From: Adam on
I posted a similar message on the freeradius list a few months ago and it
was suggested I come here. Now that this effort is once again underway I am
looking for some assistance.

We are trying to replace our existing AAA solution with FreeRadius. The
user base is contained in an Active Directory single forest-multi domain
model.

The only feature of samba that we need to leverage is the ntlm_auth.

All users login via their UPN (user@company.net) regardless of which child
domain they are in.

Can samba (specifically ntlm_auth) be configured to authenticate users
against an AD Forest (multi-domain) using universal principal name (UPN) and
if so...how?

Everything "appears" configured correctly. In fact, authentication using the
"exec ntlm_auth" configuration works if the username and domain are
specified for each of the child domains. Once we tried to use the UPN
(without the domain name), it does not.

Currently the samba server is a member of one of the child domains. The
REALM in smb.conf is set to this child domain (DEPT1.COMPANY.NET).

Going back to the command line for ntlm_auth tests resulted in the
following.

Using a user account found in DEPT1.COMPANY.NET child domain

ntlm_auth --username=user1 WORKS
ntlm_auth --username=user1 --domain=DEPT1 WORKS
ntlm_auth --username=user1@company.net DOES NOT WORK

Using a user account found in DEPT2.COMPANY.NET child domain

ntlm_auth --username=user2 DOES NOT WORK
ntlm_auth --username=user2 --domain=DEPT2 WORKS
ntlm_auth --username=user2@company.net DOES NOT WORK

The error received is

NT_STATUS_NO_SUCH_USER: No such user (0xc0000064)

Hopefully this is enough information; if not, please let me know.

Adam