FreeRadius List wrote:
I use redundant-load-balance for ldap user auth to authenticate users to a pool of active directory servers for one service. That seems to work well.
Because the LDAP module maintains a long-lived connection to the LDAP server.
I'm trying to think why I don't do that for ntlmauth (used inside mschap inner-tunnel) for another other service.
It won't work for ntlm_auth. That re-connects to Samba every time. Samba is responsible for maintaining long-lived connections to AD. If ntlm_auth fails, it's because (a) Samba is down, or (b) the AD server is down.
I've knocked that up to test it with mschap modules like (with N being 1,2,3,4,5)
mschap mschapadN { with_ntdomain_hack = yes ntlm_auth = "/usr/local/bin/mschap-ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00} --configfile=/etc/samba/smb-adN.conf" }
where /etc/samba/smb-adN.conf is the same as the others except for "password server = adN.domain"
I'm not sure that will work. You'll have to check with the Samba people.
Is this along the lines that others follow?
No. I've never seen this before.
if not how does ntlmauth handle the AD server being down. Does ntlmauth/winbind handle AD being down so freeradius does not have to?
Samba handles it. Alan DeKok.