On 03/05/2011 12:21 AM, Gary Gatten wrote:
> I kinda like your caching idea, but not sure of any security
> implications.
It's not a workable idea. MSCHAP responses are specific to the 8-byte
random challenge, which is different every time. You can't cache them.
> I have (2) FR servers (each pointing to a different DC) and my NASes
> are configured to use both. But, iirc if AD is down on the backend
> FR still replies (with something) so the NAS never rolls over to the
> other FR server.
Yes, this is a bad idea.
Just configure samba to autodiscover the AD controllers. Winbind will
cache connections and open new ones when the old ones go away.
> So, I thought about some script that would use ntlm_auth every n
> seconds, if it fails kill the FR process (or use FR policy to act dead).
> When it starts working again, restart FR. This should make the NAS
> roll to the next FR server.
That might work, but it seems like a sledgehammer to crack a nut.
> What about OpenLDAP on the FR server that's "refreshed" / sync'd to
> the winblows/AD? I've never tried this but assume it's doable.
It's not possible. AD controllers will only sync to other AD controllers.
At some point in the future, Samba 4 might be able to slave the LDAP
database of an AD controller, but it's purely theoretical at the moment
I think.
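The DC autodiscovery suggested above, as an added smb.conf fragment that is not from this thread or the FreeRADIUS project; the realm, workgroup and DC host name are placeholders. It shows the pinned-to-one-DC setting the original poster described next to the autodiscover form, where winbind locates controllers via DNS and moves on when one goes away.

```ini
[global]
    security = ads
    realm = EXAMPLE.COM        ; placeholder: your AD realm
    workgroup = EXAMPLE        ; placeholder: your NetBIOS domain name

    ; Pinned form (what each FR server was doing): if this one DC is down,
    ; winbind has nowhere else to go and ntlm_auth fails on this host.
    ; password server = dc1.example.com   ; placeholder host name

    ; Autodiscover form: "*" (also the default) makes winbind find DCs
    ; through DNS/site lookup and open a new connection when one drops.
    password server = *

    ; Per-connection failure detection so dead DC sockets are noticed,
    ; rather than hanging a request until the NAS times out.
    winbind request timeout = 30
```

After changing the file, `net ads testjoin` and `wbinfo --ping-dc` confirm the machine account and the currently selected DC; if `ntlm_auth` still fails while a DC is reachable, check the host's DNS SRV records for the realm before touching FreeRADIUS.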
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html