[Samba] Authenticating users via samba to an active directory

Alex Sharaz A.Sharaz at hull.ac.uk
Mon Feb 27 16:25:49 GMT 2006


Chaps, 
Got a small problem here that I could do with some help with.

I am looking at implementing 802.1X wired network authentication here
and am using a RADIUS server called Radiator as the primary
authentication mechanism. Radiator has an authentication module that
will allow user auth to an Active Directory via components of the Samba
suite. The requirement is that the host Samba server be a member of the
Active Directory, and the config mechanism uses
"/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1".

The smb.conf file being used is

[global]
   workgroup = 
   ; ADS (not "domain"): the host is a member of the AD domain.
   ; smb.conf takes the last occurrence of a parameter, so setting
   ; "security" once avoids an earlier value being silently overridden.
   security = ADS
   realm = ADIR.HULL.AC.UK
   password server = p.q.r.s
   preferred master = no
   server string = Hull Comms support server
   use spnego = yes
   encrypt passwords = yes
   log level = 3
   log file = /var/log/samba/%m
   max log size = 50
   ; winbind names look like DOMAIN+user with this separator
   winbind separator = +
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   bind interfaces only = yes
   interfaces = a.b.c.d 127.0.0.1
   client NTLMv2 auth = yes

and with this I can use "ntlm_auth --username=xxxx --domain=adir.hull.ac.uk
--password=fred" or "ntlm_auth --username=xxx --password=fred".

At an 802.1X supplicant I can now authenticate via Radiator/Samba/AD by
specifying a user ID and password (I'm using EAP-TTLS with an inner auth
type of MSCHAPv2).

However, what I'd like to do is have the user authenticate using a
domain of hull.ac.uk. At this point things do not work.

If I use the above example "ntlm_auth --username=xxxx --domain=hull.ac.uk
--password=fred" what I get is an "NT_STATUS_NO_SUCH_USER: No such user
(0xc0000064)" message.

From our Desktop Services team, here is a description of what we do
there.

"In an Active Directory tree, the names of both a child domain and the
root domain are available as default UPN suffixes.

To simplify logon, we use the root domain name as the primary UPN suffix,
that is, hull.ac.uk. Any user can also log on as
username@adir.hull.ac.uk

For security purposes, we could make any number of other UPN suffixes,
for example hull.internal

UPN suffixes other than the current domain name are generally linked
with a user at the time of account creation

We need to know how to logon with the root domain as the UPN suffix
rather than the child name"


Any help appreciated
Alex
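Added example (not code from the post, from Samba or from Radiator): a small driver for the "ntlm_auth --helper-protocol=ntlm-server-1" interface the post configures, so the child-domain versus root-UPN-suffix cases can be reproduced outside Radiator and the helper's verdict read back programmatically. The request/response key names (Username, NT-Domain, Password, LANMAN-Challenge, NT-Response, Request-User-Session-Key, Authenticated, Authentication-Error) are the ones ntlm_auth uses to the best of my knowledge; the two sample replies are constructed for offline testing, not captured from a real helper, and the user/password values are the placeholders from the post.

```python
"""Talk to ntlm_auth's ntlm-server-1 helper protocol the way a RADIUS server does.

Added example, not code from the original post or from Samba/Radiator.  The
protocol key names are ntlm_auth's as far as I know; the SAMPLE_* replies are
constructed, not captured from a real helper.
"""
import binascii
import subprocess
from typing import Dict, List, Optional

# Helper command exactly as given in the post.
NTLM_AUTH: List[str] = ["/usr/bin/ntlm_auth", "--helper-protocol=ntlm-server-1"]

# Constructed sample replies (assumed to mirror ntlm_auth's output format).
SAMPLE_OK = "Authenticated: Yes\n.\n"
SAMPLE_NO_USER = "Authenticated: No\nAuthentication-Error: NT_STATUS_NO_SUCH_USER\n.\n"


def _no_newlines(field: str, value: Optional[str]) -> None:
    # A line break inside a value would let a caller inject extra protocol lines.
    if value is not None and ("\n" in value or "\r" in value):
        raise ValueError(f"{field} must not contain a line break")


def build_request(username: str, password: Optional[str] = None,
                  domain: Optional[str] = None, challenge: Optional[bytes] = None,
                  nt_response: Optional[bytes] = None,
                  want_session_key: bool = False) -> str:
    """Encode one request: 'Key: value' lines ended by a line holding only '.'.

    Supply either a plaintext password (as in the command-line tests in the
    post) or an 8-byte challenge plus the NT-Response that an inner MSCHAPv2
    exchange produces.  Binary fields travel hex-encoded.
    """
    if password is None and (challenge is None or nt_response is None):
        raise ValueError("need a password or a challenge + NT-Response pair")
    if challenge is not None and len(challenge) != 8:
        raise ValueError("LANMAN-Challenge must be exactly 8 bytes")
    for field, value in (("username", username), ("domain", domain), ("password", password)):
        _no_newlines(field, value)

    lines = [f"Username: {username}"]
    if domain:
        # Omitting NT-Domain lets winbind apply its default domain.  Passing the
        # root UPN suffix (hull.ac.uk) here is the case the post reports as
        # NT_STATUS_NO_SUCH_USER; the child domain (adir.hull.ac.uk) works.
        lines.append(f"NT-Domain: {domain}")
    if password is not None:
        lines.append(f"Password: {password}")
    else:
        lines.append(f"LANMAN-Challenge: {binascii.hexlify(challenge).decode()}")
        lines.append(f"NT-Response: {binascii.hexlify(nt_response).decode()}")
    if want_session_key:
        lines.append("Request-User-Session-Key: Yes")
    lines.append(".")
    return "\n".join(lines) + "\n"


def parse_response(text: str) -> Dict[str, str]:
    """Decode the helper's reply: 'Key: value' lines up to the terminating '.'."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        if line == ".":
            break
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed helper line: {line!r}")
        fields[key.strip()] = value.strip()
    if "Authenticated" not in fields:
        raise ValueError("reply carries no Authenticated: line")
    return fields


def authenticated(fields: Dict[str, str]) -> bool:
    """True only on an explicit 'Authenticated: Yes'; anything else is a failure."""
    return fields.get("Authenticated") == "Yes"


def check(username: str, password: Optional[str] = None,
          domain: Optional[str] = None, helper: List[str] = NTLM_AUTH) -> Dict[str, str]:
    """Run one request through the real helper (needs a domain-joined Samba host)."""
    proc = subprocess.run(helper, input=build_request(username, password, domain),
                          capture_output=True, text=True, check=False)
    if not proc.stdout:
        raise RuntimeError(f"{helper[0]} gave no reply: {proc.stderr.strip()}")
    return parse_response(proc.stdout)


if __name__ == "__main__":
    # Reproduce the post's two cases outside Radiator: child-domain name vs root UPN suffix.
    for dom in ("adir.hull.ac.uk", "hull.ac.uk"):
        print(dom, check("xxxx", "fred", dom))
    # Same user written as a UPN, with no NT-Domain line at all.
    print("upn", check("xxxx@hull.ac.uk", "fred"))
```

Run the script on the Samba host that is joined to the domain; it prints the parsed verdict for each form of the name. The line-break check in build_request matters when the username and password come from an untrusted supplicant, since the helper protocol is line-delimited.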



