Craig T. Hancock wrote:
My specific concern is that in order to do PEAP authentication (which is
outside FreeRADIUS's control), the ntlm_auth executable looks at the smb.conf
file to tell it where to send passwords, using the smb.conf
"password server" option, which only allows for one server name.
Are you concerned that the smb.conf "password server" will be down? In
which case, set it to "*" (and ensure your WINS or DNS for "security =
ads" are reliable) or a space-separated "srv1 srv2".
Or are you wanting to potentially authenticate against different sets of
domain controllers? In which case investigate the use of a cross-realm
trust. If you are unable to do that, you can supply the "smb.conf"
argument with "-s" to winbind, so you could instantiate >1 copy of the
mschap module talking to >1 installation of samba:
modules {
    mschap mschap1 {
        authtype = MS-CHAP1
        # <REST> stands for the usual ntlm_auth arguments
        ntlm_auth = "/path1/bin/ntlm_auth -s /path1/etc/smb.conf <REST>"
    }
    mschap mschap2 {
        authtype = MS-CHAP2
        ntlm_auth = "/path2/bin/ntlm_auth -s /path2/etc/smb.conf <REST>"
    }
}
authorize {
    preprocess
    # set the Autz-Type in the files module based on the user/realm
    files
    Autz-Type group1 {
        mschap1
    }
    Autz-Type group2 {
        mschap2
    }
}
authenticate {
    Auth-Type MS-CHAP1 {
        mschap1
    }
    Auth-Type MS-CHAP2 {
        mschap2
    }
}
Maybe this is inappropriate and I apologize, but correct me if I'm
wrong: when specifying the backend store in FreeRADIUS, it only takes
one server backend, not multiple. So even if I were to spread the RADIUS
load to multiple servers, I still only have the option of one server
per backend, so I don't see how that addresses my overall issue?
Any advice is greatly appreciated.
Don't. Load balance it by configuring load balancing in radiusd.conf.
Alan DeKok.
- List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
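As an added example (it is not part of the thread and not FreeRADIUS's stock configuration), here is what "configure load balancing in radiusd.conf" looks like when combined with the two-instance mschap setup from the earlier reply. It assumes two Samba installations under the hypothetical paths /path1 and /path2, both joined to the same domain (or to domains with a trust), so that either one is an acceptable place to verify any user's password; the ntlm_auth arguments are the ones the FreeRADIUS mschap module's example config uses, and the redundant-load-balance keyword is FreeRADIUS's own (see the configurable_failover document shipped with the server source).

```unlang
modules {
    # One mschap instance per Samba installation. Both use the default
    # authtype (MS-CHAP), so either can handle any MS-CHAP request.
    mschap mschap1 {
        ntlm_auth = "/path1/bin/ntlm_auth -s /path1/etc/smb.conf --request-nt-key --username=%{mschap:User-Name:-None} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
    }
    mschap mschap2 {
        ntlm_auth = "/path2/bin/ntlm_auth -s /path2/etc/smb.conf --request-nt-key --username=%{mschap:User-Name:-None} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
    }
}

authorize {
    preprocess
    # In authorize the module only looks for MS-CHAP attributes and sets
    # Auth-Type := MS-CHAP; one instance is enough for that.
    mschap1
    files
}

authenticate {
    Auth-Type MS-CHAP {
        # Spread requests across both Samba installations. If the instance
        # chosen for a request returns "fail" (for example ntlm_auth could
        # not be run or could not reach a domain controller), the other
        # instance is tried. A "reject" (wrong password, locked account)
        # is final and is not retried against the second installation.
        redundant-load-balance {
            mschap1
            mschap2
        }
    }
}
```

Two things to check before relying on this. First, redundant-load-balance only moves on when a module returns "fail", not "reject", so run radiusd -X with one Samba installation stopped and confirm that your mschap version reports the unreachable backend as a failure rather than a rejection; if it comes back as a rejection, the fallback never happens. Second, keep both installations pointed at the same domain (or a trusted one): load balancing across unrelated domains would send each user's MS-CHAP response to a backend that has no account for them, and the per-realm Autz-Type routing from the earlier reply is the right tool for that case instead.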