[Samba] FreeRADIUS & SAMBA when Active Directory domain is not a FQDN

Steve Bluck sbluck at hotmail.com
Thu Nov 14 05:22:46 UTC 2019

Thnaks Andrew, I'll try this when I'm back at work tomorrow
From: Andrew Bartlett <abartlet at samba.org>
Sent: Thursday, 14 November 2019 1:00 PM
To: Steve Bluck <sbluck at hotmail.com>; samba at lists.samba.org <samba at lists.samba.org>
Subject: Re: [Samba] FreeRADIUS & SAMBA when Active Directory domain is not a FQDN

On Wed, 2019-11-13 at 22:21 +0000, Steve Bluck via samba wrote:
> FreeRAIDUS is checking for a username in the format of
> [user]@[internet domain] for Eduroam (World wide WiFi network, mostly
> used by Education), if it is not a locally defined Internet domain it
> then refers the RADIUS request to a higher level RADIUS server.
> However if it's our defined domain e.g. EXAMPLE.COM it will check
> with our AD server.
> Normally the sAMAccountName & AD domain pair is the same as the UPN,
> which is a user @ Internet Domain (some sites reference this as the
> email address but this is not technically correct).
> The problem we have is our AD domain was set up years ago and
> followed then best practise of not using a public domain internally,
> so the domain name is EXAMPLE.CAMPUS while the UPN domain is
> EXAMPLE.COM (UPN has been set this way for Office 365 & Skype for
> Business to work).
> Samba / ntml_auth queries AD based on the sAMAccountName & AD domain
> pair but what FreeRADIUS is receiving is the UPN.

(trying again, CC to list and correct info)

Try ntlm_auth --request-nt-key --domain=''

eg if the UPN is [user]@[internet domain] and that is what eduroam
wants then it should work.  Samba can check against the UPN as long as
the domain is ''.

It works best in the most recent versions, we do occasionally do fixes
for this.

Andrew Bartlett
Andrew Bartlett
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT

More information about the samba mailing list