Steve Bluck
2019-Nov-12 21:17 UTC
[Samba] FreeRADIUS & SAMBA when Active Directory domain is not a FQDN
OS is Centos 7; FreeRADIUS Version 3.0.13; Samba version 4.9.1;

I'm building a FreeRADIUS box for Eduroam authentication for both SP & IDP, and have hit a stumbling block I can't figure or Google my way out of.

The issue is the local AD domain is along the lines of 'example.campus', but users have a UPN of 'user at example.com' which was added for Skype for Business as prior the UPN was 'user at example.campus'.

From the CLI I can check AD connectivity e.g.

# net ads info
LDAP server: 172.23.0.1
LDAP server name: DC01.EXAMPLE.CAMPUS
Realm: EXAMPLE.CAMPUS
Bind Path: dc=EXAMPLE,dc=CAMPUS
LDAP port: 389
Server time: Thu, 07 Nov 2019 14:50:04 NZDT
KDC server: 172.23.0.1
Server time offset: 0
Last machine account password change: Thu, 07 Nov 2019 13:31:09 NZDT

# wbinfo --ping-dc
checking the NETLOGON for domain[EXAMPLE] dc connection to "DC01.EXAMPLE.CAMPUS" succeeded

# getent passwd EXAMPLE\\[Domain user]
EXAMPLE\[Domain user]:*:37180:10513::/home/[Domain user]:/bin/bash

# getent group "EXAMPLE\\Block Internet Access"
EXAMPLE\block internet access:x:11646:

# wbinfo -a [Domain user]%[password]
plaintext password authentication failed
Could not authenticate user [Domain user]%[password] with plaintext password
challenge/response password authentication succeeded

# ntlm_auth --request-nt-key --domain=EXAMPLE --username=[Domain user]
Password:
NT_STATUS_OK: The operation completed successfully. (0x0)

When I run FreeRADIUS in debug, AD returns error code 0xC0000064 which translates to 'username does not exist' for the UPN.

I don't think this is an inter-domain trust as it is a single domain in the AD forest, & it appears that the authentication is done on the sAMAccountName?

Is there a way to set SAMBA up to check the UPN rather than the sAMAccountName?

Cheers
Steve
Rowland penny
2019-Nov-12 22:10 UTC
[Samba] FreeRADIUS & SAMBA when Active Directory domain is not a FQDN
On 12/11/2019 21:17, Steve Bluck via samba wrote:
> OS is Centos 7; FreeRADIUS Version 3.0.13; Samba version 4.9.1;
>
> I'm building a FreeRADIUS box for Eduroam authentication for both SP & IDP, and have hit a stumbling block I can't figure or Google my way out of.
>
> The issue is the local AD domain is along the lines of 'example.campus', but users have a UPN of 'user at example.com' which was added for Skype for Business as prior the UPN was 'user at example.campus'.

I am not a freeradius expert, but how about this, change the UPN back to what it should be 'user at example.campus' and then add a SPN for 'user at example.com'

Rowland
Steve Bluck
2019-Nov-13 20:07 UTC
[Samba] FreeRADIUS & SAMBA when Active Directory domain is not a FQDN
Hi Rowland,

Apologies for the tardy reply, I mistakenly set the mailing list to digest...

Thanks for the suggestion, I'll ask the AD guys about this but I have a feeling it is an unlikely solution as Office 365 & Skype for Business apparently rely on the UPN. Unfortunately the local domain is a result of following Microsoft's "Best Practice" in the early 2000's which has since changed.

Since I posted this I've found some suggestions around doing an LDAP lookup first and passing the results to ntlm_auth, so shall do some investigation on that.

Cheers
Steve

________________________________
From: Rowland penny <rpenny at samba.org>
Sent: Wednesday, 13 November 2019 11:10 AM
To: samba at lists.samba.org <samba at lists.samba.org>
Subject: Re: [Samba] FreeRADIUS & SAMBA when Active Directory domain is not a FQDN

On 12/11/2019 21:17, Steve Bluck via samba wrote:
> OS is Centos 7; FreeRADIUS Version 3.0.13; Samba version 4.9.1;
>
> I'm building a FreeRADIUS box for Eduroam authentication for both SP & IDP, and have hit a stumbling block I can't figure or Google my way out of.
>
> The issue is the local AD domain is along the lines of 'example.campus', but users have a UPN of 'user at example.com' which was added for Skype for Business as prior the UPN was 'user at example.campus'.

I am not a freeradius expert, but how about this, change the UPN back to what it should be 'user at example.campus' and then add a SPN for 'user at example.com'

Rowland
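The approach Steve mentions in his last reply (an LDAP lookup on the UPN first, then handing the result to ntlm_auth) combined with the working ntlm_auth invocation from his first post, written out as an added example. This is not code from the thread or from FreeRADIUS or Samba: the directory contents are constructed sample data, the LDAP search itself is left to an injected lookup function so the script runs offline, and the NetBIOS domain name EXAMPLE and the helper names are assumptions. The point it shows is that ntlm_auth wants a NetBIOS domain plus sAMAccountName, not a UPN, and that the identity a supplicant sends must be escaped before it is placed in an LDAP filter.

```python
"""Resolve the identity a RADIUS client sends into the (domain, sAMAccountName)
pair that ntlm_auth expects, using a UPN lookup (added illustration, not code
from the thread)."""
import subprocess
from typing import Callable, Optional, Tuple

# Constructed sample directory (assumption): userPrincipalName -> (NetBIOS domain, sAMAccountName).
# The second entry shows that the UPN prefix need not match the sAMAccountName.
SAMPLE_DIRECTORY = {
    "jdoe@example.com": ("EXAMPLE", "jdoe"),
    "asmith@example.com": ("EXAMPLE", "a.smith"),
}

Account = Optional[Tuple[str, str]]


def ldap_escape_filter(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515) so that a
    supplicant-supplied identity cannot change the structure of the filter."""
    table = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
    return "".join(table.get(ch, ch) for ch in value)


def upn_filter(upn: str) -> str:
    """Filter that selects the user object carrying this userPrincipalName."""
    return "(&(objectClass=user)(userPrincipalName=%s))" % ldap_escape_filter(upn)


def split_identity(identity: str) -> Tuple[str, str, str]:
    """Classify an incoming identity as DOMAIN\\user, user@suffix or bare user.
    Returns (kind, domain_or_suffix, user)."""
    if "\\" in identity:
        domain, user = identity.split("\\", 1)
        return ("netbios", domain, user)
    if "@" in identity:
        user, suffix = identity.rsplit("@", 1)
        return ("upn", suffix, user)
    return ("bare", "", identity)


def lookup_sample(upn: str) -> Account:
    """Stand-in for the LDAP search: a real deployment would run upn_filter(upn)
    against the DC and read sAMAccountName from the matching object."""
    return SAMPLE_DIRECTORY.get(upn.lower())


def resolve_for_ntlm_auth(identity: str, lookup: Callable[[str], Account],
                          default_domain: str = "EXAMPLE") -> Account:
    """Return (domain, sAMAccountName) for ntlm_auth, or None when the UPN is
    unknown (the caller should reject the request rather than guess)."""
    kind, domain, user = split_identity(identity)
    if kind == "netbios":
        return (domain.upper(), user)
    if kind == "bare":
        return (default_domain, user)
    return lookup(identity)


def ntlm_auth_argv(domain: str, username: str) -> list:
    """Argument vector for ntlm_auth as used in the thread; built as a list so
    it is passed to the process without shell interpretation."""
    return ["ntlm_auth", "--request-nt-key",
            "--domain=%s" % domain, "--username=%s" % username]


def run_ntlm_auth(domain: str, username: str) -> int:
    """Invoke ntlm_auth (needs a joined Samba host); returns its exit status."""
    return subprocess.run(ntlm_auth_argv(domain, username)).returncode


if __name__ == "__main__":
    for ident in ("jdoe@example.com", "EXAMPLE\\jdoe", "jdoe", "nobody@example.com"):
        print(ident, "->", resolve_for_ntlm_auth(ident, lookup_sample))
    print(upn_filter("x*@example.com"))
```

The lookup is keyed on the lower-cased UPN because AD matches userPrincipalName case-insensitively; everything else about the identity is passed through unchanged so that a DOMAIN\user form already in the shape ntlm_auth accepts is not altered.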