FreeRadius List wrote:
> I use redundant-load-balance for ldap user auth to authenticate users to
> a pool of active directory servers for one service. That seems to work well.

Because the LDAP module maintains a long-lived connection to the LDAP server.

> I'm trying to think why I don't do that for ntlmauth (used inside mschap
> inner-tunnel) for another service.

It won't work for ntlm_auth. That re-connects to Samba every time. Samba is responsible for maintaining long-lived connections to AD.

If ntlm_auth fails, it's because (a) Samba is down, or (b) the AD server is down.

> I've knocked that up to test it with mschap modules like (with N being
> 1,2,3,4,5)
>
> mschap mschapadN {
>     with_ntdomain_hack = yes
>     ntlm_auth = "/usr/local/bin/mschap-ntlm_auth --request-nt-key
>                 --username=%{%{Stripped-User-Name}:-%{User-Name:-None}}
>                 --challenge=%{mschap:Challenge:-00}
>                 --nt-response=%{mschap:NT-Response:-00}
>                 --configfile=/etc/samba/smb-adN.conf"
> }
>
> where /etc/samba/smb-adN.conf is the same as the others except for
> "password server = adN.domain"

I'm not sure that will work. You'll have to check with the Samba people.

> Is this along the lines that others follow?

No. I've never seen this before.

> If not, how does ntlmauth handle the AD server being down? Does
> ntlmauth/winbind handle AD being down so freeradius does not have to?

Samba handles it.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html