[Samba] FreeRADIUS & SAMBA when Active Directory domain is not a FQDN
sbluck at hotmail.com
Tue Nov 12 21:17:48 UTC 2019
OS is Centos 7; FreeRADIUS Version 3.0.13; Samba version 4.9.1;
I'm building a FreeRADIUS box for Eduroam authentication for both SP & IDP, and have hit a stumbling block I can’t figure or Google my way out of.
The issue is the local AD domain is along the lines of ‘example.campus’, but users have a UPN of ‘user at example.com’, which was added for Skype for Business as, prior to that, the UPN was ‘user at example.campus’.
From the CLI I can check AD connectivity, e.g.
# net ads info
LDAP server: 172.23.0.1
LDAP server name: DC01.EXAMPLE.CAMPUS
Bind Path: dc=EXAMPLE,dc=CAMPUS
LDAP port: 389
Server time: Thu, 07 Nov 2019 14:50:04 NZDT
KDC server: 172.23.0.1
Server time offset: 0
Last machine account password change: Thu, 07 Nov 2019 13:31:09 NZDT
# wbinfo --ping-dc
checking the NETLOGON for domain[EXAMPLE] dc connection to "DC01.EXAMPLE.CAMPUS" succeeded
# getent passwd EXAMPLE\\[Domain user]
EXAMPLE\[Domain user]:*:37180:10513::/home/[Domain user]:/bin/bash
# getent group "EXAMPLE\\Block Internet Access"
EXAMPLE\block internet access:x:11646:
# wbinfo -a [Domain user]%[password]
plaintext password authentication failed
Could not authenticate user [Domain user]% [password] with plaintext password
challenge/response password authentication succeeded
# ntlm_auth --request-nt-key --domain=EXAMPLE --username=[Domain user]
NT_STATUS_OK: The operation completed successfully. (0x0)
When I run FreeRADIUS in debug, AD returns error code 0xC0000064, which translates to ‘username does not exist’ for the UPN.
I don’t think this is an inter-domain trust as it is a single domain in the AD forest, & it appears that the authentication is done on the sAMAccountName?
Is there a way to set SAMBA up to check the UPN rather than the sAMAccountName?
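The checks above hand ntlm_auth a NetBIOS domain plus a sAMAccountName, while the UPN carries a different realm. The helper below is an added illustration, not code from the post or from Samba: it maps a UPN suffix to the NetBIOS domain before the ntlm_auth call (the realm table and the assumption that the UPN prefix equals the sAMAccountName are both constructed for this example) and decodes ntlm_auth's final status line so that 0xC0000064 is reported by its NTSTATUS name.

```python
import re

# Constructed realm table: the post's AD domain is EXAMPLE.CAMPUS (NetBIOS EXAMPLE),
# but users log in as user@example.com. Assumes the UPN prefix equals the
# sAMAccountName, which is not guaranteed in a real directory.
REALM_TO_NETBIOS = {
    "example.com": "EXAMPLE",
    "example.campus": "EXAMPLE",
}

# NTSTATUS values relevant to winbind/ntlm_auth logon results.
NTSTATUS = {
    0x00000000: "STATUS_SUCCESS",
    0xC0000064: "STATUS_NO_SUCH_USER",      # the code seen in the post
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC000006D: "STATUS_LOGON_FAILURE",
}

# ntlm_auth ends with e.g. "NT_STATUS_OK: The operation completed successfully. (0x0)"
STATUS_LINE = re.compile(r"^(?P<name>NT_STATUS_\w+):.*\((?P<code>0x[0-9A-Fa-f]+)\)\s*$")


def split_login(login):
    """Return (NETBIOS_DOMAIN, username) for 'user@realm' or 'DOMAIN\\user'.

    Unknown realms return None so a caller can reject the request instead of
    silently authenticating against the wrong domain."""
    if "\\" in login:
        domain, user = login.split("\\", 1)
        return domain.upper(), user
    if "@" in login:
        user, realm = login.rsplit("@", 1)
        domain = REALM_TO_NETBIOS.get(realm.lower())
        return (domain, user) if domain else None
    return None


def ntlm_auth_argv(login):
    """Build the ntlm_auth argv for a login (not executed here). The password is
    deliberately left out of argv; it should be supplied on stdin/prompt so it
    does not show up in the process list."""
    parts = split_login(login)
    if parts is None:
        raise ValueError("unknown realm in login %r" % login)
    domain, user = parts
    return ["ntlm_auth", "--request-nt-key", "--domain=%s" % domain, "--username=%s" % user]


def parse_status(line):
    """Decode ntlm_auth's status line into (name, code, NTSTATUS meaning)."""
    m = STATUS_LINE.match(line.strip())
    if not m:
        return None
    code = int(m.group("code"), 16)
    return m.group("name"), code, NTSTATUS.get(code, "UNKNOWN")
```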