force/require @domain/part

Alan DeKok aland at
Wed Jun 22 14:43:11 CEST 2016

On Jun 22, 2016, at 5:12 AM, lejeczek via Freeradius-Users <freeradius-users at> wrote:
> Alan, when I try what you shared earlier it works, almost perfect, probably because my (unusual?) setup it fails in one place.
> Here is what I'm hoping to achieve - local domain (freeipa's ldap) and samba being a client to an AD (all same one box)
> Radius' a) ldap backend, b) ntlm/winbind backend to AD

  That works.  Other people use it.

> Now radius authentication fails like I wanted, if auth request does not include @realm. Config (default) goes like this:
> authorize
> ..
>  ntlm_auth
>  if (&User-Name !~ /$/i) {
>     reject
>   }

  That's sort of OK.  But you should put the username check *before* the ntlm_auth line.  That way if the User-Name is wrong, then ntlm_auth won't even be run.

> It fails now for users like "me" which do exist in ldap (again, all local, locally freeipa ldap). I see ldap is being tried but then radius moves over to ntlm and fails.
> Care to share more thoughts - I'll be grateful.

  What is *supposed* to happen?  Do you know?

  i.e. have you written down what's supposed to happen in plain English?  No?  Then don't expect to be able to configure FreeRADIUS correctly.

  Write down what needs to happen.  Be detailed.  Then, implement it unlang.

  If you're not sure what to do, ask here.  But ask questions with *content*.  Saying "I need freeipa LDAP and AD" is pretty much content free.  WHAT users use freeipa?  What users use AD?  How are those User-Names different?

  Alan DeKok.

More information about the Freeradius-Users mailing list