We have two Samba 4.2.3 servers with FreeRadius to authenticate wireless users against Active Directory. Using DNS, sometimes both servers end up using the same domain controller to authenticate users. I would like to distribute the load to different DCs. Is there a way to manually point Samba to certain DCs?

I tried the following configuration:

    security = ads
    password server = dc05.cfs.uoguelph.ca
    realm = cfs.uoguelph.ca

But after restarting the smb, nmb and winbind servers, the server is still using the old DC for authentication (not switching to dc05.cfs.uoguelph.ca). Any ideas?

Thanks!

Dennis Xu
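A check for the situation described above, added here as an example and not part of the original thread: it reads the global "password server" list out of an smb.conf fragment and compares it with the DC that "net ads info" reports as "LDAP server name", so a server that silently kept its old DC after a restart is flagged. Both inputs are constructed samples (the smb.conf fragment mirrors the settings in the post; the "net ads info" text follows Samba's output format with made-up values).

```python
import re

# Constructed sample of `net ads info` output (format as Samba prints it,
# values made up for this example).
SAMPLE_NET_ADS_INFO = """\
LDAP server: 192.0.2.11
LDAP server name: dc01.cfs.uoguelph.ca
Realm: CFS.UOGUELPH.CA
LDAP port: 389
"""

# Constructed smb.conf fragment matching the settings in the post above.
SAMPLE_SMB_CONF = """\
[global]
   security = ads
   password server = dc05.cfs.uoguelph.ca
   realm = cfs.uoguelph.ca
"""

def password_servers(smb_conf: str) -> list:
    """DC names from the [global] 'password server' parameter (lower-cased).
    Samba accepts several names separated by spaces or commas; '*' (the
    default) means 'discover a DC automatically'."""
    section = None
    for raw in smb_conf.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()  # drop comments
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == "password server":
                return [s.lower() for s in re.split(r"[\s,]+", value.strip()) if s]
    return ["*"]

def bound_dc(net_ads_info: str) -> str:
    """The DC that 'net ads info' reports as 'LDAP server name'."""
    for line in net_ads_info.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "LDAP server name":
            return value.strip().lower()
    return ""

def check_dc(smb_conf: str, net_ads_info: str) -> tuple:
    """(ok, message): ok is False when the bound DC is not a configured one."""
    wanted, actual = password_servers(smb_conf), bound_dc(net_ads_info)
    if "*" in wanted:
        return True, "auto-discovery in use; bound to " + actual
    if actual in wanted:
        return True, "bound to " + actual + " as configured"
    return False, "bound to %s but password server = %s" % (actual, " ".join(wanted))
```

On a live server, feed check_dc() the real smb.conf and the captured output of "net ads info" instead of the samples.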
Hi,

I see you have had no replies as of yet.. Can you clarify the scenario - is freeradius installed on both of your samba servers, and configured to authenticate against the local samba server for active directory integration? Or is the scenario something different?

I use freeradius here; each of my DCs has freeradius installed and configured to use the local samba server. But it's down to my radius clients to pick the correct DC / radius server to authenticate against, if I want to spread the load..

J

On 8 April 2016 at 21:19, Dennis Xu <dxu at uoguelph.ca> wrote:
> We have two Samba 4.2.3 servers with FreeRadius to authenticate wireless
> users against active directory. Using DNS, sometimes both servers end up
> using the same domain controller to authenticate users. I would like to
> distribute the load to different DCs. Is there a way to manually point
> Samba to certain DCs?
>
> I tried the following configuration:
> security = ads
> password server = dc05.cfs.uoguelph.ca
> realm = cfs.uoguelph.ca
>
> But after restarted the smb, nmb and winbind servers, the server is still
> using the old DC for authentication(not switching to dc05.cfs.uoguelph.ca).
> Any ideas?
>
> Thanks!
>
>
> Dennis Xu
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

--
"If we knew what it was we were doing, it would not be called research, would it?"
- Albert Einstein
Hi Jonathan,

Thank you for your reply. I have FreeRadius installed on both Samba servers and authenticate to Active Directory domain controllers (not the local Samba server). In this scenario, there is a possibility that both Samba servers pick up the same domain controller (using DNS resolution) to authenticate, which could cause an uneven load problem.

Dennis

Dennis Xu, MASc, CCIE #13056
Analyst 3, Network Infrastructure
Computing and Communications Services (CCS)
University of Guelph

519-824-4120 Ext 56217
dxu at uoguelph.ca
www.uoguelph.ca/ccs

----- Original Message -----

From: "Jonathan Hunter" <jmhunter1 at gmail.com>
To: "samba" <samba at lists.samba.org>
Sent: Sunday, April 10, 2016 8:56:05 PM
Subject: Re: [Samba] how to manually specify domain controllers

Hi,

I see you have had no replies as of yet.. Can you clarify the scenario - is freeradius installed on both of your samba servers, and configured to authenticate against the local samba server for active directory integration? Or is the scenario something different?

I use freeradius here; each of my DCs has freeradius installed and configured to use the local samba server. But it's down to my radius clients to pick the correct DC / radius server to authenticate against, if I want to spread the load..

J

On 8 April 2016 at 21:19, Dennis Xu <dxu at uoguelph.ca> wrote:
> We have two Samba 4.2.3 servers with FreeRadius to authenticate wireless
> users against active directory. Using DNS, sometimes both servers end up
> using the same domain controller to authenticate users. I would like to
> distribute the load to different DCs. Is there a way to manually point
> Samba to certain DCs?
>
> I tried the following configuration:
> security = ads
> password server = dc05.cfs.uoguelph.ca
> realm = cfs.uoguelph.ca
>
> But after restarted the smb, nmb and winbind servers, the server is still
> using the old DC for authentication(not switching to dc05.cfs.uoguelph.ca).
> Any ideas?
>
> Thanks!
>
>
> Dennis Xu
If you would share your setup, that would be very nice. I'm planning the same; I'll learn from any example.

You can use a "round-robin" DNS entry for the radius if freeradius doesn't give the option to use multiple hostnames in "uri" and not "host".

Best regards,

Louis

> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Dennis Xu
> Sent: Monday, 11 April 2016 14:55
> To: samba at lists.samba.org
> Subject: Re: [Samba] how to manually specify domain controllers
>
> Hi Jonathan,
>
> Thank you for your reply. I have FreeRadius installed on both Samba
> servers and authenticate to Active Directory domain controllers(not the
> local Samba server). In this scenario, there is possibility that both
> Samba servers pick up the same domain controller(using DNS resolution) to
> authenticate which could cause uneven load problem.
>
> Dennis
>
> Dennis Xu, MASc, CCIE #13056
> Analyst 3, Network Infrastructure
> Computing and Communications Services(CCS)
> University of Guelph
>
> 519-824-4120 Ext 56217
> dxu at uoguelph.ca
> www.uoguelph.ca/ccs
>
> ----- Original Message -----
>
> From: "Jonathan Hunter" <jmhunter1 at gmail.com>
> To: "samba" <samba at lists.samba.org>
> Sent: Sunday, April 10, 2016 8:56:05 PM
> Subject: Re: [Samba] how to manually specify domain controllers
>
> Hi,
>
> I see you have had no replies as of yet.. Can you clarify the scenario -
> is freeradius installed on both of your samba servers, and configured to
> authenticate against the local samba server for active directory
> integration? Or is the scenario something different?
>
> I use freeradius here; each of my DCs has freeradius installed and
> configured to use the local samba server. But it's down to my radius
> clients to pick the correct DC / radius server to authenticate against, if
> I want to spread the load..
>
> J
>
> On 8 April 2016 at 21:19, Dennis Xu <dxu at uoguelph.ca> wrote:
> > We have two Samba 4.2.3 servers with FreeRadius to authenticate wireless
> > users against active directory. Using DNS, sometimes both servers end up
> > using the same domain controller to authenticate users. I would like to
> > distribute the load to different DCs. Is there a way to manually point
> > Samba to certain DCs?
> >
> > I tried the following configuration:
> > security = ads
> > password server = dc05.cfs.uoguelph.ca
> > realm = cfs.uoguelph.ca
> >
> > But after restarted the smb, nmb and winbind servers, the server is
> > still using the old DC for authentication(not switching to
> > dc05.cfs.uoguelph.ca). Any ideas?
> >
> > Thanks!
> >
> > Dennis Xu
On 08/04/16 21:19, Dennis Xu wrote:
> We have two Samba 4.2.3 servers with FreeRadius to authenticate wireless users against active directory. Using DNS, sometimes both servers end up using the same domain controller to authenticate users. I would like to distribute the load to different DCs. Is there a way to manually point Samba to certain DCs?
>
> I tried the following configuration:
> security = ads
> password server = dc05.cfs.uoguelph.ca
> realm = cfs.uoguelph.ca
>
> But after restarted the smb, nmb and winbind servers, the server is still using the old DC for authentication(not switching to dc05.cfs.uoguelph.ca). Any ideas?
>
> Thanks!
>
> Dennis Xu

I don't think you can do this, a quick google found this:

http://www.windowsnetworking.com/kbase/WindowsTips/Windows7/AdminTips/ActiveDirectory/Hardcodingthelogondomaincontroller.html

Rowland
On 11 April 2016 at 15:28, Rowland penny <rpenny at samba.org> wrote:
> On 08/04/16 21:19, Dennis Xu wrote:
>
>> We have two Samba 4.2.3 servers with FreeRadius to authenticate wireless
>> users against active directory. Using DNS, sometimes both servers end up
>> using the same domain controller to authenticate users. I would like to
>> distribute the load to different DCs. Is there a way to manually point
>> Samba to certain DCs?
>
> I don't think you can do this, a quick google found this:
>
> http://www.windowsnetworking.com/kbase/WindowsTips/Windows7/AdminTips/ActiveDirectory/Hardcodingthelogondomaincontroller.html

I think that refers more to a Windows client (or indeed one such as sssd that behaves in the same manner), it doesn't mean that if your client can be given a hardcoded DNS name it wouldn't work, as such.

My personal setup is to have freeradius running on each of my domain controllers. My RADIUS clients (network switches, access points etc.) all point at multiple domain controllers, allowing the clients to fail over if a RADIUS server doesn't respond.

My /etc/freeradius/modules/mschap file contains:

    ntlm_auth = "/usr/local/samba/bin/ntlm_auth --request-nt-key --username=%{%{mschap:User-Name}:-%{%{User-Name}:-None}} --domain=%{%{mschap:NT-Domain}:-MYDOMAIN} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"

The theory of operation being, if a domain controller fails completely then the client will not get a response from freeradius, and it will query the next domain controller in turn. This does work.

I suppose, if freeradius is running on the DC but samba isn't, and ntlm_auth picks the local server for AD authentication and fails, then the authentication attempt would fail. That hasn't happened to me yet, but I'm not clear how ntlm_auth picks a DC to authenticate against.. I was kind of assuming it would use 'localhost' but I'm not sure now.

Dennis - I'm still not totally clear as to your scenario, do you have something like this:

    Samba server S1, S2
    Windows AD server W1, W2
    RADIUS client devices C1, C2

with C1, C2 configured to use S1, S2 as RADIUS servers, and freeradius on S1, S2 configured to authenticate against W1, W2 (how?) ?

Cheers

Jonathan

--
"If we knew what it was we were doing, it would not be called research, would it?"
- Albert Einstein