Active Directory authentication should use the Global Catalog
I have 5 sub-domains in my forest. Only accounts at the forest root can log in without having to type in their domain.
If the Smoothie were able to make its LDAP queries to the Global Catalog, no one, in any domain, would have to type in their domain information.
Every product I have, that uses Active Directory for authentication, has the capability to use the Global Catalog. I can't figure out why SmoothWall does not.
Another explanation from the same developer:
"We support NTLM authentication, and the only way to verify an NTLM handshake is via RPC using a computer account. This is implemented in Smoothwall using Samba, which also manages things like failover between multiple domain controllers and automatic Kerberos configuration. The authentication service asks Samba to resolve the username, which makes the decision to use RPC or LDAP. RPC is preferred in this case because it is compatible with more versions of Windows; other tasks do use LDAP.

So Smoothwall has access to the same information that those other systems have, but its searches are more specific because it doesn't assume that you have ensured usernames are unique in the forest."
He and I were talking, and it's theoretically possible to make the Smoothwall assume usernames are unique, but that has obvious drawbacks if that's not true...
We've added it to our (long) list of ideas, along with a few other intriguing ideas that have come from this conversation - so thank you very much!
Jay Duff commented
I understand the concern now. Our wireless BYOD solution (Ruckus) uses the GC, and can tell the differences between users by looking at the Distinguished Name rather than the SAMAccountName. It's on us to make sure that any user name overlaps are handled correctly. We make sure there aren't any.
I'm curious what the advantage of using RPC over LDAP (or even LDAPS) is. I imagine that's why you need a computer account set up when using the domain. I know my LDAP/S users (Ruckus, Destiny, Equitrac, Google Active Directory Sync, etc) don't need that. Switching might make installation slightly simpler, unless you're using the Active Directory connection for more than just AAA.
As for using Kerberos - I haven't had much experience with it, so I think I'll leave the testing of it to someone more qualified! :)
Glad to hear we were able to provide a work around!
I've been looking into your suggestion and one of our developers explained:
"Smoothwall actually uses RPC protocol to resolve usernames, not LDAP. It has access to all user accounts, including those in other domains, but the reason they have to qualify their name fully is to avoid ambiguity. An unqualified username is unique within a domain, but two users in the forest may have identical short names. This wouldn't change even if you used the global catalogue - the short names could still exist in multiple domains.

Here Smoothwall behaves in the same way as a Windows workstation would. If a user logged into a workstation joined to a different domain, they would have to qualify their username.

Users in a domain commonly authenticate using a single sign-on method, such as Kerberos, NTLM, or a Kerberos login script, which means the domain is specified automatically."
So that might have been another solution - but would depend on your setup. If you're interested in trying Kerberos login scripts (which is a relatively new feature) then please contact support.
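The ambiguity the developer describes above, and Jay Duff's point that the Distinguished Name (not the sAMAccountName) is what actually distinguishes users forest-wide, can be shown with a small simulation. This is an added example, not Smoothwall's, Samba's or Ruckus's code: the in-memory forest, the domain names, the account names and the function names are all constructed, and `gc_search` stands in for an LDAP search against the Global Catalog rather than contacting a directory.

```python
"""Simulated Global Catalog lookup that refuses ambiguous short names.

Constructed example: FOREST below is an in-memory stand-in for the entries a
Global Catalog search would return; no real directory is contacted.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class GcEntry:
    sam_account_name: str    # short name: unique only within its own domain
    netbios_domain: str      # e.g. CORP
    dns_domain: str          # e.g. corp.example.com
    distinguished_name: str  # unique across the whole forest


# Constructed sample forest: a root domain plus two child domains, with a
# deliberate short-name collision ("jduff") between CORP and SALES.
FOREST = [
    GcEntry("jduff", "CORP", "corp.example.com",
            "CN=Jay Duff,OU=Staff,DC=corp,DC=example,DC=com"),
    GcEntry("jduff", "SALES", "sales.corp.example.com",
            "CN=Jane Duffy,OU=Staff,DC=sales,DC=corp,DC=example,DC=com"),
    GcEntry("dennis", "NC", "nc.corp.example.com",
            "CN=Dennis,OU=Staff,DC=nc,DC=corp,DC=example,DC=com"),
]


class AmbiguousUsername(ValueError):
    """An unqualified name matched accounts in more than one domain."""


class UnknownUser(KeyError):
    """No account in the forest carries that short name / domain."""


def parse_login(login: str):
    """Split 'DOMAIN\\user', 'user@dns.domain' or bare 'user' into (user, domain or None)."""
    if "\\" in login:
        domain, user = login.split("\\", 1)
        return user, domain.upper()        # NetBIOS names are case-insensitive
    if "@" in login:
        user, domain = login.rsplit("@", 1)
        return user, domain.lower()        # DNS names are case-insensitive
    return login, None


def gc_search(sam_account_name: str):
    """Stand-in for a forest-wide GC search on (sAMAccountName=<name>)."""
    return [e for e in FOREST
            if e.sam_account_name.lower() == sam_account_name.lower()]


def resolve_user(login: str, assume_unique: bool = False) -> str:
    """Map a login string to exactly one Distinguished Name.

    A qualified login narrows the GC result to one domain. A bare login is
    accepted only if it is unique in the forest; with assume_unique=True the
    first hit is taken instead, which is the drawback the developer mentions:
    the wrong account could be authenticated.
    """
    user, domain = parse_login(login)
    matches = gc_search(user)
    if domain is not None:
        matches = [e for e in matches
                   if e.netbios_domain == domain or e.dns_domain == domain]
    if not matches:
        raise UnknownUser(login)
    if len(matches) > 1:
        if assume_unique:
            return matches[0].distinguished_name   # silently picks one account
        domains = [e.netbios_domain for e in matches]
        raise AmbiguousUsername(
            f"{user!r} exists in {domains}; qualify it as DOMAIN\\user or user@domain")
    return matches[0].distinguished_name


if __name__ == "__main__":
    print(resolve_user("dennis"))                        # unique forest-wide: fine
    print(resolve_user("CORP\\jduff"))                   # qualified: fine
    print(resolve_user("jduff@sales.corp.example.com"))  # qualified: fine
    try:
        resolve_user("jduff")                            # bare and duplicated
    except AmbiguousUsername as exc:
        print("rejected:", exc)
```

The point the simulation makes is that the GC only widens the search scope; it does not make short names unique, so a product that uses it still has to either require a qualified name when the short name collides or, as Jay's wireless setup does, rely on the organisation guaranteeing there are no collisions.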
Jay Duff commented
Dennis, at your North Carolina location, pointed out that we can add each subdomain as an additional directory, and that is a viable workaround. However, using the Global Catalog is a much more elegant solution. I'll take this down to 1 vote though. :)