redundant-load-balance for AD ntlmauth

FreeRadius List maillist-freeradius at iamafreeman.com
Tue Apr 30 00:03:42 CEST 2013


Thank you, I'll check with the Samba people and get a better understanding
of how ntlm_auth works.
On 29 Apr 2013 13:58, "Alan DeKok" <aland at deployingradius.com> wrote:

> FreeRadius List wrote:
> > I use redundant-load-balance for ldap user auth to authenticate users to
> > a pool of active directory servers for one service. That seems to work
> > well.
>
>   Because the LDAP module maintains a long-lived connection to the LDAP
> server.
>
> > I'm trying to think why I don't do that for ntlmauth (used inside mschap
> > inner-tunnel) for another service.
>
>   It won't work for ntlm_auth.  That re-connects to Samba every time.
>
>   Samba is responsible for maintaining long-lived connections to AD.  If
> ntlm_auth fails, it's because (a) Samba is down, or (b) the AD server is
> down.
>
> > I've knocked that up to test it with mschap modules like (with N being
> > 1,2,3,4,5)
> >
> > mschap mschapadN {
> >     with_ntdomain_hack = yes
> >     ntlm_auth = "/usr/local/bin/mschap-ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00} --configfile=/etc/samba/smb-adN.conf"
> > }
> >
> > where /etc/samba/smb-adN.conf is the same as the others except for
> > "password server = adN.domain"
>
>   I'm not sure that will work.  You'll have to check with the Samba people.
>
> > Is this along the lines that others follow?
>
>   No.  I've never seen this before.
>
> > If not, how does ntlmauth handle the AD server being down?  Does
> > ntlmauth/winbind handle AD being down so freeradius does not have to?
>
>   Samba handles it.
>
>   Alan DeKok.