Adam
2009-Oct-09 14:16 UTC
[Samba] ntlm_auth, universal principal name, multi-domain active directory - can samba authenticate?
I posted a similar message on the freeradius list a few months ago and it was suggested I come here. Now that this effort is once again underway I am looking for some assistance.

We are trying to replace our existing AAA solution with FreeRadius. The user base is contained in an Active Directory single forest, multi-domain model. The only feature of samba that we need to leverage is ntlm_auth. All users log in via their UPN (user@company.net) regardless of which child domain they are in.

Can samba (specifically ntlm_auth) be configured to authenticate users against an AD forest (multi-domain) using the universal principal name (UPN), and if so, how?

Everything "appears" configured correctly. In fact, authentication using the "exec ntlm_auth" configuration works if the username and domain are specified for each of the child domains. Once we tried to use the UPN (without domain name) it does not. Currently the samba server is a member of one of the child domains. The REALM in smb.conf is set to this child domain (DEPT1.COMPANY.NET).

Going back to the command line for ntlm_auth tests resulted in the following.

Using a user account found in the DEPT1.COMPANY.NET child domain:

    ntlm_auth --username=user1                   WORKS
    ntlm_auth --username=user1 --domain=DEPT1    WORKS
    ntlm_auth --username=user1@company.net       DOES NOT WORK

Using a user account found in the DEPT2.COMPANY.NET child domain:

    ntlm_auth --username=user2                   DOES NOT WORK
    ntlm_auth --username=user2 --domain=DEPT2    WORKS
    ntlm_auth --username=user2@company.net       DOES NOT WORK

The error received is:

    NT_STATUS_NO_SUCH_USER: No such user (0xc0000064)

Hopefully this is enough information; if not, please let me know.

Adam
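The test matrix above shows that ntlm_auth accepts a bare user name only when it is paired with the right child domain, and that a forest-wide UPN suffix (company.net) gives it no hint about which child domain to ask. One way to work around that from the side that calls ntlm_auth is to strip the UPN suffix and retry the explicit `--domain=` form against each child domain in turn. The script below is an added example and is not code from the original post or from Samba; it assumes the two child domains named in the post (DEPT1, DEPT2) and that ntlm_auth is reachable through the `NTLM_AUTH` variable, which is overridable so the logic can be exercised on a box without winbind.

```shell
#!/bin/sh
# upn_auth.sh - authenticate a UPN login through ntlm_auth by trying each
# child domain with the explicit --domain form the post shows working.
# Added example, not from the original post. Assumptions: CHILD_DOMAINS
# lists the forest's child NetBIOS names; DEFAULT_DOMAIN is the domain the
# samba host is joined to; NTLM_AUTH points at the ntlm_auth binary (or a
# stand-in for offline testing).

NTLM_AUTH="${NTLM_AUTH:-ntlm_auth}"
CHILD_DOMAINS="${CHILD_DOMAINS:-DEPT1 DEPT2}"   # assumption: the post's two child domains
DEFAULT_DOMAIN="${DEFAULT_DOMAIN:-DEPT1}"        # assumption: REALM of the samba host

# split_upn LOGIN -> prints the part before '@'; returns 1 if LOGIN is not a UPN
split_upn() {
    case "$1" in
        *@*) printf '%s\n' "${1%%@*}" ;;
        *)   return 1 ;;
    esac
}

# auth_one USER DOMAIN PASSWORD -> exit 0 only if ntlm_auth reports success.
# ntlm_auth exits non-zero on any NT_STATUS_* failure, including
# NT_STATUS_NO_SUCH_USER, so the exit code is all we need here.
auth_one() {
    "$NTLM_AUTH" --username="$1" --domain="$2" --password="$3" >/dev/null 2>&1
}

# upn_auth LOGIN PASSWORD -> prints the domain that accepted the credentials,
# exit 1 if none did.
upn_auth() {
    login="$1"; pw="$2"
    if user=$(split_upn "$login"); then
        # A forest-wide UPN suffix carries no child-domain hint, so walk
        # the configured child domains with the explicit --domain form.
        for dom in $CHILD_DOMAINS; do
            if auth_one "$user" "$dom" "$pw"; then
                printf '%s\n' "$dom"
                return 0
            fi
        done
        return 1
    fi
    # Bare user name: behave like plain ntlm_auth and use the host's own domain.
    if auth_one "$login" "$DEFAULT_DOMAIN" "$pw"; then
        printf '%s\n' "$DEFAULT_DOMAIN"
        return 0
    fi
    return 1
}

# Stand-alone use: upn_auth.sh user2@company.net 'password'
if [ $# -eq 2 ]; then
    if dom=$(upn_auth "$1" "$2"); then
        echo "$1: accepted by $dom"
    else
        echo "$1: rejected by all of: $CHILD_DOMAINS" >&2
        exit 1
    fi
fi
```

Two caveats before wiring something like this into FreeRADIUS: every failed attempt against a domain that does not hold the account still counts against that domain's bad-password threshold once a same-named user exists there, so a forest with reused sAMAccountNames across child domains risks lockouts and needs a UPN-to-domain lookup (for example via the global catalog) rather than a blind walk; and the plaintext `--password=` form shown here only works for PAP-style checks, not for MS-CHAPv2, where FreeRADIUS passes the challenge and response instead.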