redundant load balancing and mschap

McNutt, Justin M. McNuttJ at missouri.edu
Sat Aug 25 01:30:33 CEST 2012


Because there are so many "files" (pipes, actual files, etc.) whose locations are hard-coded into winbind, the only way to even begin to try to run multiple instances of winbind would be through chroot-ed setups, which would probably mean that ntlm_auth would also have to run in the same chroot-ed environment in order to locate the correct pipe.

Messy.  And that's still assuming that I can force a given instance of winbind to talk to the DC I want.  Need to start from that angle and see where I get.

--J

-----Original Message-----
From: freeradius-users-bounces+mcnuttj=missouri.edu at lists.freeradius.org [mailto:freeradius-users-bounces+mcnuttj=missouri.edu at lists.freeradius.org] On Behalf Of Phil Mayers
Sent: Friday, August 24, 2012 4:23 PM
To: freeradius-users at lists.freeradius.org
Subject: Re: redundant load balancing and mschap

On 08/24/2012 08:11 PM, McNutt, Justin M. wrote:
> Grrr...
> This is probably a Samba issue - a known one? - but I can't seem to 
> get AD authentications to hit multiple DCs.  Everything goes to the 
> one

This is indeed a Samba issue, and unfortunately a hard one to fix.

ntlm_auth doesn't talk over the network - rather, it talks over a Unix socket to winbind. Winbind maintains a *single* open session to a DC, and sends all the domain RPCs down this pipe.

Winbind discovers the DC from the AD subnet/site queries and builds an app-specific kerberos config that will show you this - see /var/lib/samba/smb_krb5/krb5.conf.<DOMNAME>

If you want to force connections to separate domain controllers, you'll need separate smbd/winbindd instances running, with their own unix sockets and smb.conf setups. This will probably be hard, and fragile.

My advice - don't, unless you really really need to.
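Since winbind's DC choice is only visible indirectly, one thing a practitioner will want is a way to confirm, from the generated per-domain krb5.conf Phil points at, which DC winbind has actually latched onto. The script below is an added example, not code from this thread or from Samba: it parses a winbind-style krb5.conf and reports how many distinct KDCs it lists, flagging the single-DC case the thread describes. The file path format (/var/lib/samba/smb_krb5/krb5.conf.<DOMNAME>) comes from the thread; the realm name and address in the embedded sample are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or from Samba).
# Inspect a winbind-generated krb5.conf (on a live host this is
# /var/lib/samba/smb_krb5/krb5.conf.<DOMNAME>, per the thread) and
# report which KDC(s) winbind has been handed. Because ntlm_auth only
# talks to winbind, and winbind keeps one DC session, a single kdc line
# here means every MS-CHAP/NTLM authentication depends on that one DC.

# Print the value of every "kdc = ..." line in the file given as $1.
winbind_kdcs() {
    sed -n 's/^[[:space:]]*kdc[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1"
}

# Count distinct KDCs listed in the file given as $1.
winbind_kdc_count() {
    winbind_kdcs "$1" | sort -u | wc -l | tr -d ' '
}

# Constructed sample standing in for krb5.conf.<DOMNAME>; the realm
# EXAMPLE.COM and the address 192.0.2.10 are placeholders, not values
# taken from the thread.
SAMPLE_KRB5="${TMPDIR:-/tmp}/krb5.conf.EXAMPLE.sample.$$"
cat > "$SAMPLE_KRB5" <<'EOF'
[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_realm = false
    dns_lookup_kdc = true

[realms]
    EXAMPLE.COM = {
        kdc = 192.0.2.10
    }
EOF

# Stand-alone run: warn when winbind is pinned to exactly one DC.
if [ "$(winbind_kdc_count "$SAMPLE_KRB5")" -eq 1 ]; then
    echo "winbind is pinned to a single DC: $(winbind_kdcs "$SAMPLE_KRB5")"
else
    echo "winbind lists these KDCs:"
    winbind_kdcs "$SAMPLE_KRB5"
fi
```

To use it against a real host, point winbind_kdcs at the actual krb5.conf.<DOMNAME> file instead of the sample; a count of one is the expected (and, per the thread, unavoidable without separate winbindd instances) result, so the check is useful mainly as a monitoring item that records which DC the RADIUS server currently depends on, together with `wbinfo --ping-dc` to confirm that session is still alive.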