[Samba] FreeRADIUS & SAMBA when Active Directory domain is not a FQDN

Steve Bluck sbluck at hotmail.com
Tue Nov 12 21:17:48 UTC 2019

OS is Centos 7; FreeRADIUS Version 3.0.13; Samba version 4.9.1;

I'm building a FreeRADIUS box for Eduroam authentication for both SP & IDP, and have hit a stumbling block I can’t figure or Google my way out of.

The issue is the local AD domain is along the lines of ‘example.campus’, but users have a UPN of ‘user at example.com’, which was added for Skype for Business, as prior to that the UPN was ‘user at example.campus’.

From the CLI I can check AD connectivity e.g.

# net ads info

LDAP server:



Bind Path: dc=EXAMPLE,dc=CAMPUS

LDAP port: 389

Server time: Thu, 07 Nov 2019 14:50:04 NZDT

KDC server:

Server time offset: 0

Last machine account password change: Thu, 07 Nov 2019 13:31:09 NZDT

# wbinfo --ping-dc

checking the NETLOGON for domain[EXAMPLE] dc connection to "DC01.EXAMPLE.CAMPUS" succeeded

# getent passwd EXAMPLE\\[Domain user]

EXAMPLE\[Domain user]:*:37180:10513::/home/[Domain user]:/bin/bash

# getent group "EXAMPLE\\Block Internet Access"

EXAMPLE\block internet access:x:11646:

# wbinfo -a [Domain user]%[password]

plaintext password authentication failed

Could not authenticate user [Domain user]% [password] with plaintext password

challenge/response password authentication succeeded

# ntlm_auth --request-nt-key --domain=EXAMPLE --username=[Domain user]


NT_STATUS_OK: The operation completed successfully. (0x0)

When I run FreeRADIUS in debug, AD returns error code 0xC0000064, which translates to ‘username does not exist’ for the UPN.

I don’t think this is an inter-domain trust as it is a single domain in the AD forest, & it appears that the authentication is done on the sAMAccountName?

Is there a way to set SAMBA up to check the UPN rather than the sAMAccountName?
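An added diagnostic helper, not part of the original post and not Samba or FreeRADIUS code, that tests the hypothesis in the post: it resolves a UPN to the account's sAMAccountName through the joined host's AD connection (`net ads search` with a userPrincipalName filter) and then repeats the post's `ntlm_auth --request-nt-key` check with the resolved name and the NetBIOS domain. It assumes a host already joined to AD with winbind running, that the NetBIOS workgroup is EXAMPLE as in the post, and that `net ads search` prints attributes as `name: value` lines; the sample search output embedded for the parser is constructed.

```shell
#!/bin/sh
# Added diagnostic helper (not from the original post): given a UPN such as
# user@example.com, resolve the account's sAMAccountName through the joined
# Samba host's AD connection, then run the same ntlm_auth check the post
# uses, against the NetBIOS domain name rather than the UPN realm.
# Assumptions: the host is joined (net ads info succeeds), winbind is running,
# and the NetBIOS workgroup (EXAMPLE below) matches smb.conf.

# Split a UPN into its local part and realm.
upn_user()  { printf '%s\n' "${1%%@*}"; }
upn_realm() { printf '%s\n' "${1#*@}"; }

# Build the LDAP filter that finds an account by userPrincipalName.
upn_filter() { printf '(userPrincipalName=%s)\n' "$1"; }

# Pull the first sAMAccountName value out of `net ads search` output, which
# prints matching attributes as "name: value" lines. The attribute name is
# echoed as the DC returns it, so compare case-insensitively.
parse_sam_account() {
    awk 'tolower($1) == "samaccountname:" { print $2; exit }'
}

# Constructed sample of what `net ads search` prints for one match, so the
# parser can be exercised without a domain controller.
SAMPLE_SEARCH_OUTPUT='Got 1 replies

sAMAccountName: jdoe
userPrincipalName: jdoe@example.com'

sample_sam_account() {
    printf '%s\n' "$SAMPLE_SEARCH_OUTPUT" | parse_sam_account
}

# Live lookup: needs a joined host. Prints the sAMAccountName, or nothing.
resolve_sam_account() {
    net ads search "$(upn_filter "$1")" sAMAccountName 2>/dev/null | parse_sam_account
}

# Repeat the post's ntlm_auth check with the resolved name and NetBIOS domain.
# ntlm_auth prompts for the password on stdin, so it never lands in argv or logs.
check_with_sam_account() {
    upn=$1; domain=${2:-EXAMPLE}
    sam=$(resolve_sam_account "$upn")
    if [ -z "$sam" ]; then
        echo "no account with userPrincipalName=$upn found via net ads search" >&2
        return 1
    fi
    echo "UPN $upn -> sAMAccountName $sam (realm $(upn_realm "$upn"), domain $domain)"
    ntlm_auth --request-nt-key --domain="$domain" --username="$sam"
}

# Usage: sh upn_check.sh jdoe@example.com [NETBIOS_DOMAIN]
if [ -n "${1:-}" ]; then
    check_with_sam_account "$1" "${2:-}"
fi
```

If the lookup returns a sAMAccountName and ntlm_auth then reports NT_STATUS_OK, that confirms winbind is authenticating on the sAMAccountName and the UPN form is what fails; the same split (local part vs. realm) is what a RADIUS front end would need to apply before handing the name to ntlm_auth.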


