The underlying problem is that I have four production RADIUS servers that all 
seem to choose the same domain controller, which is not only a lot of load, but 
it's a bad idea in terms of fault tolerance.

I may try just making each server "choose" a separate DC as its default, for 
starters, which would get me most of the way there.  The wireless controllers 
that authenticate against the RADIUS servers *themselves* round-robin among the 
RADIUS servers, so if one of them - or even two of them - were talking to a DC 
that is down, a given user's machine is likely to re-attempt authentication and 
succeed eventually.  We'd hear a lot of complaints that "getting on wireless is 
slow" but things would *work*.

Anyway, thanks for the insight.  I'll keep banging on it.  If I get an elegant 
- or at least *stable* - configuration, I'll post something about it here.

--J

-----Original Message-----
From: freeradius-users-bounces+mcnuttj=missouri....@lists.freeradius.org 
[mailto:freeradius-users-bounces+mcnuttj=missouri....@lists.freeradius.org] On 
Behalf Of Phil Mayers
Sent: Friday, August 24, 2012 4:23 PM
To: [email protected]
Subject: Re: redundant load balancing and mschap

On 08/24/2012 08:11 PM, McNutt, Justin M. wrote:
> Grrr...
> This is probably a Samba issue - a known one? - but I can't seem to 
> get AD authentications to hit multiple DCs.  Everything goes to the 
> one

This is indeed a Samba issue, and unfortunately a hard one to fix.

ntlm_auth doesn't talk over the network - rather, it talks over a Unix socket 
to winbind. Winbind maintains a *single* open session to a DC, and sends all 
the domain RPCs down this pipe.

Winbind discovers the DC from the AD subnet/site queries and builds an 
app-specific Kerberos config that will show you this - see 
/var/lib/samba/smb_krb5/krb5.conf.<DOMNAME>

If you want to force connections to separate domain controllers, you'll need 
separate smbd/winbindd instances running, with their own unix sockets and 
smb.conf setups. This will probably be hard, and fragile.

My advice - don't, unless you really really need to.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
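An added example, not code from the thread, from Samba or from FreeRADIUS: Phil's point is that winbind pins one DC per domain and records it in /var/lib/samba/smb_krb5/krb5.conf.<DOMNAME>, so the first check on Justin's four servers is to read that file on each and see whether they all picked the same DC. The realm name, addresses and file layout below are constructed samples, and the helper names are my own.

```shell
#!/bin/sh
# Added example (not from the list thread, Samba or FreeRADIUS). It parses the
# winbind-generated krb5.conf.<DOMNAME> that Phil Mayers refers to and checks,
# across one copy per RADIUS server, whether every server landed on the same DC.
# Realm, IPs and file layout are constructed samples, not a real deployment.
set -eu

# Print the kdc entries of a winbind-generated krb5.conf, one per line.
# Matches lines such as "    kdc = 192.0.2.10" inside the [realms] block.
kdcs_from_krb5conf() {
    sed -n 's/^[[:space:]]*kdc[[:space:]]*=[[:space:]]*//p' "$1"
}

# Write a constructed krb5.conf.<DOMNAME> in the shape winbind produces
# (assumed layout), pinned to the given KDC address.
write_sample() {
    cat >"$1" <<EOF
[libdefaults]
    default_realm = AD.EXAMPLE.ORG

[realms]
    AD.EXAMPLE.ORG = {
        kdc = $2
    }
EOF
}

# Given one krb5.conf per RADIUS server, print the distinct DCs in use and
# return 0 only if more than one DC is in use. Returns 1 when every server
# chose the same DC, the single point of failure the thread is about.
dc_spread() {
    distinct=$(for f in "$@"; do kdcs_from_krb5conf "$f"; done | sort -u)
    printf '%s\n' "$distinct"
    set -- $distinct
    [ "$#" -gt 1 ]
}

# Demo: four servers that all resolved the same DC, then a spread-out set.
samples=$(mktemp -d)
for i in 1 2 3 4; do write_sample "$samples/radius$i.same" 192.0.2.10; done
write_sample "$samples/radius1.spread" 192.0.2.10
write_sample "$samples/radius2.spread" 192.0.2.11
write_sample "$samples/radius3.spread" 192.0.2.10
write_sample "$samples/radius4.spread" 192.0.2.11

if dc_spread "$samples"/radius*.same; then
    echo "DCs are spread across the RADIUS servers"
else
    echo "WARNING: every RADIUS server is pinned to the same DC"
fi
if dc_spread "$samples"/radius*.spread; then
    echo "DCs are spread across the RADIUS servers"
else
    echo "WARNING: every RADIUS server is pinned to the same DC"
fi
rm -rf "$samples"
```

On a real server, run the first function against the actual /var/lib/samba/smb_krb5/krb5.conf.<DOMNAME> (the realm suffix is whatever your domain is) and confirm the pinned DC is reachable with `wbinfo --ping-dc`. The second function is the cross-server view: copy each server's file into one directory and feed them all in; a return of 1 means the DC outage Justin describes would take out every RADIUS server at once.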