Backend Retry option
Phil Mayers
p.mayers at imperial.ac.uk
Mon Mar 20 20:31:13 CET 2006
Craig T. Hancock wrote:
> My specific concern is that in order to do PEAP authentication (which is
> outside freeradius's control) the ntlm_auth executable looks at the smb.conf
> file to tell it where to send passwords using the smb.conf file
> "password server" option which only allows for one server name.

Are you concerned that the smb.conf "password server" will be down? In
which case, set it to "*" (and ensure your WINS or DNS for "security =
ads" are reliable) or a space-separated "srv1 srv2".

Or are you wanting to potentially authenticate against different sets of
domain controllers? In which case investigate the use of a cross-realm
trust. If you are unable to do that, you can supply the "smb.conf"
argument with "-s" to winbind, so you could instantiate >1 copy of the
mschap module talking to >1 installation of samba:

modules {
    mschap mschap1 {
        authtype = MS-CHAP1
        ntlm_auth = "/path1/bin/ntlm_auth -s /path1/etc/smb.conf <REST>"
    }
    mschap mschap2 {
        authtype = MS-CHAP2
        ntlm_auth = "/path2/bin/ntlm_auth -s /path2/etc/smb.conf <REST>"
    }
}

authorize {
    preprocess
    # set the Autz-Type in the files module based on the user/realm
    files
    Autz-Type group1 {
        mschap1
    }
    Autz-Type group2 {
        mschap2
    }
}

authenticate {
    Auth-Type MS-CHAP1 {
        mschap1
    }
    Auth-Type MS-CHAP2 {
        mschap2
    }
}

>
> Maybe this is inappropriate and I apologize, but correct me if I'm
> wrong: when specifying the backend store in freeradius it only takes
> one server backend, not multiple. So even if I were to spread the Radius
> load to multiple servers I still only have the option of one server
> per backend, so I don't see how that addresses my overall issue?
>
> Any advice is greatly appreciated.
>
>> Don't. Load balance it by configuring load balancing in radiusd.conf.
>>
>> Alan DeKok.
>> - List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
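
A check for the single-server case discussed in this thread, as an added example that is not part of the original messages: it reads the [global] section of an smb.conf and reports whether "password server" names one host, several, or "*". The sample files, host names and function names are constructed for illustration.

```python
import re

# Constructed sample smb.conf files (not from the original thread).
SAMPLE_SINGLE = """\
[global]
   security = ads
   ; one DC only: ntlm_auth has nowhere else to go if it is down
   Password Server = dc1.example.org
"""
SAMPLE_LIST = """\
[global]
   security = ads
   password server = srv1 srv2
"""
SAMPLE_AUTO = "[global]\npassword server = *\n"


def global_params(text):
    """Return the [global] parameters of an smb.conf as a dict.

    Names are case-insensitive and whitespace inside them is ignored,
    so they are normalised ("Password Server" -> "passwordserver").
    """
    params, section = {}, None
    text = re.sub(r"\\\r?\n", "", text)          # join continuation lines
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)     # only the first '=' counts
            params[re.sub(r"\s+", "", name).lower()] = value.strip()
    return params


def password_server_redundancy(text):
    """Classify 'password server' as auto, multiple, single or unset."""
    value = global_params(text).get("passwordserver", "")
    servers = [s for s in re.split(r"[,\s]+", value) if s]
    if not servers:
        return "unset"                           # Samba's built-in default applies
    if "*" in servers:
        return "auto"                            # DCs located via WINS/DNS
    return "multiple" if len(servers) > 1 else "single"
```

A result of "single" is the case to fix; with two Samba installations as in the configuration above, run the check against each smb.conf passed with "-s".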