[Samba] FreeRADIUS & SAMBA when Active Directory domain is not a FQDN

Steve Bluck sbluck at hotmail.com
Tue Nov 12 21:17:48 UTC 2019


OS is Centos 7; FreeRADIUS Version 3.0.13; Samba version 4.9.1;



I'm building a FreeRADIUS box for Eduroam authentication for both SP & IDP, and have hit a stumbling block I can’t figure or Google my way out of.



The issue is the local AD domain is along the lines of ‘example.campus’, but users have a UPN of ‘user@example.com’ which was added for Skype for Business, as prior the UPN was ‘user@example.campus’.



From the CLI I can check AD connectivity e.g.

# net ads info

LDAP server: 172.23.0.1

LDAP server name: DC01.EXAMPLE.CAMPUS

Realm: EXAMPLE.CAMPUS

Bind Path: dc=EXAMPLE,dc=CAMPUS

LDAP port: 389

Server time: Thu, 07 Nov 2019 14:50:04 NZDT

KDC server: 172.23.0.1

Server time offset: 0

Last machine account password change: Thu, 07 Nov 2019 13:31:09 NZDT



# wbinfo --ping-dc

checking the NETLOGON for domain[EXAMPLE] dc connection to "DC01.EXAMPLE.CAMPUS" succeeded



# getent passwd EXAMPLE\\[Domain user]

EXAMPLE\[Domain user]:*:37180:10513::/home/[Domain user]:/bin/bash



# getent group "EXAMPLE\\Block Internet Access"

EXAMPLE\block internet access:x:11646:



# wbinfo -a [Domain user]%[password]

plaintext password authentication failed

Could not authenticate user [Domain user]% [password] with plaintext password

challenge/response password authentication succeeded



# ntlm_auth --request-nt-key --domain=EXAMPLE --username=[Domain user]

Password:

NT_STATUS_OK: The operation completed successfully. (0x0)



When I run FreeRADIUS in debug, AD returns error code 0xC0000064 which translates to ‘username does not exist’ for the UPN


I don’t think this is an inter-domain trust as it is a single domain in the AD forest, & it appears that the authentication is done on the sAMAccountName?


Is there a way to set SAMBA up to check the UPN rather than the sAMAccountName?

Cheers
Steve
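As an added example, not part of the original post and not Samba or FreeRADIUS code: a small POSIX sh script that repeats the checks shown above for each spelling of one account (EXAMPLE\user, bare user, and the user@example.com UPN), so that the UPN failure can be reproduced with wbinfo and ntlm_auth alone, outside FreeRADIUS. EXAMPLE and example.com are the placeholder names from the post; the account name and password are supplied by the caller, and names are assumed to contain no spaces, `@`, or second backslash.

```shell
#!/bin/sh
# Added diagnostic script (not from the post, nor from Samba/FreeRADIUS).
# Runs the post's winbind checks for every spelling of one AD account so a
# 0xC0000064 (no such user) result can be pinned on winbind rather than on
# the FreeRADIUS mschap/ntlm_auth call.
# Assumptions: domain NetBIOS name EXAMPLE (from the post); account names
# contain no spaces, no '@' and at most one backslash.

# split_login NAME -> prints "domain|user|realm".
#   DOMAIN\user  -> DOMAIN|user|
#   user@realm   -> |user|realm
#   user         -> |user|
split_login() {
    case $1 in
        *\\*) printf '%s|\n' "$1" | tr '\\' '|' ;;
        *@*)  printf '|%s\n' "$1" | tr '@' '|' ;;
        *)    printf '|%s|\n' "$1" ;;
    esac
}

# ntlm_auth_args NAME -> prints the ntlm_auth options to use for NAME.
# DOMAIN\user is sent as --domain/--username (the sAMAccountName path the
# post shows succeeding); a UPN is passed unsplit so winbind must resolve
# it itself; a bare name goes without --domain.
ntlm_auth_args() {
    oldifs=$IFS
    IFS='|'
    set -- $(split_login "$1")
    IFS=$oldifs
    domain=$1 user=$2 realm=$3
    if [ -n "$realm" ]; then
        printf '%s' "--request-nt-key --username=$user@$realm"
    elif [ -n "$domain" ]; then
        printf '%s' "--request-nt-key --domain=$domain --username=$user"
    else
        printf '%s' "--request-nt-key --username=$user"
    fi
}

# run_checks SAM_NAME UPN PASSWORD
# Live checks, in the post's order, for EXAMPLE\sam, sam and the UPN.
# Needs winbind running on a joined host and usually root.
run_checks() {
    sam=$1 upn=$2 pw=$3
    if ! command -v ntlm_auth >/dev/null 2>&1; then
        echo 'ntlm_auth/wbinfo not installed; run on the joined Samba host' >&2
        return 2
    fi
    wbinfo --ping-dc || return 1
    for form in "EXAMPLE\\$sam" "$sam" "$upn"; do
        printf '== %s\n' "$form"
        # plaintext then challenge/response, as in the post
        wbinfo -a "$form%$pw" || printf '   wbinfo -a failed\n'
        # word splitting of the options string is intentional
        if ntlm_auth $(ntlm_auth_args "$form") --password="$pw"; then
            printf '   ntlm_auth: OK\n'
        else
            printf '   ntlm_auth: failed (exit %s)\n' "$?"
        fi
    done
}

# Usage: sh upn_check.sh <sAMAccountName> <user@example.com> <password>
if [ "$#" -eq 3 ]; then
    run_checks "$@"
fi
```

If the DOMAIN\user and bare forms return NT_STATUS_OK but the UPN form does not, the problem is in how winbind resolves the UPN suffix, not in FreeRADIUS, and that is where to look (or to strip the realm before calling ntlm_auth, if sAMAccountName always equals the UPN prefix at your site).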

