redundant-load-balance for AD ntlmauth

Alan DeKok aland at
Mon Apr 29 14:48:55 CEST 2013

FreeRadius List wrote:
> I use redundant-load-balance for ldap user auth to authenticate users to
> a pool of active directory servers for one service. That seems to work well.

  Because the LDAP module maintains a long-lived connection to the LDAP

> I'm trying to think why I don't do that for ntlmauth (used inside mschap
> inner-tunnel) for another service.

  It won't work for ntlm_auth.  That re-connects to Samba every time.

  Samba is responsible for maintaining long-lived connections to AD.  If
ntlm_auth fails, it's because (a) Samba is down, or (b) the AD server is

> I've knocked that up to test it with mschap modules like (with N being
> 1,2,3,4,5)
> mschap mschapadN {
>     with_ntdomain_hack = yes
>     ntlm_auth = "/usr/local/bin/mschap-ntlm_auth --request-nt-key
> --username=%{%{Stripped-User-Name}:-%{User-Name:-None}}
> --challenge=%{mschap:Challenge:-00}
> --nt-response=%{mschap:NT-Response:-00}
> --configfile=/etc/samba/smb-adN.conf"
> }
> where /etc/samba/smb-adN.conf is the same as the others except for
> "password server = adN.domain"

  I'm not sure that will work.  You'll have to check with the Samba people.

> Is this along the lines that others follow?

  No.  I've never seen this before.

> If not, how does ntlmauth handle the AD server being down? Does ntlmauth/winbind handle AD being
> down so freeradius does not have to?

  Samba handles it.

  Alan DeKok.
