[RADIATOR] AuthByLSA group issue if DC controller is unavailable.

Johnson, Neil M neil-johnson at uiowa.edu
Fri Apr 3 11:34:17 CDT 2015


No, I do not have it set. We have multiple DCs for redundancy and scaling and I didn’t want to be tied to one particular DC.

However, the last two nights, when our Server Team performed some DC hardware migrations, users could not authenticate to the Wireless Service while a particular DC was unavailable.

The error in the log was “User Not Found”.


-Neil

-- 
Neil Johnson
Network Engineer
The University of Iowa
Phone: 319 384-0938
Fax: 319 335-2951
E-Mail: neil-johnson at uiowa.edu



> On Apr 3, 2015, at 10:28 AM, Robert Fisher <robert at sitestar.net> wrote:
> 
> Neil:
> 
> Would you please clarify, do you have the DomainController variable set?
> 
> The way I'm reading this code, it should call the GetAnyDomainController
> each time the subroutine is called unless that variable is set.
> 
> Robert Fisher
> Systems Administrator
> Sitestar Internet Services
> 
> On 4/3/2015 9:17 AM, Johnson, Neil M wrote:
>> We are having issues with Authentication failures using AuthByLSA when the workstation fails over to another Domain Controller.
>> 
>> The issue is that we do a group membership check in our AuthByLSA Handler.
>> 
>> It appears from the code below that if you don’t specify a DC it picks one the first time it checks for group membership and keeps using it even if the DC becomes unavailable.
>> 
>> Code is from the method “userIsInGroup” in AuthByLSA.pm.
>> 
>> 
>>     # Find the controller to use
>>     my $controller = $self->{DomainController};
>>     if (!defined $controller)
>>     {
>> 	$controller = $self->{controllers}{$domain};
>> 	if (!defined $controller)
>> 	{
>> 	    &Win32::NetAdmin::GetAnyDomainController(undef, $domain, $controller);
>> 	    $self->{controllers}{$domain} = $controller;
>> 	}
>>     }
>>     $self->log($main::LOG_DEBUG, "Checking LSA Group membership for $controller, $group, $username");
>>     return &Win32::NetAdmin::GroupIsMember($controller, $group, $username)
>> 	|| &Win32::NetAdmin::LocalGroupIsMember($controller, $group, $username);
>> 
>> Is it possible to add code to check for a DC failure and then repeat the call to “Win32::NetAdmin::GetAnyDomainController” in this subroutine?
>> 
>> Thanks.
>> 
>> -Neil
>> 
> 
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator
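
The failover asked about in the thread, sketched as an added example (not Radiator code and not from either poster): drop the cached controller when it stops answering, look one up again, and deny access if nothing answers. `find_controller` and `query_group` are hypothetical stand-ins for the `Win32::NetAdmin` calls quoted above, and the separate "reachable" flag they return is an assumption about how a dead DC is told apart from "not a member".

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed directory state: dc1 is down, dc2 is up and holds the group.
my %up      = (dc1 => 0, dc2 => 1);
my %members = ('wireless-users' => { alice => 1 });

# Hypothetical stand-in for GetAnyDomainController: first reachable DC, or undef.
sub find_controller {
    my ($domain) = @_;
    my ($dc) = grep { $up{$_} } sort keys %up;
    return $dc;
}

# Hypothetical stand-in for the membership calls: returns (is_member, reachable).
sub query_group {
    my ($dc, $group, $user) = @_;
    return (0, 0) unless $up{$dc};
    return ($members{$group}{$user} ? 1 : 0, 1);
}

sub user_is_in_group {
    my ($self, $domain, $group, $user) = @_;
    for my $attempt (1 .. 2) {
        my $dc = $self->{DomainController} // $self->{controllers}{$domain};
        if (!defined $dc) {
            $dc = find_controller($domain);
            return (0, 'no controller reachable') unless defined $dc;
            $self->{controllers}{$domain} = $dc;    # cache the fresh choice
        }
        my ($is_member, $reachable) = query_group($dc, $group, $user);
        return ($is_member, "answered by $dc") if $reachable;
        # An operator-pinned controller is never replaced: fail closed.
        return (0, "pinned controller $dc unreachable")
            if defined $self->{DomainController};
        delete $self->{controllers}{$domain};       # stale entry, retry once
    }
    return (0, 'controller lookup failed twice');   # fail closed
}

my $self = { controllers => { EXAMPLE => 'dc1' } }; # stale cache entry
for my $user (qw(alice mallory)) {
    my ($ok, $why) = user_is_in_group($self, 'EXAMPLE', 'wireless-users', $user);
    printf "%-8s member=%d (%s)\n", $user, $ok, $why;
}
```

Returning the reason alongside the result lets the log distinguish an unreachable controller from a genuine non-member, rather than reporting both as a failed lookup.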


