Steve Bluck
2019-Nov-13 20:07 UTC
[Samba] FreeRADIUS & SAMBA when Active Directory domain is not a FQDN
Hi Rowland, Apologies for the tardy reply, I mistakenly set the mailing list to digest... Thanks for the suggestion, I'll ask the AD guys about this but I have a feeling it is an unlikely solution as Office 365 & Skype for Business apparently relies on the UPN. Unfortunately the local domain is a result of following Microsoft's "Best Practice" in the early 2000's which has since changed. Since I posted this I've found some suggestions around doing a LDAP lookup first and pass the results to ntlm_auth so shall do some investigation on that. Cheers Steve ________________________________ From: Rowland penny <rpenny at samba.org> Sent: Wednesday, 13 November 2019 11:10 AM To: samba at lists.samba.org <samba at lists.samba.org> Subject: Re: [Samba] FreeRADIUS & SAMBA when Active Directory domain is not a FQDN On 12/11/2019 21:17, Steve Bluck via samba wrote:> OS is Centos 7; FreeRADIUS Version 3.0.13; Samba version 4.9.1; > > > > I'm building a FreeRADIUS box for Eduroam authentication for both SP & IDP, and have hit a stumbling block I can?t figure or Google my way out of. > > > > The issue is the local AD domain is along the lines of ?example.campus?, but users have a UPN of ?user at example.com? which was added for Skype for Business as prior the UPN was ?user at example.campus?.I am not a freeradius expert, but how about this, change the UPN back to what it should be 'user at example.campus' and then add a SPN for 'user at example.com' Rowland
Andrew Bartlett
2019-Nov-13 21:41 UTC
[Samba] FreeRADIUS & SAMBA when Active Directory domain is not a FQDN
Can you clarify again what the UPN is vs what the users enter via FreeRADIUS as their 'username'? I'm a bit lost. Andrew Bartlett On Wed, 2019-11-13 at 20:07 +0000, Steve Bluck via samba wrote:> Hi Rowland, > Apologies for the tardy reply, I mistakenly set the mailing list to > digest... > Thanks for the suggestion, I'll ask the AD guys about this but I have > a feeling it is an unlikely solution as Office 365 & Skype for > Business apparently relies on the UPN. Unfortunately the local domain > is a result of following Microsoft's "Best Practice" in the early > 2000's which has since changed. > Since I posted this I've found some suggestions around doing a LDAP > lookup first and pass the results to ntlm_auth so shall do some > investigation on that. > Cheers > Steve > > > ________________________________ > From: Rowland penny <rpenny at samba.org> > Sent: Wednesday, 13 November 2019 11:10 AM > To: samba at lists.samba.org <samba at lists.samba.org> > Subject: Re: [Samba] FreeRADIUS & SAMBA when Active Directory domain > is not a FQDN > > On 12/11/2019 21:17, Steve Bluck via samba wrote: > > OS is Centos 7; FreeRADIUS Version 3.0.13; Samba version 4.9.1; > > > > > > > > I'm building a FreeRADIUS box for Eduroam authentication for both > > SP & IDP, and have hit a stumbling block I can?t figure or Google > > my way out of. > > > > > > > > The issue is the local AD domain is along the lines of > > ?example.campus?, but users have a UPN of ?user at example.com? which > > was added for Skype for Business as prior the UPN was ? > > user at example.campus?. > > I am not a freeradius expert, but how about this, change the UPN back > to > what it should be 'user at example.campus' and then add a SPN for > 'user at example.com' > > Rowland > > >-- Andrew Bartlett https://samba.org/~abartlet/ Authentication Developer, Samba Team https://samba.org Samba Development and Support, Catalyst IT https://catalyst.net.nz/services/samba
Steve Bluck
2019-Nov-13 22:21 UTC
[Samba] FreeRADIUS & SAMBA when Active Directory domain is not a FQDN
FreeRAIDUS is checking for a username in the format of [user]@[internet domain] for Eduroam (World wide WiFi network, mostly used by Education), if it is not a locally defined Internet domain it then refers the RADIUS request to a higher level RADIUS server. However if it's our defined domain e.g. EXAMPLE.COM it will check with our AD server. Normally the sAMAccountName & AD domain pair is the same as the UPN, which is a user @ Internet Domain (some sites reference this as the email address but this is not technically correct). The problem we have is our AD domain was set up years ago and followed then best practise of not using a public domain internally, so the domain name is EXAMPLE.CAMPUS while the UPN domain is EXAMPLE.COM (UPN has been set this way for Office 365 & Skype for Business to work). Samba / ntml_auth queries AD based on the sAMAccountName & AD domain pair but what FreeRADIUS is receiving is the UPN. E.g. querying AD with a user & local domain pair works TEST-USER at EXAMPLE.CAMPUS: # ntlm_auth --request-nt-key --domain=EXAMPLE.CAMPUS --username=TEST-USER --password=****** NT_STATUS_OK: The operation completed successfully. (0x0) Querying AD with AD Realm (NETBIOS) works e.g. TEST-USER at EXAMPLE: # ntlm_auth --request-nt-key --domain=EXAMPLE --username=TEST-USER --password=****** NT_STATUS_OK: The operation completed successfully. (0x0) But querying based on UPN fails e.g. TEST-USER at EXAMPLE.COM: # ntlm_auth --request-nt-key --domain=EXAMPLE.COM --username=TEST-USER --password=****** NT_STATUS_NO_SUCH_USER: The specified account does not exist. (0xc0000064) I'm still getting my head around it myself so may have used terms in the wrong context e.g. REALM TLDR; SAMBA is querying AD based on sAMAccountName but is receiving UPN from user so can't find the user. Cheers Steve ________________________________ From: Andrew Bartlett <abartlet at samba.org> Sent: Thursday, 14 November 2019 10:41 AM To: Steve Bluck <sbluck at hotmail.com>; samba at lists.samba.org <samba at lists.samba.org> Subject: Re: [Samba] FreeRADIUS & SAMBA when Active Directory domain is not a FQDN Can you clarify again what the UPN is vs what the users enter via FreeRADIUS as their 'username'? I'm a bit lost. Andrew Bartlett
Andrew Bartlett
2019-Nov-14 00:00 UTC
[Samba] FreeRADIUS & SAMBA when Active Directory domain is not a FQDN
On Wed, 2019-11-13 at 22:21 +0000, Steve Bluck via samba wrote:> FreeRAIDUS is checking for a username in the format of > [user]@[internet domain] for Eduroam (World wide WiFi network, mostly > used by Education), if it is not a locally defined Internet domain it > then refers the RADIUS request to a higher level RADIUS server. > However if it's our defined domain e.g. EXAMPLE.COM it will check > with our AD server. > Normally the sAMAccountName & AD domain pair is the same as the UPN, > which is a user @ Internet Domain (some sites reference this as the > email address but this is not technically correct). > The problem we have is our AD domain was set up years ago and > followed then best practise of not using a public domain internally, > so the domain name is EXAMPLE.CAMPUS while the UPN domain is > EXAMPLE.COM (UPN has been set this way for Office 365 & Skype for > Business to work). > Samba / ntml_auth queries AD based on the sAMAccountName & AD domain > pair but what FreeRADIUS is receiving is the UPN.(trying again, CC to list and correct info) Try ntlm_auth --request-nt-key --domain='' --username=TEST-USER at EXAMPLE.COM eg if the UPN is [user]@[internet domain] and that is what eduroam wants then it should work. Samba can check against the UPN as long as the domain is ''. It works best in the most recent versions, we do occasionally do fixes for this. Andrew Bartlett -- Andrew Bartlett https://samba.org/~abartlet/ Authentication Developer, Samba Team https://samba.org Samba Development and Support, Catalyst IT https://catalyst.net.nz/services/samba
Possibly Parallel Threads
- FreeRADIUS & SAMBA when Active Directory domain is not a FQDN
- FreeRADIUS & SAMBA when Active Directory domain is not a FQDN
- FreeRADIUS & SAMBA when Active Directory domain is not a FQDN
- FreeRADIUS & SAMBA when Active Directory domain is not a FQDN
- [EXTERNAL] Fwd: ntlm_auth and freeradius