redundant load balancing and mschap

McNutt, Justin M. McNuttJ at
Sat Aug 25 00:35:36 CEST 2012

Alan D. and Alan B. are correct.  Whatever this is, it isn't FreeRADIUS that isn't behaving.  Radiusd -XC shows that pretty conclusively.  At this point, if any of you are using Samba/ntlm_auth to handle the back-end authentication for FreeRADIUS, your advice is welcome, but it's definitely a Samba issue at this point.  (Possibly even a Kerberos issue, though the way Samba does Kerberos is a little... odd...)

Fortunately, the only Samba-related daemons actually running on my FR host are the two instances of winbindd.  Smbd and nmbd are not in the process list.  (Actually, my server admins have been doing their jobs.  There isn't much in the process list AT ALL.  But I digress...)

Attempts to use the -s option with ntlm_auth to force the "password server" option in smb.conf to vary have failed.

Setting multiple servers in the main smb.conf is an option:

  password server = server1 server2 server3

...however, ntlm_auth doesn't seem to use them.  For whatever reason, it seems to always talk to server1, even when only server2 is listed in any config file I can find.

Queries to domain controllers on port 3269 DO seem to round-robin, though I couldn't tell you why for sure.

Any advice is welcome, though technically off-topic at this point.  I'm going to have to hack on Samba until it gives me what I want.


-----Original Message-----
From: at [ at] On Behalf Of alan buxey
Sent: Friday, August 24, 2012 3:59 PM
To: FreeRadius users mailing list
Subject: Re: redundant load balancing and mschap


>    Authentication *works*, but all authentications go to the same DC (the one
>    specified in "mschap2").  Running "radiusd -X" shows that all mschap1/2/3
>    instances are being called, and no authentication *attempts* are being
>    sent to the other two domain controllers.  (1 and 3 aren't failing.  They
>    just aren't *tried*.)

i would advise to increase debuggin in smbd/winbindd and for ntlm_auth

also check your samba and kerberos configs to see how you are querying the KDC - are you specifying particular names?  It could be that your client did a DNS lookup, cached that answer and doesnt want to use anything else - a few entries in /etc/hosts might be in order

List info/subscribe/unsubscribe? See

More information about the Freeradius-Users mailing list