Hello Leonardo,

It was the first iteration of the NTLM auth API; we will be improving the process to be resilient to multiple DCs.
Thanks,

Ludovic Zammit
Product Support Engineer Principal Lead
Cell: +1.613.670.8432
Akamai Technologies - Inverse
145 Broadway
Cambridge, MA 02142

Connect with Us: <https://community.akamai.com/> <http://blogs.akamai.com/> <https://twitter.com/akamai> <http://www.facebook.com/AkamaiTechnologies> <http://www.linkedin.com/company/akamai-technologies> <http://www.youtube.com/user/akamaitechnologies?feature=results_main>

> On Jun 25, 2024, at 9:15 AM, Leonardo Secci via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:
>
> Hi,
>
> having to upgrade an instance of PacketFence 10.3 to version 13.2, I encountered restrictions that made me reconsider the way Active Directory domain controllers have been integrated.
>
> Previously, for defining the Active Directory domain (Configuration -> Policies and access control -> Domains -> Active Directory Domains) it was possible to specify the parameter "Active Directory server", in which the FQDN was entered that refers to a type A record in the DNS that lists all Domain Controller IP addresses on the network.
>
> I assume that since PacketFence version 13.1, in which the NTLM management mode has changed, the fields "Active Directory FQDN" and "Active Directory IP" can be set together for Active Directory domain configuration.
>
> The "Active Directory IP" field is declared as optional, but although the FQDN records are apparently present in DNS, leaving it empty produces the error "ad_server: Please specify the IPv4 of the Active Directory server."
>
> Also, if the "Active Directory FQDN" field is set to the value used so far, pointing to the record with multiple IPs, once the settings are saved and the ntlm-auth-api service is restarted the JOIN fails, and the following error appears in the log:
>
> Failed to bind to uuid 12345678-1234-abcd-ef00-01234567cffb for ncacn_np:comune.intranet[\pipe\netlogon,seal,schannel,abstract_syntax=12345678-1234-abcd-ef00-01234567cffb/0x00000001] NT_STATUS_INVALID_COMPUTER_NAME
>
> Instead, by using an FQDN pointing to a single Domain Controller IP and also filling in the "Active Directory IP" field, one is able to finalize the JOIN on Active Directory without running into errors.
>
> At this point, I am wondering how to reliably configure the domain in PacketFence taking into account that a specific Domain Controller may be unavailable, for example because it is undergoing maintenance, without risking NAC service outages.
>
> Best regards.
> Leonardo
> _______________________________________________
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
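The question above asks how to keep the join and NTLM authentication working when the FQDN resolves to several Domain Controllers and one of them is down. The script below is an added example, not PacketFence or Samba code, of the pre-flight check an operator can run before filling the "Active Directory IP" field: it resolves every A record behind the FQDN and keeps only the DCs that accept TCP connections on the ports a join and Netlogon traffic depend on. The port set (88 Kerberos, 389 LDAP, 445 SMB), the sample FQDN "dc.comune.intranet" and the 10.0.0.x addresses are assumptions constructed for the demonstration; the resolver and probe functions are injectable so the sample run works offline.

```python
"""Pre-flight check for a round-robin Active Directory FQDN.

Added example, not PacketFence or Samba code. It resolves every A record
behind the FQDN and keeps only the DCs that accept TCP connections on the
ports a join and NTLM/Netlogon traffic depend on, so an operator can put a
DC that is actually up into the "Active Directory IP" field and re-run the
check when a DC goes into maintenance.
"""
import socket
from typing import Callable, List, Sequence, Tuple

# Assumed port set: 88 Kerberos, 389 LDAP, 445 SMB (\pipe\netlogon rides on SMB).
DC_PORTS: Tuple[int, ...] = (88, 389, 445)

Resolver = Callable[[str], List[str]]
Probe = Callable[[str, int], bool]


def resolve_a_records(fqdn: str) -> List[str]:
    """Every IPv4 behind the FQDN, in resolver order, without duplicates."""
    infos = socket.getaddrinfo(fqdn, None, family=socket.AF_INET,
                               type=socket.SOCK_STREAM)
    return list(dict.fromkeys(info[4][0] for info in infos))


def tcp_open(ip: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP handshake to ip:port completes within the timeout."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def classify_dcs(fqdn: str, ports: Sequence[int] = DC_PORTS,
                 resolver: Resolver = resolve_a_records,
                 probe: Probe = tcp_open) -> Tuple[List[str], List[str]]:
    """Split the DCs behind fqdn into (reachable, unreachable).

    A DC counts as reachable only if every port in `ports` answers: a DC
    with LDAP up but SMB down would still break the Netlogon bind.
    """
    reachable: List[str] = []
    unreachable: List[str] = []
    for ip in resolver(fqdn):
        if all(probe(ip, port) for port in ports):
            reachable.append(ip)
        else:
            unreachable.append(ip)
    return reachable, unreachable


def pick_dc(fqdn: str, **kwargs) -> str:
    """First reachable DC, or RuntimeError when none is up."""
    reachable, unreachable = classify_dcs(fqdn, **kwargs)
    if not reachable:
        raise RuntimeError(f"no Domain Controller behind {fqdn} is reachable "
                           f"(tried {unreachable})")
    return reachable[0]


if __name__ == "__main__":
    # Constructed sample: three DCs behind the FQDN, the second in maintenance.
    SAMPLE_FQDN = "dc.comune.intranet"          # assumed name
    SAMPLE_DCS = ["10.0.0.11", "10.0.0.12", "10.0.0.13"]  # assumed addresses
    DOWN = {"10.0.0.12"}

    def fake_resolve(_fqdn: str) -> List[str]:
        return SAMPLE_DCS

    def fake_probe(ip: str, _port: int) -> bool:
        return ip not in DOWN

    up, down = classify_dcs(SAMPLE_FQDN, resolver=fake_resolve, probe=fake_probe)
    print("reachable:", up, "unreachable:", down)
    print("use as Active Directory IP:",
          pick_dc(SAMPLE_FQDN, resolver=fake_resolve, probe=fake_probe))
    # Against a real domain, pick_dc("dc.comune.intranet") uses DNS and TCP.
```

Run it from cron or a monitoring job and alert when the DC currently configured in the "Active Directory IP" field drops out of the reachable list; a DC that answers LDAP but not SMB is deliberately reported as down because the join and Netlogon bind go over SMB.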