Re: [RADIATOR] AuthByLSA group issue if DC controller is unavailable.

2015-04-03 Thread Johnson, Neil M
No, I do not have it set. We have multiple DCs for redundancy and scaling and I 
didn’t want to be tied to one particular DC.

However the last two nights when our Server Team performed some DC hardware 
migrations, users could not authenticate to the Wireless Service while a 
particular DC was unavailable.

The error in the log was “User Not Found”.


-Neil

-- 
Neil Johnson
Network Engineer
The University of Iowa
Phone: 319 384-0938
Fax: 319 335-2951
E-Mail: neil-john...@uiowa.edu



 On Apr 3, 2015, at 10:28 AM, Robert Fisher rob...@sitestar.net wrote:
 
 Neil:
 
 Would you please clarify, do you have the DomainController variable set?
 
 The way I'm reading this code, it should call the GetAnyDomainController
 each time the sub routine is called unless that variable is set.
 
 Robert Fisher
 Systems Administrator
 Sitestar Internet Services
 
 On 4/3/2015 9:17 AM, Johnson, Neil M wrote:
 We are having issues with Authentication failures using AuthByLSA when the 
 workstation fails over to another Domain Controller.
 
 The issue is that we do a group membership check in our AuthByLSA Handler.
 
 It appears from the code below that if you don’t specify a DC it picks one 
 the first time it checks for group membership and keeps using it even if the 
 DC becomes unavailable.
 
 Code is from the method “userIsInGroup” in AuthByLSA.pm.
 
 
  # Find the controller to use
  my $controller = $self->{DomainController};
  if (!defined $controller)
  {
      $controller = $self->{controllers}{$domain};
      if (!defined $controller)
      {
          Win32::NetAdmin::GetAnyDomainController(undef, $domain, $controller);
          $self->{controllers}{$domain} = $controller;
      }
  }
  $self->log($main::LOG_DEBUG, "Checking LSA Group membership for $controller, $group, $username");
  return Win32::NetAdmin::GroupIsMember($controller, $group, $username)
      || Win32::NetAdmin::LocalGroupIsMember($controller, $group, $username);
 
 Is it possible to add code to check for a DC failure and then repeat the 
 call to “Win32::NetAdmin::GetAnyDomainController” in this subroutine?
 
 Thanks.
 
 -Neil
 
 
 ___
 radiator mailing list
 radiator@open.com.au
 http://www.open.com.au/mailman/listinfo/radiator


Re: [RADIATOR] AuthByLSA group issue if DC controller is unavailable.

2015-04-03 Thread Robert Fisher
Rereading the code, I see what you're talking about. Although, after looking
at the Win32::NetAdmin module, I don't see any direct support for DC
failover, or even detecting when a DC is unavailable -- while I do see where
you could use Win32::NetAdmin::GetServers to list the PDC and BDC, I don't
see how you would have it inform the code to retry against the second
server. Sadly the MSDN pages for the GetDomainController method do not seem
to shed any light on this either.

The only thing I've found about reliably testing the availability of a DC
is to make a DNS SRV and LDAP query outside of the Win32 hierarchy.

What comes to mind is that you could try commenting out the second if block
and the references to $self->{controllers}{$domain} to force it to call
GetAnyDomainController each time.

Two real issues with that approach... The first is that since I can't find
the documentation for the underlying C library, I don't know if that search
would include inactive DCs or not, and I don't have an AD environment to
test it on directly.

The second issue is that it obviously pushes the processing time per
request up; although hopefully not by much.

Robert Fisher
Systems Administrator
Sitestar Internet Services

On 4/3/2015 11:34 AM, Johnson, Neil M wrote:
 No, I do not have it set. We have multiple DCs for redundancy and scaling and 
 I didn’t want to be tied to one particular DC.

 However the last two nights when our Server Team performed some DC hardware 
 migrations, users could not authenticate to the Wireless Service while a 
 particular DC was unavailable.

 The error in the log was “User Not Found”.


 -Neil


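The retry Neil asks for and Robert weighs above, as an added example that is not Radiator's or Win32::NetAdmin's code: the per-domain controller cache from userIsInGroup, extended so that an unreachable controller is dropped from the cache and the check is repeated once against a freshly located one. The two Win32::NetAdmin calls are replaced by injectable coderefs so the logic runs anywhere; signalling an unreachable DC by dying is an assumption, since the thread does not establish how the real module reports it.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Group check with a per-domain controller cache, as in userIsInGroup, plus
# failover: a controller that cannot be reached is forgotten and the check is
# repeated once against whatever controller is found next.
# $state->{find_dc}   stands in for Win32::NetAdmin::GetAnyDomainController
# $state->{is_member} stands in for GroupIsMember: returns 1 or 0 for a
#                     definitive answer and dies when the DC is unreachable
#                     (assumed failure signal, not the module's real behaviour)
sub user_is_in_group {
    my ($state, $domain, $group, $username) = @_;
    for my $attempt (1, 2) {                  # original call plus one retry
        my $controller = $state->{controllers}{$domain};
        if (!defined $controller) {
            $controller = $state->{find_dc}->($domain);
            die "no domain controller available for $domain\n"
                unless defined $controller;
            $state->{controllers}{$domain} = $controller;
        }
        my $result = eval { $state->{is_member}->($controller, $group, $username) };
        return $result if defined $result;    # 1 = member, 0 = not a member
        # Unreachable controller: log it distinctly from "not a member" so an
        # outage is not mistaken for a denied user, then drop the cache entry.
        warn "attempt $attempt: controller $controller unreachable: $@";
        delete $state->{controllers}{$domain};
    }
    return 0;   # every controller tried was unreachable: fail closed, deny
}

# Constructed data: two DCs for domain CORP; dc1, the cached one, has just
# gone down, mirroring the hardware migration described in the thread.
my %dc_up   = (dc1 => 0, dc2 => 1);
my %members = (dc2 => { 'Wireless-Users' => { neil => 1 } });
my %state = (
    controllers => { CORP => 'dc1' },         # stale cache entry
    find_dc     => sub { (grep { $dc_up{$_} } sort keys %dc_up)[0] },
    is_member   => sub {
        my ($dc, $group, $user) = @_;
        die "DC unavailable\n" unless $dc_up{$dc};
        return $members{$dc}{$group}{$user} ? 1 : 0;
    },
);

my $ok = user_is_in_group(\%state, 'CORP', 'Wireless-Users', 'neil');
print "neil in Wireless-Users: $ok (via $state{controllers}{CORP})\n";
$ok = user_is_in_group(\%state, 'CORP', 'Wireless-Users', 'mallory');
print "mallory in Wireless-Users: $ok\n";
```

The first call fails over from the stale dc1 entry to dc2 and answers from there; the second call is a genuine "not a member" and is answered without any retry, which is the distinction the "User Not Found" log line hid.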