samba - Nov 2019 - FreeRADIUS & SAMBA when Active Directory domain is not a FQDN

OS is Centos 7; FreeRADIUS Version 3.0.13; Samba version 4.9.1;



I'm building a FreeRADIUS box for Eduroam authentication for both SP &
IDP, and have hit a stumbling block I can?t figure or Google my way out of.



The issue is the local AD domain is along the lines of ?example.campus?, but
users have a UPN of ?user at example.com? which was added for Skype for Business
as prior the UPN was ?user at example.campus?.


>From the CLI I can check AD connectivity e.g.
# net ads info

LDAP server: 172.23.0.1

LDAP server name: DC01.EXAMPLE.CAMPUS

Realm: EXAMPLE.CAMPUS

Bind Path: dc=EXAMPLE,dc=CAMPUS

LDAP port: 389

Server time: Thu, 07 Nov 2019 14:50:04 NZDT

KDC server: 172.23.0.1

Server time offset: 0

Last machine account password change: Thu, 07 Nov 2019 13:31:09 NZDT



# wbinfo --ping-dc

checking the NETLOGON for domain[EXAMPLE] dc connection to
"DC01.EXAMPLE.CAMPUS" succeeded



# getent passwd EXAMPLE\\[Domain user]

EXAMPLE\[Domain user]:*:37180:10513::/home/[Domain user]:/bin/bash



# getent group "EXAMPLE\\Block Internet Access"

EXAMPLE\block internet access:x:11646:



# wbinfo -a [Domain user]%[password]

plaintext password authentication failed

Could not authenticate user [Domain user]% [password] with plaintext password

challenge/response password authentication succeeded



# ntlm_auth --request-nt-key --domain=EXAMPLE --username=[Domain user]

Password:

NT_STATUS_OK: The operation completed successfully. (0x0)



When I run FreeRADIUS in debug, AD returns error code 0xC0000064 which
translates to ?username does not exist? for the UPN


I don?t think this is an inter-domain trust as it is a single domain in the AD
forest, & it appears that the authentication is done on the sAMAccountName?


Is there a way to set SAMBA up to check the UPN rather than the sAMAccountName?

Cheers
Steve

On 12/11/2019 21:17, Steve Bluck via samba wrote:
> OS is Centos 7; FreeRADIUS Version 3.0.13; Samba version 4.9.1;
>
>
>
> I'm building a FreeRADIUS box for Eduroam authentication for both SP
& IDP, and have hit a stumbling block I can?t figure or Google my way out
of.
>
>
>
> The issue is the local AD domain is along the lines of ?example.campus?,
but users have a UPN of ?user at example.com? which was added for Skype for
Business as prior the UPN was ?user at example.campus?.
I am not a freeradius expert, but how about this, change the UPN back to 
what it should be 'user at example.campus' and then add a SPN for 
'user at example.com'

Rowland

Hi Rowland,
Apologies for the tardy reply, I mistakenly set the mailing list to digest...
Thanks for the suggestion, I'll ask the AD guys about this but I have a
feeling it is an unlikely solution as Office 365 & Skype for Business
apparently relies on the UPN. Unfortunately the local domain is a result of
following Microsoft's "Best Practice" in the early 2000's
which has since changed.
Since I posted this I've found some suggestions around doing a LDAP lookup
first and pass the results to ntlm_auth so shall do some investigation on that.
Cheers
Steve


________________________________
From: Rowland penny <rpenny at samba.org>
Sent: Wednesday, 13 November 2019 11:10 AM
To: samba at lists.samba.org <samba at lists.samba.org>
Subject: Re: [Samba] FreeRADIUS & SAMBA when Active Directory domain is not
a FQDN

On 12/11/2019 21:17, Steve Bluck via samba wrote:
> OS is Centos 7; FreeRADIUS Version 3.0.13; Samba version 4.9.1;
>
>
>
> I'm building a FreeRADIUS box for Eduroam authentication for both SP
& IDP, and have hit a stumbling block I can?t figure or Google my way out
of.
>
>
>
> The issue is the local AD domain is along the lines of ?example.campus?,
but users have a UPN of ?user at example.com? which was added for Skype for
Business as prior the UPN was ?user at example.campus?.
I am not a freeradius expert, but how about this, change the UPN back to
what it should be 'user at example.campus' and then add a SPN for
'user at example.com'

Rowland