Kerberos realm vs NT domain

Alan DeKok aland at deployingradius.com
Thu Jan 17 15:07:30 CET 2019


On Jan 17, 2019, at 4:26 AM, WAGHORN, Jason (NHS BORDERS) via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> 
> Hello all, apologies for this - I'm having an issue where I have a single Kerberos realm (published as the RADIUS realm) but multiple AD containers behind that, within which the users sit. The RADIUS/Kerberos server is joined to the domain and authentication via ntlm_auth works for both containers (if one specifies the container explicitly)

  AD doesn't handle multiple domains very well.

  i.e. if all of the domains are in the AD forest, it's OK.  If you need to use different AD forests for different domains, it's hard.

> # ntlm_auth --username=testusera --domain=a.example.com
> Password:
> NT_STATUS_OK: The operation completed successfully. (0x0)
> # ntlm_auth --username=testuserb --domain=b.example.com
> Password:
> NT_STATUS_OK: The operation completed successfully. (0x0)
> #
> 
> So: Kerberos/RADIUS realm = example.com; users are in containers a.example.com & b.example.com
> 
> Can I use the krb5.conf to handle the users as "user at example.com" and automatically have it try both containers (i.e. a.example.com & b.example.com)?

  The "krb5" module in the server just connects to a kerberos server.  It doesn't really know about domains.

  If you need to connect to 2 different kerberos servers, configure two krb5 modules.  Then, select one or the other based on the domain.

> I'm surmising that I need to do this in the realms and/or domain_realm sections - but the documentation isn't making a whole lot of sense to me at this stage (could be related to a caffeine deficit)

  TBH, I'm not clear what you want.

  Why not just use ntlm_auth if that works?

  Alan DeKok.
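As an added example, not part of the original thread and not Alan's or the FreeRADIUS project's own configuration, here is one way to express "two krb5 modules, selected by domain" in FreeRADIUS 3.x syntax. The keytab paths, service principals, realm names and file layout are assumptions for illustration. The example also assumes that rlm_krb5 builds the Kerberos principal by parsing the User-Name attribute (so a missing realm part falls back to the default realm in krb5.conf), which is why the realm is rewritten to the upper-case form Kerberos expects before each instance runs.

```conf
#
#  mods-available/krb5: one rlm_krb5 instance per KDC.  Paths, SPNs and
#  realm names are assumptions for illustration, not the poster's values.
#
#  keytab + service_principal let the module verify the KDC's reply
#  against a known key, rather than merely obtaining a TGT from whatever
#  answers on port 88; leave them out and a spoofed KDC can return a
#  "valid" ticket for any password.
#
krb5 krb5_a {
	keytab = /etc/freeradius/krb5/radius-a.keytab
	service_principal = radius/radius.a.example.com@A.EXAMPLE.COM

	pool {
		start = ${thread[pool].start_servers}
		min = ${thread[pool].min_spare_servers}
		max = ${thread[pool].max_servers}
		spare = ${thread[pool].max_spare_servers}
		uses = 0
		lifetime = 0
		idle_timeout = 60
	}
}

krb5 krb5_b {
	keytab = /etc/freeradius/krb5/radius-b.keytab
	service_principal = radius/radius.b.example.com@B.EXAMPLE.COM

	pool {
		start = ${thread[pool].start_servers}
		min = ${thread[pool].min_spare_servers}
		max = ${thread[pool].max_servers}
		spare = ${thread[pool].max_spare_servers}
		uses = 0
		lifetime = 0
		idle_timeout = 60
	}
}

#
#  proxy.conf: local realms (no authhost), so "suffix" splits
#  user@a.example.com into Stripped-User-Name and Realm but nothing
#  is proxied.
#
realm a.example.com {
}
realm b.example.com {
}

#
#  sites-enabled/default (only the relevant parts shown).
#
authorize {
	suffix

	#  Take the Kerberos path only for the two known realms, and only
	#  when a cleartext password is present: rlm_krb5 needs
	#  User-Password, so MS-CHAP clients still have to use ntlm_auth.
	if ((&Realm == "a.example.com" || &Realm == "b.example.com") && &User-Password) {
		update control {
			&Auth-Type := Kerberos
		}
	}
}

authenticate {
	Auth-Type Kerberos {
		switch &Realm {
			case "a.example.com" {
				#  Canonical principal: realm names are
				#  case-sensitive and conventionally upper-case.
				update request {
					&User-Name := "%{Stripped-User-Name}@A.EXAMPLE.COM"
				}
				krb5_a
			}
			case "b.example.com" {
				update request {
					&User-Name := "%{Stripped-User-Name}@B.EXAMPLE.COM"
				}
				krb5_b
			}
			case {
				#  Unknown realm: fail closed rather than
				#  trying every KDC in turn.
				reject
			}
		}
	}
}
```

The rewrite of User-Name happens inside the authenticate section, so it does not disturb the earlier realm split; if the original name must be preserved for logging or accounting, copy it to a session-state or control attribute before the update. Test each branch with radtest against a user in each container and confirm in debug output (radiusd -X) that the expected instance, and only that instance, is invoked.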
