[Samba] FreeRADIUS & SAMBA when Active Directory domain is not a FQDN
sbluck at hotmail.com
Wed Nov 13 20:07:25 UTC 2019
Apologies for the tardy reply, I mistakenly set the mailing list to digest...
Thanks for the suggestion, I'll ask the AD guys about this but I have a feeling it is an unlikely solution as Office 365 & Skype for Business apparently relies on the UPN. Unfortunately the local domain is a result of following Microsoft's "Best Practice" in the early 2000's which has since changed.
Since I posted this I've found some suggestions around doing a LDAP lookup first and pass the results to ntlm_auth so shall do some investigation on that.
From: Rowland penny <rpenny at samba.org>
Sent: Wednesday, 13 November 2019 11:10 AM
To: samba at lists.samba.org <samba at lists.samba.org>
Subject: Re: [Samba] FreeRADIUS & SAMBA when Active Directory domain is not a FQDN
On 12/11/2019 21:17, Steve Bluck via samba wrote:
> OS is Centos 7; FreeRADIUS Version 3.0.13; Samba version 4.9.1;
> I'm building a FreeRADIUS box for Eduroam authentication for both SP & IDP, and have hit a stumbling block I can’t figure or Google my way out of.
> The issue is the local AD domain is along the lines of ‘example.campus’, but users have a UPN of ‘user at example.com’ which was added for Skype for Business as prior the UPN was ‘user at example.campus’.
I am not a freeradius expert, but how about this, change the UPN back to
what it should be 'user at example.campus' and then add a SPN for
'user at example.com'
More information about the samba