The problem seems to be ntlm_auth doesnt see that the winbindd privileged pipe and winbindd socket is running in a custom directory. IIRC ntlm_auth connects to winbindd using the /tmp/.winbindd/pipe pipe, and then queries winbindd over that pipe what the location of the priv pipe is. So if you've got two winbindds both with /tmp/.winbindd/pipe, only one of those is going to work. Assuming the two copies of Samba were compiled with different locations then it might work. I'd be inclined to strace all the things and see what's really happening. I'd expect that if you built Samba and installed in /opt/samba1/ and /opt/samba2/ and then ran /opt/samba1/ntlm_auth and /opt/samba2/ntlm_auth that the locations would probably be separate and all would be OK. But running two copies of Samba on the same box is hardly a standard setup, so you're likely to be on your own. Or you could just proxy the RADIUS request to a separate VM with another instance of Samba on it and save the unusual setup. Matthew -- Matthew Newton, Ph.D. <mcn4@leicester.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
Hi Matthew, Sorry I am back with this one. After digging through tons of samba source I have finally managed to reach a stage where Winbind is now running completely separately so just need to sort out ntlm_auth. Looking through the source code I stumbled upon the following file in nsswitch and saw your name as the author :) hope its the same Matthew :) nsswitch/wb_common.c Now previously it seems like it was possible to set the Winbind Socket directory via an environment variable ( http://samba.2283325.n4.nabble.com/NTLM-Authentication-against-multiple -domain-comtrollers-td3024825.html ) This seems to have gone now looking at the code static const char *winbindd_socket_dir(void) { if (nss_wrapper_enabled()) { const char *env_dir; env_dir = getenv("SELFTEST_WINBINDD_SOCKET_DIR"); if (env_dir != NULL) { return env_dir; } } return WINBINDD_SOCKET_DIR; } Can you see any issues if I changed this to return a custom environment variable instead ? Also from a FR perspective I am considering chrooting ntlm_auth ? Your help is much appreciated. Many Thanks Arnab Sent: Monday, May 22, 2017 at 12:37 PM From: "Matthew Newton" <mcn4@leicester.ac.uk> To: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Subject: Re: Freeradius Multiple Disjoint Ad Domains On Mon, May 22, 2017 at 01:27:53PM +0200, Arnab Roy wrote: - List info/subscribe/unsubscribe? See [1]http://www.freeradius.org/list/users.html References 1. http://www.freeradius.org/list/users.html