redundant load balancing and mschap

Phil Mayers p.mayers at
Fri Aug 24 23:23:26 CEST 2012

On 08/24/2012 08:11 PM, McNutt, Justin M. wrote:
> Grrr...
> This is probably a Samba issue - a known one? - but I can't seem to get
> AD authentications to hit multiple DCs.  Everything goes to the one

This is indeed a Samba issue, and unfortunately a hard one to fix.

ntlm_auth doesn't talk over the network - rather, it talks over a Unix 
socket to winbind. Winbind maintains a *single* open session to a DC, 
and sends all the domain RPCs down this pipe.

Winbind discovers the DC from the AD subnet/site queries and builds an 
app-specific kerberos config that will show you this - see 

If you want to force connections to separate domain controllers, you'll 
need separate smbd/winbindd instances running, with their own unix 
sockets and smb.conf setups. This will probably be hard, and fragile.

My advice - don't, unless you really really need to.

More information about the Freeradius-Users mailing list