Craig T. Hancock wrote:
My specific concern is that in order to do PEAP authentication (which is outside FreeRADIUS's control) the ntlm_auth executable looks at the smb.conf file to tell it where to send passwords, using the smb.conf "password server" option, which only allows for one server name.

Are you concerned that the smb.conf "password server" will be down? In which case, set it to "*" (and ensure your WINS or DNS for "security = ads" are reliable) or to a space-separated list, "srv1 srv2".

Or are you wanting to potentially authenticate against different sets of domain controllers? In which case, investigate the use of a cross-realm trust. If you are unable to do that, you can supply the smb.conf argument with "-s" to winbind, so you could instantiate >1 copy of the mschap module talking to >1 installation of samba:

modules {
  # one mschap instance per samba installation; "-s" tells each ntlm_auth
  # which smb.conf (and so which winbind / password server) to use
  mschap mschap1 {
    authtype = MS-CHAP1
    ntlm_auth = "/path1/bin/ntlm_auth -s /path1/etc/smb.conf <REST>"
  }
  mschap mschap2 {
    authtype = MS-CHAP2
    ntlm_auth = "/path2/bin/ntlm_auth -s /path2/etc/smb.conf <REST>"
  }
}
authorize {
  preprocess
  # set the Autz-Type in the files module based on the user/realm
  files
  # whichever instance runs sets Auth-Type to its own authtype value,
  # which selects the matching block in authenticate below
  Autz-Type group1 {
    mschap1
  }
  Autz-Type group2 {
    mschap2
  }
}
authenticate {
  Auth-Type MS-CHAP1 {
    mschap1
  }
  Auth-Type MS-CHAP2 {
    mschap2
  }
}


Maybe this is inappropriate and I apologize, but correct me if I'm wrong: when specifying the backend store in FreeRADIUS it only takes one server backend, not multiple. So even if I were to spread the RADIUS load to multiple servers I still only have the option of one server per backend, so I don't see how that addresses my overall issue?

Any advice is greatly appreciated.

Don't. Load balance it by configuring load balancing in radiusd.conf.

Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
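Alan's suggestion in radiusd.conf terms, as an added example that is not part of this thread and not FreeRADIUS's stock configuration: two rlm_mschap instances, each calling its own ntlm_auth with its own smb.conf, wrapped in a redundant-load-balance block so radiusd itself spreads requests across the two samba installations and fails over when one of them cannot be reached. Assumptions: FreeRADIUS 2.x syntax (the redundant-load-balance keyword), the ntlm_auth arguments from the stock mschap module configuration, placeholder paths /path1 and /path2, a placeholder domain EXAMPLE, and that both samba installations front the same domain, because a redundant block only moves on when a module fails, not when it rejects a wrong password.

```conf
# Added example (not from the thread): radiusd-level balancing and failover
# across two samba/winbind installations, each selected with "ntlm_auth -s".
modules {
  mschap mschap_a {
    # placeholder paths; installation A's ntlm_auth and smb.conf.
    # The remaining arguments are the stock rlm_mschap ntlm_auth invocation;
    # EXAMPLE is a placeholder for the NT domain.
    ntlm_auth = "/path1/bin/ntlm_auth -s /path1/etc/smb.conf --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{mschap:NT-Domain:-EXAMPLE} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
  }
  mschap mschap_b {
    # placeholder paths; installation B's ntlm_auth and smb.conf
    ntlm_auth = "/path2/bin/ntlm_auth -s /path2/etc/smb.conf --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{mschap:NT-Domain:-EXAMPLE} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
  }
}

authorize {
  preprocess
  # a request carrying MS-CHAP attributes is routed to the Auth-Type MS-CHAP
  # section below (PEAP's inner MS-CHAPv2 request lands there as well, as far
  # as I know of rlm_eap_mschapv2; check this against your version)
  if (MS-CHAP-Challenge) {
    update control {
      Auth-Type := MS-CHAP
    }
  }
}

authenticate {
  Auth-Type MS-CHAP {
    # pick one instance per request; if it returns "fail" (e.g. its ntlm_auth
    # could not talk to winbindd) the other instance is tried. A "reject"
    # (bad password) is final: it is not retried against the other DC.
    redundant-load-balance {
      mschap_a
      mschap_b
    }
  }
}
```

Two things to check before relying on this. First, ntlm_auth only talks to the winbindd it was built with, so each smb.conf above has to belong to a running winbindd of that same installation (the ">1 installation of samba" point from the earlier reply); pointing a single winbindd at two smb.conf files does not work. Second, this is the right shape only when both installations authenticate the same accounts. If the two sets of domain controllers serve different domains, a failed request on the wrong DC is a reject, not a fail, and will not be retried, so the per-realm Autz-Type routing shown earlier in the thread (or a cross-realm trust) is what you want instead.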