Steve Bluck
2019-Nov-13 20:07 UTC
[Samba] FreeRADIUS & SAMBA when Active Directory domain is not a FQDN
Hi Rowland,

Apologies for the tardy reply, I mistakenly set the mailing list to digest...

Thanks for the suggestion, I'll ask the AD guys about this but I have a feeling it is an unlikely solution as Office 365 & Skype for Business apparently rely on the UPN. Unfortunately the local domain is a result of following Microsoft's "Best Practice" in the early 2000's which has since changed.

Since I posted this I've found some suggestions around doing an LDAP lookup first and passing the results to ntlm_auth so shall do some investigation on that.

Cheers
Steve

________________________________
From: Rowland penny <rpenny at samba.org>
Sent: Wednesday, 13 November 2019 11:10 AM
To: samba at lists.samba.org <samba at lists.samba.org>
Subject: Re: [Samba] FreeRADIUS & SAMBA when Active Directory domain is not a FQDN

On 12/11/2019 21:17, Steve Bluck via samba wrote:
> OS is Centos 7; FreeRADIUS Version 3.0.13; Samba version 4.9.1;
>
> I'm building a FreeRADIUS box for Eduroam authentication for both SP & IDP, and have hit a stumbling block I can't figure or Google my way out of.
>
> The issue is the local AD domain is along the lines of 'example.campus', but users have a UPN of 'user at example.com' which was added for Skype for Business as prior the UPN was 'user at example.campus'.

I am not a freeradius expert, but how about this, change the UPN back to what it should be 'user at example.campus' and then add a SPN for 'user at example.com'

Rowland
Andrew Bartlett
2019-Nov-13 21:41 UTC
[Samba] FreeRADIUS & SAMBA when Active Directory domain is not a FQDN
Can you clarify again what the UPN is vs what the users enter via FreeRADIUS as their 'username'? I'm a bit lost.

Andrew Bartlett

On Wed, 2019-11-13 at 20:07 +0000, Steve Bluck via samba wrote:
> Hi Rowland,
> Apologies for the tardy reply, I mistakenly set the mailing list to digest...
> Thanks for the suggestion, I'll ask the AD guys about this but I have a feeling it is an unlikely solution as Office 365 & Skype for Business apparently rely on the UPN. Unfortunately the local domain is a result of following Microsoft's "Best Practice" in the early 2000's which has since changed.
> Since I posted this I've found some suggestions around doing an LDAP lookup first and passing the results to ntlm_auth so shall do some investigation on that.
> Cheers
> Steve
>
> ________________________________
> From: Rowland penny <rpenny at samba.org>
> Sent: Wednesday, 13 November 2019 11:10 AM
> To: samba at lists.samba.org <samba at lists.samba.org>
> Subject: Re: [Samba] FreeRADIUS & SAMBA when Active Directory domain is not a FQDN
>
> On 12/11/2019 21:17, Steve Bluck via samba wrote:
> > OS is Centos 7; FreeRADIUS Version 3.0.13; Samba version 4.9.1;
> >
> > I'm building a FreeRADIUS box for Eduroam authentication for both SP & IDP, and have hit a stumbling block I can't figure or Google my way out of.
> >
> > The issue is the local AD domain is along the lines of 'example.campus', but users have a UPN of 'user at example.com' which was added for Skype for Business as prior the UPN was 'user at example.campus'.
>
> I am not a freeradius expert, but how about this, change the UPN back to what it should be 'user at example.campus' and then add a SPN for 'user at example.com'
>
> Rowland
--
Andrew Bartlett https://samba.org/~abartlet/
Authentication Developer, Samba Team https://samba.org
Samba Development and Support, Catalyst IT https://catalyst.net.nz/services/samba
Steve Bluck
2019-Nov-13 22:21 UTC
[Samba] FreeRADIUS & SAMBA when Active Directory domain is not a FQDN
FreeRADIUS is checking for a username in the format of [user]@[internet domain] for Eduroam (worldwide WiFi network, mostly used by Education); if it is not a locally defined Internet domain it then refers the RADIUS request to a higher level RADIUS server. However if it's our defined domain e.g. EXAMPLE.COM it will check with our AD server.

Normally the sAMAccountName & AD domain pair is the same as the UPN, which is a user @ Internet Domain (some sites reference this as the email address but this is not technically correct).

The problem we have is our AD domain was set up years ago and followed then best practice of not using a public domain internally, so the domain name is EXAMPLE.CAMPUS while the UPN domain is EXAMPLE.COM (UPN has been set this way for Office 365 & Skype for Business to work).

Samba / ntlm_auth queries AD based on the sAMAccountName & AD domain pair but what FreeRADIUS is receiving is the UPN.

E.g. querying AD with a user & local domain pair works, TEST-USER at EXAMPLE.CAMPUS:

# ntlm_auth --request-nt-key --domain=EXAMPLE.CAMPUS --username=TEST-USER --password=******
NT_STATUS_OK: The operation completed successfully. (0x0)

Querying AD with AD Realm (NETBIOS) works, e.g. TEST-USER at EXAMPLE:

# ntlm_auth --request-nt-key --domain=EXAMPLE --username=TEST-USER --password=******
NT_STATUS_OK: The operation completed successfully. (0x0)

But querying based on UPN fails, e.g. TEST-USER at EXAMPLE.COM:

# ntlm_auth --request-nt-key --domain=EXAMPLE.COM --username=TEST-USER --password=******
NT_STATUS_NO_SUCH_USER: The specified account does not exist. (0xc0000064)

I'm still getting my head around it myself so may have used terms in the wrong context e.g. REALM.

TLDR; SAMBA is querying AD based on sAMAccountName but is receiving UPN from user so can't find the user.

Cheers
Steve

________________________________
From: Andrew Bartlett <abartlet at samba.org>
Sent: Thursday, 14 November 2019 10:41 AM
To: Steve Bluck <sbluck at hotmail.com>; samba at lists.samba.org <samba at lists.samba.org>
Subject: Re: [Samba] FreeRADIUS & SAMBA when Active Directory domain is not a FQDN

Can you clarify again what the UPN is vs what the users enter via FreeRADIUS as their 'username'? I'm a bit lost.

Andrew Bartlett
Andrew Bartlett
2019-Nov-14 00:00 UTC
[Samba] FreeRADIUS & SAMBA when Active Directory domain is not a FQDN
On Wed, 2019-11-13 at 22:21 +0000, Steve Bluck via samba wrote:
> FreeRADIUS is checking for a username in the format of [user]@[internet domain] for Eduroam (worldwide WiFi network, mostly used by Education); if it is not a locally defined Internet domain it then refers the RADIUS request to a higher level RADIUS server. However if it's our defined domain e.g. EXAMPLE.COM it will check with our AD server.
> Normally the sAMAccountName & AD domain pair is the same as the UPN, which is a user @ Internet Domain (some sites reference this as the email address but this is not technically correct).
> The problem we have is our AD domain was set up years ago and followed then best practice of not using a public domain internally, so the domain name is EXAMPLE.CAMPUS while the UPN domain is EXAMPLE.COM (UPN has been set this way for Office 365 & Skype for Business to work).
> Samba / ntlm_auth queries AD based on the sAMAccountName & AD domain pair but what FreeRADIUS is receiving is the UPN.

(trying again, CC to list and correct info)

Try

ntlm_auth --request-nt-key --domain='' --username=TEST-USER at EXAMPLE.COM

eg if the UPN is [user]@[internet domain] and that is what eduroam wants then it should work. Samba can check against the UPN as long as the domain is ''. It works best in the most recent versions, we do occasionally do fixes for this.

Andrew Bartlett
--
Andrew Bartlett https://samba.org/~abartlet/
Authentication Developer, Samba Team https://samba.org
Samba Development and Support, Catalyst IT https://catalyst.net.nz/services/samba
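The two ways of handing an eduroam-style identity to ntlm_auth that come up in this thread (translate the UPN realm to the sAMAccountName / AD-domain pair first, as in Steve's working tests, or pass the UPN unchanged with an empty --domain, as Andrew suggests), written up as an added Python example. This is not code from any poster, from FreeRADIUS or from Samba. The LOCAL_REALMS table is constructed for the example and stands in for the LDAP lookup or static realm map a site would actually use; the function names are this example's own. Only ntlm_auth options that appear in the thread are used.

```python
"""Realm routing and ntlm_auth argument construction for an eduroam-style
FreeRADIUS front end (added illustration, not the thread's or Samba's code)."""
import shutil
import subprocess

# Constructed mapping (assumption): UPN realm -> AD domain (DNS form) and
# NetBIOS name. In the thread the UPN realm is EXAMPLE.COM while the AD
# domain is EXAMPLE.CAMPUS / NetBIOS EXAMPLE.
LOCAL_REALMS = {
    "example.com": {"ad_domain": "EXAMPLE.CAMPUS", "netbios": "EXAMPLE"},
}


def parse_nai(username):
    """Split an outer identity 'user@realm' into (user, realm).

    The realm is lower-cased for lookup; a bare username has realm None.
    rpartition is used so a '@' inside the user part does not break routing."""
    if "@" not in username:
        return username, None
    user, _, realm = username.rpartition("@")
    if not user or not realm:
        raise ValueError("malformed identity: %r" % username)
    return user, realm.lower()


def route(username):
    """What FreeRADIUS should do with the request:
    'local'  -> authenticate against our AD via ntlm_auth
    'proxy'  -> forward to the next-hop eduroam RADIUS server
    'reject' -> no realm at all, which eduroam roaming requires."""
    _, realm = parse_nai(username)
    if realm is None:
        return "reject"
    return "local" if realm in LOCAL_REALMS else "proxy"


def ntlm_auth_upn_argv(username, password):
    """Andrew's form: keep the UPN intact and pass an empty --domain so Samba
    resolves the account by userPrincipalName."""
    return ["ntlm_auth", "--request-nt-key", "--domain=",
            "--username=%s" % username, "--password=%s" % password]


def ntlm_auth_mapped_argv(username, password, use_netbios=False):
    """Steve's working form: replace the UPN realm with the AD domain (DNS or
    NetBIOS name) and send only the sAMAccountName as --username."""
    user, realm = parse_nai(username)
    entry = LOCAL_REALMS[realm]  # KeyError for a realm that is not ours
    domain = entry["netbios"] if use_netbios else entry["ad_domain"]
    return ["ntlm_auth", "--request-nt-key", "--domain=%s" % domain,
            "--username=%s" % user, "--password=%s" % password]


def run_ntlm_auth(argv):
    """Run ntlm_auth and return (ok, first_output_line).

    ntlm_auth reports the NT_STATUS on its first stdout line, as the thread
    shows. Returns (None, reason) when the binary is absent so the module
    still imports on a box without Samba."""
    if shutil.which(argv[0]) is None:
        return None, "ntlm_auth not found"
    proc = subprocess.run(argv, capture_output=True, text=True)
    first = (proc.stdout.strip().splitlines() or [""])[0]
    return first.startswith("NT_STATUS_OK"), first


if __name__ == "__main__":
    ident = "TEST-USER@EXAMPLE.COM"
    print(route(ident))
    print(" ".join(ntlm_auth_mapped_argv(ident, "******")))
    print(" ".join(ntlm_auth_upn_argv(ident, "******")))
```

Two things to keep in mind when wiring either form into FreeRADIUS: the argument-list form puts the password in the process list for the lifetime of the ntlm_auth call, which is why the shipped mschap module hands ntlm_auth the MS-CHAP challenge and response instead of a clear password; and, as Andrew notes, the empty --domain lookup by UPN depends on Samba version, so check it with a known test account on the exact build you deploy before relying on the routing above.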