[RADIATOR] AuthByLSA group issue if DC controller is unavailable.
Johnson, Neil M
neil-johnson at uiowa.edu
Fri Apr 3 09:17:03 CDT 2015
We are having issues with Authentication failures using AuthByLSA when the workstation fails over to another Domain Controller.
The issue is that we do a group membership check in our AuthByLSA Handler.
It appears from the code below that if you don’t specify a DC it picks one the first time it checks for group membership and keeps using it even if the DC becomes unavailable.
Code is from the method “userIsInGroup” in AuthByLSA.pm.

    # Find the controller to use
    my $controller = $self->{DomainController};
    if (!defined $controller)
    {
        $controller = $self->{controllers}{$domain};
        if (!defined $controller)
        {
            &Win32::NetAdmin::GetAnyDomainController(undef, $domain, $controller);
            $self->{controllers}{$domain} = $controller;
        }
    }
    $self->log($main::LOG_DEBUG, "Checking LSA Group membership for $controller, $group, $username");
    return &Win32::NetAdmin::GroupIsMember($controller, $group, $username)
        || &Win32::NetAdmin::LocalGroupIsMember($controller, $group, $username);

Is it possible to add code to check for a DC failure and then repeat the call to “Win32::NetAdmin::GetAnyDomainController” in this subroutine?
Thanks.
-Neil
--
Neil Johnson
Network Engineer
The University of Iowa
Phone: 319 384-0938
Fax: 319 335-2951
E-Mail: neil-johnson at uiowa.edu
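
An added sketch of the failover asked about above; it is not part of the original post and not Radiator's code. The function name and the find_dc / is_member callbacks are hypothetical stand-ins for the Win32::NetAdmin calls, and using an error code (for example from Win32::NetAdmin::GetError) to tell "DC unreachable" from "not a member" is an assumption.

```perl
use strict;
use warnings;

# Added sketch, not Radiator code. %$api holds the lookups as code refs so the
# logic can run off Windows; on Windows they would wrap
# Win32::NetAdmin::GetAnyDomainController, GroupIsMember/LocalGroupIsMember and
# Win32::NetAdmin::GetError (assumed to be 0 after a successful call).
sub user_is_in_group_failover {
    my ($self, $api, $domain, $group, $username) = @_;
    for my $attempt (1 .. 2) {
        my $controller = $self->{DomainController}
            // $self->{controllers}{$domain};
        if (!defined $controller) {
            $controller = $api->{find_dc}->($domain);
            return 0 unless defined $controller;    # no DC found: deny
            $self->{controllers}{$domain} = $controller;
        }
        my ($member, $err) = $api->{is_member}->($controller, $group, $username);
        return 1 if $member;
        return 0 if !$err;                          # clean "not a member" answer
        return 0 if defined $self->{DomainController};  # pinned DC: no failover
        delete $self->{controllers}{$domain};       # forget the failed DC, rediscover
    }
    return 0;    # still failing after rediscovery: deny rather than guess
}

# Constructed stand-ins: DC1 is unreachable, DC2 answers.
my @dcs = ('\\\\DC1', '\\\\DC2');
my %api = (
    find_dc   => sub { shift @dcs },
    is_member => sub {
        my ($dc, $group, $user) = @_;
        return (0, 1722) if $dc eq '\\\\DC1';    # 1722 = RPC server unavailable
        return ($user eq 'alice' ? 1 : 0, 0);
    },
);
my $handler = { controllers => {} };
print user_is_in_group_failover($handler, \%api, 'EXAMPLE', 'vpn-users', 'alice'), "\n";
print "cached: $handler->{controllers}{EXAMPLE}\n";
```

A lookup error never counts as membership here: if rediscovery also fails, the check denies, so a DC outage cannot widen access.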