Alex Sharaz
2006-Feb-27 16:26 UTC
[Samba] Authenticating users via samba to an active directory
Chaps,

Got a small problem here that I could do with some help with. I am looking at implementing 802.1X wired network authentication here and am using a RADIUS server called Radiator as the primary authentication mechanism. Radiator has an authentication module that'll allow user auth to an Active Directory via components of the Samba suite. The requirement is that the host Samba server be a member of the Active Directory, and the config mechanism uses:

    /usr/bin/ntlm_auth --helper-protocol=ntlm-server-1

The smb.conf file being used is:

    [global]
        workgroup =
        security = domain
        password server = p.q.r.s
        realm = ADIR.HULL.AC.UK
        preferred master = no
        server string = Hull Comms support server
        security = ADS
        use spnego = yes
        encrypt passwords = yes
        log level = 3
        log file = /var/log/samba/%m
        max log size = 50
        winbind separator = +
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        bind interfaces only = yes
        interfaces = a.b.c.d 127.0.0.1
        client NTLMv2 auth = yes

With this I can use "ntlm_auth --username=xxxx --domain=adir.hull.ac.uk --password=fred" or "ntlm_auth --username=xxx --password=fred". At an 802.1X supplicant I can now authenticate via Radiator/Samba/AD by specifying a userid and password (I'm using EAP-TTLS and an inner auth type of MSCHAPv2).

However, what I'd like to do is have the user authenticate using a domain of hull.ac.uk. At this point things do not work. If I use the above example "ntlm_auth --username=xxxx --domain=hull.ac.uk --password=fred", what I get is an NT_STATUS_NO_SUCH_USER: No such user (0xc0000064) message.

From our Desktop Services team, here is a description of what we do there:

"In an Active Directory tree, the names of both a child domain and the root domain are available as default UPN suffixes. To simplify logon, we use the root domain name as the primary UPN suffix, that is, hull.ac.uk. Any user can also log on as username@adir.hull.ac.uk. For security purposes, we could make any number of other UPN suffixes, for example hull.internal. UPN suffixes other than the current domain name are generally linked with a user at the time of account creation. We need to know how to log on with the root domain as the UPN suffix rather than the child name."

Any help appreciated,
Alex
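Added example (not part of the original post, and not Radiator's or Samba's own code): a small POSIX shell script that drives ntlm_auth through the same ntlm-server-1 helper protocol that Radiator uses, rather than through the --username/--domain command-line flags. The helper reads "Username:", "NT-Domain:" and "Password:" header lines terminated by a line containing a single ".", and answers "Authenticated: Yes" or "Authenticated: No" followed by an "Authentication-Error:" line. Feeding the three naming forms from the post (short domain, root UPN suffix, user@suffix) through this path shows exactly what the RADIUS server will see for each, which is more informative than the command-line test because the error string comes back on the protocol channel. The helper path /usr/bin/ntlm_auth is taken from the post; the user name "xxxx", password "fred" and the domain strings in the example run are placeholders drawn from the post, not real credentials.

```bash
#!/bin/sh
# Added example: exercise ntlm_auth's ntlm-server-1 helper protocol by hand.
# Assumption: path from the post; override with NTLM_AUTH=... in the environment.
NTLM_AUTH=${NTLM_AUTH:-/usr/bin/ntlm_auth}

# Build one ntlm-server-1 request.
#   $1 = user name, $2 = NT domain (may be empty, then the line is omitted), $3 = password
# The request is a set of "Header: value" lines closed by a lone "." line.
ntlm_request() {
    printf 'Username: %s\n' "$1"
    [ -n "$2" ] && printf 'NT-Domain: %s\n' "$2"
    printf 'Password: %s\n' "$3"
    printf '.\n'
}

# Reduce a helper reply (read on stdin) to one summary word:
#   YES               authenticated
#   NO <error>        rejected, with the Authentication-Error text if present
#   UNKNOWN           nothing the helper protocol defines was seen
ntlm_result() {
    awk '
        /^Authenticated: Yes/    { r = "YES" }
        /^Authenticated: No/     { if (r == "") r = "NO" }
        /^Authentication-Error:/ { sub(/^Authentication-Error: */, ""); err = $0 }
        END {
            if (r == "YES")      print "YES"
            else if (err != "")  print "NO " err
            else if (r == "NO")  print "NO"
            else                 print "UNKNOWN"
        }'
}

# Send one request to the live helper and print the summary.
# Skips cleanly when ntlm_auth is not installed, so the script can run anywhere.
ntlm_check() {
    if [ ! -x "$NTLM_AUTH" ]; then
        echo "SKIP: $NTLM_AUTH not found"
        return 0
    fi
    ntlm_request "$1" "$2" "$3" \
        | "$NTLM_AUTH" --helper-protocol=ntlm-server-1 2>/dev/null \
        | ntlm_result
}

# Example run: the three naming forms from the post, fields separated by '|'.
# Placeholder values (xxxx / fred / domain names) are taken from the post, not real.
for spec in 'xxxx|ADIR.HULL.AC.UK|fred' 'xxxx|hull.ac.uk|fred' 'xxxx@hull.ac.uk||fred'; do
    IFS='|' read -r u d p <<EOF
$spec
EOF
    printf '%-32s %s\n' "$u / ${d:-<no NT-Domain>}" "$(ntlm_check "$u" "$d" "$p")"
done
```

Run it on the Samba member server as a user allowed to talk to winbind (the same account Radiator runs as), and compare the "NO ..." text returned for the hull.ac.uk form with the one returned for adir.hull.ac.uk; whichever form the helper accepts is the one the RADIUS server must pass as NT-Domain, and a form the helper rejects here will be rejected identically when it arrives via EAP-TTLS/MSCHAPv2.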