[RADIATOR] AuthByLSA group issue if DC controller is unavailable.

Robert Fisher robert at sitestar.net
Fri Apr 3 10:28:29 CDT 2015


Neil:

Would you please clarify, do you have the DomainController variable set?

The way I'm reading this code, it should call the GetAnyDomainController
each time the subroutine is called unless that variable is set.

Robert Fisher
Systems Administrator
Sitestar Internet Services

On 4/3/2015 9:17 AM, Johnson, Neil M wrote:
> We are having issues with Authentication failures using AuthByLSA when the workstation fails over to another Domain Controller.
>
> The issue is that we do a group membership check in our AuthByLSA Handler.
>
> It appears from the code below that if you don’t specify a DC it picks one the first time it checks for group membership and keeps using it even if the DC becomes unavailable.
>
> Code is from the method “userIsInGroup” in AuthByLSA.pm.
>
>
>     # Find the controller to use
>     my $controller = $self->{DomainController};
>     if (!defined $controller)
>     {
>         $controller = $self->{controllers}{$domain};
>         if (!defined $controller)
>         {
>             &Win32::NetAdmin::GetAnyDomainController(undef, $domain, $controller);
>             $self->{controllers}{$domain} = $controller;
>         }
>     }
>     $self->log($main::LOG_DEBUG, "Checking LSA Group membership for $controller, $group, $username");
>     return &Win32::NetAdmin::GroupIsMember($controller, $group, $username)
>         || &Win32::NetAdmin::LocalGroupIsMember($controller, $group, $username);
>
> Is it possible to add code to check for a DC failure and then repeat the call to “Win32::NetAdmin::GetAnyDomainController” in this subroutine?
>
> Thanks.
>
> -Neil
>
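
The caching behaviour discussed in this thread, with the cached controller dropped and rediscovered when a check fails, as an added example that is not Radiator's code and not from either poster. The `$discover` and `$is_member` callbacks are hypothetical stand-ins for `Win32::NetAdmin::GetAnyDomainController` and the `GroupIsMember`/`LocalGroupIsMember` pair, and the assumption is that the membership call can report an error separately from "not a member", so an unreachable DC is never mistaken for a membership answer.

```perl
#!/usr/bin/perl
# Added example: per-domain DC cache that is invalidated when a lookup fails.
# $discover and $is_member are hypothetical stand-ins for
# Win32::NetAdmin::GetAnyDomainController and GroupIsMember/LocalGroupIsMember,
# injected so the logic runs offline without a Windows domain.
use strict;
use warnings;

my %controllers;    # domain => cached controller name

# Returns 1 (member), 0 (not a member), or undef (no controller could answer).
# undef must be treated by the caller as a failed check, never as membership.
sub user_is_in_group {
    my ($domain, $group, $user, $discover, $is_member) = @_;
    for my $attempt (1 .. 2) {
        my $dc = $controllers{$domain} //= $discover->($domain);
        return undef unless defined $dc;    # discovery itself failed
        my ($member, $err) = $is_member->($dc, $group, $user);
        return $member ? 1 : 0 unless $err;    # definitive answer from the DC
        # The controller failed: forget it so the next pass rediscovers.
        delete $controllers{$domain};
    }
    return undef;
}

# Constructed scenario: DC1 is discovered first but is down; DC2 is healthy.
my @available = ('\\\\DC1', '\\\\DC2');
my %down      = ('\\\\DC1' => 1);
my $discover  = sub { shift @available };
my $is_member = sub {
    my ($dc, $group, $user) = @_;
    return (0, 'unreachable') if $down{$dc};
    return ($user eq 'alice' ? 1 : 0, undef);
};

for my $user (qw(alice bob)) {
    my $r = user_is_in_group('EXAMPLE', 'VPN-Users', $user, $discover, $is_member);
    printf "%s: %s (cached DC: %s)\n", $user,
        defined $r ? ($r ? 'member' : 'not a member') : 'check failed',
        $controllers{'EXAMPLE'} // 'none';
}
```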