redundant load balancing and mschap
McNutt, Justin M.
McNuttJ at missouri.edu
Sat Aug 25 01:30:33 CEST 2012
Because there are so many "files" (pipes, actual files, etc.) whose locations are hard-coded into winbind, the only way to even begin to try to run multiple instances of winbind would be through chroot-ed setups, which would probably mean that ntlm_auth would also have to run in the same chroot-ed environment in order to locate the correct pipe.
Messy. And that's still assuming that I can force a given instance of winbind to talk to the DC I want. Need to start from that angle and see where I get.
--J
-----Original Message-----
From: freeradius-users-bounces+mcnuttj=missouri.edu at lists.freeradius.org [mailto:freeradius-users-bounces+mcnuttj=missouri.edu at lists.freeradius.org] On Behalf Of Phil Mayers
Sent: Friday, August 24, 2012 4:23 PM
To: freeradius-users at lists.freeradius.org
Subject: Re: redundant load balancing and mschap
On 08/24/2012 08:11 PM, McNutt, Justin M. wrote:
> Grrr...
> This is probably a Samba issue - a known one? - but I can't seem to
> get AD authentications to hit multiple DCs. Everything goes to the
> one
This is indeed a Samba issue, and unfortunately a hard one to fix.
ntlm_auth doesn't talk over the network - rather, it talks over a Unix socket to winbind. Winbind maintains a *single* open session to a DC, and sends all the domain RPCs down this pipe.
Winbind discovers the DC from the AD subnet/site queries and builds an app-specific kerberos config that will show you this - see /var/lib/samba/smb_krb5/krb5.conf.<DOMNAME>
If you want to force connections to separate domain controllers, you'll need separate smbd/winbindd instances running, with their own unix sockets and smb.conf setups. This will probably be hard, and fragile.
My advice - don't, unless you really really need to.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
More information about the Freeradius-Users
mailing list