[RADIATOR] eap auth against active directory

David Zych dmrz at illinois.edu
Mon Oct 1 17:32:55 CDT 2012

> Because we're bouncing off of AD, we're relying on ntlm_auth to check a
> user's credentials. Unfortunately our specific Active Directory environment
> is *very* unstable with DCs randomly rebooting / being upgraded. This
> results in issues when ntlm_auth is run, such as:
> (a) NTLM Could not authenticate user 'USERNAME': NT_STATUS_IO_TIMEOUT
> (b) NTLM Could not authenticate user 'USERNAME': Access denied
> When things break badly and all ntlm_auth requests return one of these
> errors, the only way to fix this is to unbind from the domain, then rebind
> with a "net join".

Have you tried simply restarting winbind?  Though our AD is fairly
stable, I still see these symptoms from time to time, but in my case
restarting winbind (via its init.d script) causes ntlm_auth to work
again without having to actually rejoin the domain.

> The big issue here is that Samba / winbind seems to tie itself to *one*
> domain controller -- it doesn't seem to automatically query another DC when
> something breaks with the DC ntlm_auth is currently using.

This may or may not be relevant (I'm no AD or samba expert), but I have
in my smb.conf:

password server = *

as opposed to specifying a single DC.  I suspect that perhaps this helps
winbind to pick a different DC when I restart it.

I also notice that /var/lib/samba/smb_krb5/krb5.conf.MYDOMAINHERE has a
bunch of different "kdc" IPs listed under the realm, which strikes me as
a good and useful thing.  I didn't do anything manually to make that
happen, though; this file was automatically generated by samba (I think
when I first joined each linux box to the domain).

> (ii) since I assume ntlm_auth is the only way to easily authenticate, has
> anyone found a robust way to depend on Samba / winbind?

The secret to my success is a cron script on each server which tests
that full MSCHAP authentication vs AD (using the Samba secure pipe) is
working properly and, if not, restarts winbind in an attempt to
self-heal.  This nips a lot of problems in the bud within 1 minute with
no human intervention required.

Hope this helps at least somewhat,
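The cron-driven self-heal check described in the reply above, written out as an added example. This is not David's script and not part of the Radiator or Samba distributions; it performs one real credential check through ntlm_auth (which goes over winbind's secure channel to a DC) and restarts winbind only when the failure looks like the winbind/DC problems quoted in the thread, not when the probe account's own credentials are rejected. The probe account name, the secret file path, and the restart command are assumptions for this example.

```shell
#!/bin/sh
# Added example (not the poster's script): winbind self-heal check driven from cron.
# All names below are assumptions for this example: the probe account, the secret
# file path, and the restart command.

NTLM_AUTH="${NTLM_AUTH:-ntlm_auth}"                       # Samba's ntlm_auth binary
NTLM_DOMAIN="${NTLM_DOMAIN:-MYDOMAINHERE}"                # assumed NetBIOS domain name
NTLM_USER="${NTLM_USER:-radius-probe}"                    # assumed low-privilege probe account
NTLM_PASS_FILE="${NTLM_PASS_FILE:-/etc/radiator/ntlm-probe.secret}"  # assumed path, root:root 0600
WINBIND_RESTART="${WINBIND_RESTART:-/etc/init.d/winbind restart}"    # the init.d restart from the reply

log() {
    logger -t winbind-check -- "$*" 2>/dev/null || printf 'winbind-check: %s\n' "$*" >&2
}

# Map ntlm_auth's result line to a verdict:
#   0 = healthy
#   1 = credential problem (probe password changed, account locked/disabled):
#       alert, but do NOT restart winbind, it would not help
#   2 = winbind/DC problem (the NT_STATUS_IO_TIMEOUT / Access denied cases from the
#       thread, or anything unrecognised): restart winbind so it picks a DC again
classify_result() {
    case "$1" in
        *NT_STATUS_OK*) return 0 ;;
        *NT_STATUS_LOGON_FAILURE*|*NT_STATUS_WRONG_PASSWORD*|*NT_STATUS_ACCOUNT_LOCKED_OUT*|*NT_STATUS_PASSWORD_EXPIRED*|*NT_STATUS_ACCOUNT_DISABLED*) return 1 ;;
        *) return 2 ;;
    esac
}

# One real authentication against AD via winbind. Prints ntlm_auth's result line
# (so it can be logged) and returns the verdict from classify_result.
probe_ntlm_auth() {
    pass=$(cat "$NTLM_PASS_FILE" 2>/dev/null) || pass=
    out=$("$NTLM_AUTH" --domain="$NTLM_DOMAIN" --username="$NTLM_USER" \
          --password="$pass" 2>&1) || :
    printf '%s\n' "$out"
    classify_result "$out"
}

# Probe once; restart winbind only on verdict 2. Returns the verdict so a
# wrapper (or a test) can see what happened.
self_heal() {
    verdict=0
    result=$(probe_ntlm_auth) || verdict=$?
    case "$verdict" in
        0) log "ok: $result" ;;
        1) log "credential problem, NOT restarting winbind: $result" ;;
        *) log "restarting winbind: $result"
           $WINBIND_RESTART || log "winbind restart failed" ;;
    esac
    return "$verdict"
}

# Run from cron once a minute, e.g.:  * * * * * root /usr/local/sbin/winbind-check.sh run
case "${1:-}" in
    run) self_heal ;;
esac
```

Two practical caveats. First, `--password` on the ntlm_auth command line is visible to other local users via `ps` for the duration of the call; if that matters on your RADIUS hosts, drive ntlm_auth's `--helper-protocol=ntlm-server-1` mode over stdin instead (the mode RADIUS servers themselves use for MSCHAP), which takes the credentials on stdin rather than in argv. Second, because the probe account's password sits on disk on every RADIUS server, make it a dedicated account with no group memberships or rights beyond being able to log on, and keep the secret file root-only.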

