[Samba] FreeRADIUS & SAMBA when Active Directory domain is not a FQDN

Andrew Bartlett abartlet at samba.org
Thu Nov 14 00:00:26 UTC 2019


On Wed, 2019-11-13 at 22:21 +0000, Steve Bluck via samba wrote:
> FreeRADIUS is checking for a username in the format of
> [user]@[internet domain] for Eduroam (World wide WiFi network, mostly
> used by Education), if it is not a locally defined Internet domain it
> then refers the RADIUS request to a higher level RADIUS server.
> However if it's our defined domain e.g. EXAMPLE.COM it will check
> with our AD server.
> Normally the sAMAccountName & AD domain pair is the same as the UPN,
> which is a user @ Internet Domain (some sites reference this as the
> email address but this is not technically correct).
> The problem we have is our AD domain was set up years ago and
> followed then best practice of not using a public domain internally,
> so the domain name is EXAMPLE.CAMPUS while the UPN domain is
> EXAMPLE.COM (UPN has been set this way for Office 365 & Skype for
> Business to work).
> Samba / ntlm_auth queries AD based on the sAMAccountName & AD domain
> pair but what FreeRADIUS is receiving is the UPN.

(trying again, CC to list and correct info)

Try ntlm_auth --request-nt-key --domain='' --username=TEST-USER@EXAMPLE.COM

e.g. if the UPN is [user]@[internet domain] and that is what eduroam
wants then it should work.  Samba can check against the UPN as long as
the domain is ''.

It works best in the most recent versions, we do occasionally do fixes
for this.

Andrew Bartlett
-- 
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT   
https://catalyst.net.nz/services/samba
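As an added example (not code from this thread, from Samba or from FreeRADIUS): a small POSIX shell routine that applies the rule in the reply above, checking a UPN in one of our own realms against AD through ntlm_auth with an empty --domain and leaving any other realm to the upstream eduroam server. The realm list, the ntlm_auth path and the sample names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread, Samba or FreeRADIUS): route a RADIUS
# User-Name as the reply describes. A UPN in one of our realms is checked
# against AD via ntlm_auth with an empty --domain; other realms are proxied.
LOCAL_REALMS="example.com"                     # assumed: our UPN suffix(es)
NTLM_AUTH="${NTLM_AUTH:-/usr/bin/ntlm_auth}"   # assumed binary location

# realm_of NAME: prints the text after the last '@', lower-cased (empty if none)
realm_of() {
    case "$1" in
        *@*) printf '%s\n' "${1##*@}" | tr 'A-Z' 'a-z' ;;
        *)   printf '\n' ;;
    esac
}

# is_local_realm REALM: exit 0 when REALM is one of LOCAL_REALMS
is_local_realm() {
    for r in $LOCAL_REALMS; do
        [ "$1" = "$r" ] && return 0
    done
    return 1
}

# route_user NAME: prints "LOCAL <realm>", "PROXY <realm>" or "REJECT <why>".
# Characters outside the UPN-safe set are rejected before anything else runs.
route_user() {
    case "$1" in
        *[!A-Za-z0-9._@-]*) printf 'REJECT bad-chars\n'; return 0 ;;
    esac
    realm=$(realm_of "$1")
    if [ -z "$realm" ]; then
        printf 'REJECT no-realm\n'
    elif is_local_realm "$realm"; then
        printf 'LOCAL %s\n' "$realm"
    else
        printf 'PROXY %s\n' "$realm"
    fi
}

# check_upn NAME: the command from the reply. With --domain='' Samba matches
# the UPN instead of the sAMAccountName/AD-domain pair, so EXAMPLE.CAMPUS (AD)
# and EXAMPLE.COM (UPN suffix) can differ. NAME is one argv entry: no quoting.
check_upn() {
    "$NTLM_AUTH" --request-nt-key --domain='' --username="$1"
}

# Dry run over constructed names; only route_user is exercised here.
for n in 'test-user@EXAMPLE.COM' 'alice@other.edu' 'bob' 'x;y@example.com'; do
    printf '%-24s %s\n' "$n" "$(route_user "$n")"
done
```

check_upn is only called on a host where ntlm_auth is installed and winbind is joined; its exit status is the result of the AD check.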