Grrr...
This is probably a Samba issue - a known one? - but I can't seem to get AD
authentications to hit multiple DCs. Everything goes to the one listed in
/etc/samba/smb.conf (which may be a coincidence).
I set up several mschap instances like so:
mschap mschap1 { ...
    ntlm_auth -s /etc/samba/radius.smb1.conf
}
mschap mschap2 { ...
    ntlm_auth -s /etc/samba/radius.smb2.conf
}
mschap mschap3 { ...
    ntlm_auth -s /etc/samba/radius.smb3.conf
}
I also disabled all PAP, CHAP, and references to "mschap" in all virtual
servers listed in sites-enabled. There is currently no "mschap { ... }"
section in modules/mschap.
Added this to sites-enabled/campus-inner-tunnel where "mschap" was before:
redundant-load-balance {
    mschap1
    mschap2
    mschap3
}
Authentication *works*, but all authentications go to the same DC (the one
specified in "mschap2"). Running "radiusd -X" shows that all mschap1/2/3
instances are being called, and no authentication *attempts* are being sent to
the other two domain controllers. (1 and 3 aren't failing. They just aren't
*tried*.)
Am I going about this all the wrong way? Is this a known limitation in Samba?
Is there something about ntlm_auth that always references /etc/samba/smb.conf,
regardless of the -s option?
Comments and criticisms welcome.
--J
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
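One check that is worth running before blaming Samba is to confirm what each member of the redundant-load-balance group would actually name as its domain controller. The script below is an added example, not code from the post above or from the FreeRADIUS or Samba projects: it parses the mschap instance definitions, the redundant-load-balance group and the smb.conf each ntlm_auth -s option points at, then groups the members by the "password server" they name. All config text in it is constructed; the full ntlm_auth command form, the file /etc/samba/smb.conf as the fallback, and the dc1/dc2.campus.example.edu host names are assumptions, and the third instance is given a deliberately dropped -s to show what the audit reports.

```python
"""Audit which DC each mschap instance in a redundant-load-balance group names.

Added example (not from the original post, FreeRADIUS or Samba). Every config
string below is constructed; the command form, the default smb.conf path and
the dc*.campus.example.edu names are assumptions.
"""
import re
from typing import Dict, List, Optional

DEFAULT_SMB_CONF = "/etc/samba/smb.conf"  # what ntlm_auth reads without -s (assumed path)

# Constructed: the three instances as they would appear in modules/mschap (FreeRADIUS 2.x form).
MODULES_CONF = r'''
mschap mschap1 {
    ntlm_auth = "/usr/bin/ntlm_auth -s /etc/samba/radius.smb1.conf --request-nt-key --username=%{mschap:User-Name} --challenge=%{mschap:Challenge} --nt-response=%{mschap:NT-Response}"
}
mschap mschap2 {
    ntlm_auth = "/usr/bin/ntlm_auth -s /etc/samba/radius.smb2.conf --request-nt-key --username=%{mschap:User-Name} --challenge=%{mschap:Challenge} --nt-response=%{mschap:NT-Response}"
}
mschap mschap3 {
    # Constructed defect: -s was dropped, so this instance silently uses the default smb.conf.
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --challenge=%{mschap:Challenge} --nt-response=%{mschap:NT-Response}"
}
'''

# Constructed: the group as added to sites-enabled/campus-inner-tunnel.
SITE_CONF = '''
redundant-load-balance {
    mschap1
    mschap2
    mschap3
}
'''

# Constructed smb.conf contents keyed by path (hypothetical DC host names).
SMB_CONFS: Dict[str, str] = {
    "/etc/samba/radius.smb1.conf": "[global]\n   workgroup = CAMPUS\n   password server = dc1.campus.example.edu\n",
    "/etc/samba/radius.smb2.conf": "[global]\n   workgroup = CAMPUS\n   password server = dc2.campus.example.edu\n",
    DEFAULT_SMB_CONF:              "[global]\n   workgroup = CAMPUS\n   password server = dc2.campus.example.edu\n",
}

INSTANCE_RE = re.compile(r'^\s*mschap\s+(\w+)\s*\{(.*?)^\s*\}', re.M | re.S)
NTLM_RE = re.compile(r'^\s*ntlm_auth\s*=\s*"([^"]*)"', re.M)
GROUP_RE = re.compile(r'redundant-load-balance\s*\{([^}]*)\}')


def parse_mschap_instances(conf: str) -> Dict[str, str]:
    """Return {instance name: ntlm_auth command line} for every mschap block."""
    found = {}
    for block in INSTANCE_RE.finditer(conf):
        cmd = NTLM_RE.search(block.group(2))
        if cmd:
            found[block.group(1)] = cmd.group(1)
    return found


def parse_load_balance_members(conf: str) -> List[str]:
    """Return the module names listed in the first redundant-load-balance block."""
    m = GROUP_RE.search(conf)
    return m.group(1).split() if m else []


def smb_conf_path(cmd: str) -> str:
    """Path given by -s / --configfile, or the default smb.conf when neither is present."""
    m = re.search(r'(?:\s-s\s+|--configfile[= ])(\S+)', cmd)
    return m.group(1) if m else DEFAULT_SMB_CONF


def smb_global_option(text: str, key: str) -> Optional[str]:
    """Minimal [global]-section lookup for one smb.conf option (key is case-insensitive)."""
    in_global = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("["):
            in_global = line.lower() == "[global]"
            continue
        if in_global and "=" in line:
            k, v = (part.strip() for part in line.split("=", 1))
            if k.lower() == key.lower():
                return v
    return None


def audit(modules_conf: str, site_conf: str, smb_files: Dict[str, str]) -> Dict[str, List[str]]:
    """Group the load-balance members by the password server their smb.conf names."""
    instances = parse_mschap_instances(modules_conf)
    by_dc: Dict[str, List[str]] = {}
    for name in parse_load_balance_members(site_conf):
        if name not in instances:
            by_dc.setdefault("<undefined module>", []).append(name)
            continue
        path = smb_conf_path(instances[name])
        if path not in smb_files:
            by_dc.setdefault(f"<missing {path}>", []).append(name)
            continue
        dc = smb_global_option(smb_files[path], "password server") or "<no password server>"
        by_dc.setdefault(dc, []).append(name)
    return by_dc


if __name__ == "__main__":
    for dc, members in audit(MODULES_CONF, SITE_CONF, SMB_CONFS).items():
        print(f"{dc}: {', '.join(members)}{'  <-- shared' if len(members) > 1 else ''}")
```

On the constructed input the report shows dc1 reached by mschap1 only and dc2 shared by mschap2 and mschap3, which is the kind of silent fan-in a "works, but everything lands on one DC" symptom comes from. Two caveats on what the script can see: it reads the smb.conf files, not what the daemons were started with, and ntlm_auth --request-nt-key does not contact a DC itself but hands the check to a running winbindd, which follows that daemon's own configuration; distinct -s files therefore only spread authentications across DCs if each instance reaches a winbindd configured for its DC. To run it against real files, replace the constructed strings with the contents read from the paths the mschap instances name.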