Hi, Thanks for the response.
Unfortunately, these particular users don't have realms in their usernames, so I think I will still need to go with multiple mschap modules, like Alan suggested. I just confirmed that there is a two way trust, so I think I should be able to figure it out from here! Thanks again, Dave A. On 2012-07-16, at 11:23 AM, Francois Gaudreault wrote: Hi David, If your domains have trust configured (which I hope), use REALMS (proxy.conf). Add the --domain %{Realm} to your ntlm_auth line, and you should be OK. If you domains doesn't have a trust, then you are in trouble. You can only join the server to 1 domain, so ntlm_auth will always fail for one of the two domain. Hope it helps! On 12-07-16 11:12 AM, David Aldwinckle wrote: > Hello, > > I currently use PEAP and the mschap module to call ntlm_auth and authenticate > against Active Directory. The FreeRadius server is currently joined to > domain1. > > It may come about in the near future that I need to query two different > domains before failing a request. Unlang says I can do this: > > redundant { > mschap.domain1 > mschap.domain2 > } > > Where mschap.domain{1,2} are copies of the stock mschap module, with the new > domain plugged in. > > Will this work? Do I need to change the Samba configuration? > > In a quick test, with the server in domain1, I ran ntlm_auth and specified > domain2, which failed to authenticate the user. > > Thanks, > Dave A. > > > - > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html > > -- Francois Gaudreault, ing. jr fgaudrea...@inverse.ca :: +1.514.447.4918 (x130) :: www.inverse.ca Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org) - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html