[RADIATOR] eap auth against active directory

James Zee jameszee13 at gmail.com
Fri Sep 28 08:38:59 CDT 2012


I could use some pointers on where to go with an issue I'm having on our
Radiator servers for EAP authentication. I know that this question may
border a Samba-specific issue, but the Radiator community is pretty helpful
so I'm hoping someone may have run into something similar and can help me.

Because we're bouncing off of AD, we're relying on ntlm_auth to check a
user's credentials. Unfortunately our specific Active Directory environment
is *very* unstable with DCs randomly rebooting / being upgraded. This
results in issues when ntlm_auth is run, such as:

(a) NTLM Could not authenticate user 'USERNAME': NT_STATUS_IO_TIMEOUT
(b) NTLM Could not authenticate user 'USERNAME': Access denied

When things break badly and all ntlm_auth requests return one of these
errors, the only way to fix this is to unbind from the domain, then rebind
with a "net join".

The big issue here is that Samba / winbind seems to tie itself to *one*
domain controller -- it doesn't seem to automatically query another DC when
something breaks with the DC ntlm_auth is currently using.

Two big questions:

(i) is ntlm_auth the ONLY way to get AD / EAP authentication to work? From
what I've read, ntlm_auth is the only method because AD doesn't supply
passwords and even if it did the PW attribute is encrypted when it would
have to be in clear text, correct?

(ii) since I assume ntlm_auth is the only way to easily authenticate, has
anyone found a robust way to depend on Samba / winbind? Maybe some sort of
load balancing? Possibly setting up Samba as a DC that then has the
passwords stored locally as well?

Again, I know this question is pretty broad and may border a post that
should be in the Samba mailing list, but if someone could point me in the
right direction I'll head down that path. :)
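
As an added illustration (not part of the post or of Radiator), here is a small canary monitor that runs ntlm_auth against a dedicated, low-privilege test account and separates the two symptoms above (NT_STATUS_IO_TIMEOUT, "Access denied" on a known-good account) from a genuine credential rejection, so that the "all requests fail, need to rejoin" state can be detected before users notice. The canary account, the `--username`/`--password`/`--domain` invocation of ntlm_auth, and the window of three consecutive runs are assumptions.

```python
"""Canary monitor for ntlm_auth (added example; assumes a throwaway AD canary
account and ntlm_auth on PATH).  Status tokens come from the post plus the
standard Samba NT_STATUS_* strings for a rejected password."""
import subprocess
from collections import deque

# Outcomes worth telling apart: a rejected password is not an outage, but a
# run of timeouts / denials on a known-good canary account is.
OK, TRANSIENT, DENIED, UNKNOWN = "ok", "transient", "denied", "unknown"


def classify(output: str, returncode: int) -> str:
    """Map the output of one ntlm_auth run (or Radiator's log line) to a class."""
    text = output.strip()
    if returncode == 0 and "NT_STATUS_OK" in text:
        return OK
    # Both symptoms from the post; 'Access denied' on a canary whose password
    # is known to be correct is treated as a winbind/DC problem, not a user one.
    if "NT_STATUS_IO_TIMEOUT" in text or "Access denied" in text:
        return TRANSIENT
    if "NT_STATUS_LOGON_FAILURE" in text or "NT_STATUS_WRONG_PASSWORD" in text:
        return DENIED
    return UNKNOWN


class DcHealth:
    """Keeps the last `window` canary outcomes; broken() is True once every one
    of them is transient, i.e. the 'all ntlm_auth requests fail' state."""

    def __init__(self, window: int = 3):
        self.history = deque(maxlen=window)

    def record(self, outcome: str) -> bool:
        self.history.append(outcome)
        return self.broken()

    def broken(self) -> bool:
        full = len(self.history) == self.history.maxlen
        return full and all(o == TRANSIENT for o in self.history)


def probe(user: str, password: str, domain: str, timeout: int = 10) -> str:
    """Run ntlm_auth once for the canary.  Note the password is visible in the
    process list, hence the dedicated low-privilege account (assumption)."""
    cmd = ["ntlm_auth", f"--username={user}", f"--password={password}",
           f"--domain={domain}"]
    try:
        p = subprocess.run(cmd, capture_output=True, text=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return TRANSIENT          # winbind hung on an unreachable DC
    except FileNotFoundError:
        return UNKNOWN            # ntlm_auth not installed on this host
    return classify(p.stdout + p.stderr, p.returncode)
```

Run probe() from cron or the Radiator host's monitoring and feed each outcome to DcHealth.record(); a True result is the point at which the poster's manual unbind / "net join" recovery would otherwise be needed.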

