 09:10:21 CEST 2016


> What I'm hoping to have might be a bit nonstandard(?) - it might be
> that I don't need that, that I don't need full domain name.

so ensure your realm is being handled

> (2)  suffix : Looking up realm "my.domain.local" for User-Name =
> "pe243@my.domain.local"
> (2)  suffix : No such realm "my.domain.local"


realm my.domain.local {
}

to proxy.conf

now, when suffix runs, it will see your realm, know to deal with it locally
but also populate pe243 as Stripped-User-Name which then means that:

> (2)  mschap : Client is using MS-CHAPv1 with NT-Password
> Executing: /usr/bin/ntlm_auth --request-nt-key
> --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
> --challenge=%{%{mschap:Challenge}:-00}
> --nt-response=%{%{mschap:NT-Response}:-00}:
> (2)  mschap : EXPAND
> --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
> (2)  mschap :    --> --username=pe243@my.domain.local

--username will now be the right value with no realm

if, however, you do need to use the realm then you need to ensure that, on command line,
ntlm_auth works with the realm - usually done by adding the realm as a UPN in AD
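
The behaviour described in this message, as a simplified Python model added here (not FreeRADIUS code and not part of the original post). It assumes suffix splits User-Name at the last "@" and sets Stripped-User-Name only when the realm is defined, and that the --username expansion falls back from Stripped-User-Name to User-Name to "None"; all function names are hypothetical.

```python
# Simplified model (added example) of the "suffix" realm handling and the
# --username expansion shown in the debug output. Not FreeRADIUS source code.

def suffix(request, known_realms, delimiter="@"):
    """Split User-Name at the last delimiter; strip only for a defined realm."""
    user, sep, realm = request["User-Name"].rpartition(delimiter)
    if not sep:
        return False                  # User-Name carries no realm part
    if realm not in known_realms:
        return False                  # debug shows: No such realm "..."
    request["Realm"] = realm
    request["Stripped-User-Name"] = user
    return True


def ntlm_username(request):
    """Evaluate %{%{Stripped-User-Name}:-%{%{User-Name}:-None}}."""
    return (request.get("Stripped-User-Name")
            or request.get("User-Name")
            or "None")


def ntlm_auth_argv(request):
    """Argument list handed to ntlm_auth (challenge/response omitted here)."""
    return ["/usr/bin/ntlm_auth", "--request-nt-key",
            "--username=" + ntlm_username(request)]


def run(user_name, known_realms):
    """Return (realm matched?, value that ends up in --username)."""
    request = {"User-Name": user_name}
    matched = suffix(request, known_realms)
    return matched, ntlm_username(request)


if __name__ == "__main__":
    name = "pe243@my.domain.local"            # constructed from the debug log
    # Realm missing from proxy.conf: the full name reaches ntlm_auth.
    print(run(name, set()))
    # Realm defined in proxy.conf: only the bare user name is passed on.
    print(run(name, {"my.domain.local"}))
    # No realm typed by the user: User-Name is used unchanged.
    print(run("pe243", {"my.domain.local"}))
```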

