Kerberos realm vs NT domain

WAGHORN, Jason (NHS BORDERS) j.waghorn1 at nhs.net
Thu Jan 17 15:56:35 CET 2019


Hi

Here is what I'm trying to do:

It's for a govroam RADIUS - locally it needs to authenticate against AD. 95% of the users are in one container, 5% in another. In an ideal world I'd like 100% of users to be able to authenticate; I'd be delighted to get 95% working and move the other 5% to be in the same container...

RADIUS realm = example.com
AD domains = a.example.com & b.example.com

If I use ntlm_auth from the command line of the RADIUS server and explicitly specify the domain a.example.com then authentication is successful.
If I use ntlm_auth from the command line of the RADIUS server and don't specify the domain a.example.com then authentication is unsuccessful.

If I use a radius client as user@example.com and the user is valid in AD domain a.example.com then FR returns

(7) mschap: ERROR: Program returned code (1) and output 'The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)'
(7) mschap: External script failed
(7) mschap: ERROR: External script says: The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)
(7) mschap: ERROR: MS-CHAP2-Response is incorrect

My supposition is that I'm not passing the correct AD domain to authenticate but I cannot fathom where I need to modify the config to make that translation.

Cheers

Jason

Jason Waghorn
Senior Infrastructure Engineer


-----Original Message-----
From: Freeradius-Users [mailto:freeradius-users-bounces+j.waghorn1=nhs.net at lists.freeradius.org] On Behalf Of Alan DeKok
Sent: 17 January 2019 14:08
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Subject: Re: Kerberos realm vs NT domain

On Jan 17, 2019, at 4:26 AM, WAGHORN, Jason (NHS BORDERS) via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
>
> Hello all, apologies for this - I'm having an issue where I have a
> single Kerberos realm (published as the RADIUS realm) but multiple AD
> containers behind that, within which the users sit. The
> RADIUS/Kerberos server is joined to the domain and authentication via
> ntlm_auth works for both containers (if one specifies the container
> explicitly)

  AD doesn't handle multiple domains very well.

  i.e. if all of the domains are in the AD forest, it's OK.  If you need to use different AD forests for different domains, it's hard.

> # ntlm_auth --username=testusera --domain=a.example.com
> Password:
> NT_STATUS_OK: The operation completed successfully. (0x0)
> # ntlm_auth --username=testuserb --domain=b.example.com
> Password:
> NT_STATUS_OK: The operation completed successfully. (0x0)
> #
>
> So: Kerberos/RADIUS realm = example.com; users are in containers
> a.example.com & b.example.com
>
> Can I use the krb5.conf to handle the users as "user@example.com" and automatically have it try both containers (i.e. a.example.com & b.example.com)?

  The "krb5" module in the server just connects to a kerberos server.  It doesn't really know about domains.

  If you need to connect to 2 different kerberos servers, configure two krb5 modules.  Then, select one or the other based on the domain.

> I'm surmising that I need to do this in the realms and/or domain_realm
> sections - but the documentation isn't making a whole lot of sense to
> me at this stage (could be related to a caffeine deficit)

  TBH, I'm not clear what you want.

  Why not just use ntlm_auth if that works?

  Alan DeKok.
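The gap between the two ntlm_auth tests above (success with --domain, failure without) is the same gap the mschap module sees: it runs whatever ntlm_auth command line is configured in mods-available/mschap, and the stock line passes no --domain at all. The following is an added configuration example, not from this thread and not FreeRADIUS's shipped default; the ntlm_auth option names and the %{mschap:...} expansions are the standard ones, while the path /usr/bin/ntlm_auth and the fixed domain a.example.com are assumptions made for the example.

```conf
# mods-available/mschap (added example; the ntlm_auth path and the
# fixed domain a.example.com are assumptions, not values from the thread)
mschap {
    use_mppe = yes
    require_encryption = yes
    require_strong = yes

    # Hand the AD domain to ntlm_auth explicitly, mirroring the
    # command-line test that succeeded. This covers the users held
    # in a.example.com; users in b.example.com would need a second
    # mschap instance whose line says --domain=b.example.com,
    # chosen from the authenticate section.
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --domain=a.example.com --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
}
```

Stripped-User-Name is only populated when the suffix realm module has matched "example.com" against a realm that proxy.conf marks as local; without that, the whole "user@example.com" string is passed as the username and the lookup fails regardless of the domain flag. Checking that with `radiusd -X` before touching the mschap line saves a round of guessing.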

