[Samba] Wireless Production Servers Authentication of Active Directory with Inconsistent NTLM Auth Failures

Paul Taylor ptaylor at scu.edu.au
Wed Sep 14 01:17:41 MDT 2011


Hi 

I work for a medium-sized University and have recently set up some new infrastructure to authenticate our wireless users against Active Directory. Everything was working as expected, or so I thought. I set up a monitoring script that performs an ntlm_auth every minute, and it shows that the authentication is failing inconsistently, for around 5 minutes at a time (see below).

There are two development servers on which I am trialling different configurations to test.

The architecture is currently 5 RHEL5 64-bit servers running Radiator 4.4 authenticating against Active Directory. The database resides on Oracle 11.2g RAC. The service is load balanced behind a BIG-IP 6900.
 
DESIGN
All servers will be load balanced behind the BIG-IP. 
2 production servers Lismore
2 production servers Tweed
1 production server Coffs Harbour
Database residing on Oracle RAC 11.2g

CONFIGURATION
Radiator 4.4 using NTLM EAP PEAP
SAMBA 3.0.33-3.29 (ntlm_auth)

BIG-IP
Two Virtual Servers. One for auth port. One for accounting port.
Production Radius Pool = 5 servers
Load balanced method Round Robin
Monitors
1. Built in monitors for auth and accounting.

radiusdev1
smb.conf
[global]
	workgroup = ROOT
	realm = SCU.AD
	security = ADS
	password server = *

[homes]
	comment = Home Directories
	read only = No
	browseable = No

[printers]
	comment = All Printers
	path = /var/spool/samba
	printable = Yes
	browseable = No

krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = SCU.AD
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 SCU.AD = {
  kdc = lp-server2-wv.scu.ad
  admin_server = lp-server2-wv.scu.ad
  default_domain = scu.ad
 }

[domain_realm]
 .kerberos.server = SCU.AD
 .scu.ad = SCU.AD

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

Log of the failed NTLM auth
Mon Sep 12 00:38:08
Mon Sep 12 00:38:09
Mon Sep 12 00:39:09
Mon Sep 12 00:39:09
Mon Sep 12 00:40:09
Mon Sep 12 00:40:09
Mon Sep 12 00:41:09
Mon Sep 12 00:41:09
Mon Sep 12 00:42:09
Mon Sep 12 00:42:09
Mon Sep 12 03:26:51
Mon Sep 12 03:26:51
Mon Sep 12 03:27:51
Mon Sep 12 03:27:51
Mon Sep 12 03:28:51
Mon Sep 12 03:28:51
Mon Sep 12 03:29:51
Mon Sep 12 03:29:51
Mon Sep 12 03:30:51
Mon Sep 12 03:30:51
Tue Sep 13 05:55:38
Tue Sep 13 05:55:38
Tue Sep 13 05:56:39
Tue Sep 13 05:56:39
Tue Sep 13 05:57:39
Tue Sep 13 05:57:39
Tue Sep 13 05:58:39
Tue Sep 13 05:58:39
Tue Sep 13 05:59:39
Tue Sep 13 05:59:39
Wed Sep 14 12:32:19
Wed Sep 14 12:32:19
Wed Sep 14 12:33:19
Wed Sep 14 12:33:19
Wed Sep 14 12:34:19
Wed Sep 14 12:34:19
Wed Sep 14 12:35:20
Wed Sep 14 12:35:20
Wed Sep 14 12:36:20
Wed Sep 14 12:36:20


radiusdev2
smb.conf
[global]
	workgroup = ROOT
	realm = SCU.AD
	security = ADS
	client schannel = Yes
	server schannel = Yes
	password server = 10.30.4.20, 10.30.4.21, *
	client signing = required
	server signing = required

[homes]
	comment = Home Directories
	read only = No
	browseable = No

[printers]
	comment = All Printers
	path = /var/spool/samba
	printable = Yes
	browseable = No

krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = SCU.AD
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 SCU.AD = {
  kdc = lp-server2-wv.scu.ad
  admin_server = lp-server2-wv.scu.ad
  default_domain = scu.ad
 }

[domain_realm]
 .kerberos.server = SCU.AD
 .scu.ad = SCU.AD

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

Log of the failed NTLM auth
Mon Sep 12 05:03:38
Mon Sep 12 05:03:39
Mon Sep 12 05:04:39
Mon Sep 12 05:04:39
Mon Sep 12 05:05:39
Mon Sep 12 05:05:39
Mon Sep 12 05:06:39
Mon Sep 12 05:06:39
Mon Sep 12 05:07:39
Mon Sep 12 05:07:39
Mon Sep 12 19:35:32
Mon Sep 12 19:35:32
Mon Sep 12 19:36:32
Mon Sep 12 19:36:32
Mon Sep 12 19:37:32
Mon Sep 12 19:37:32
Mon Sep 12 19:38:32
Mon Sep 12 19:38:32
Mon Sep 12 19:39:32
Mon Sep 12 19:39:32
Mon Sep 12 20:22:42
Mon Sep 12 20:22:42
Mon Sep 12 20:23:42
Mon Sep 12 20:23:43
Mon Sep 12 20:24:43
Mon Sep 12 20:24:43
Mon Sep 12 20:25:43
Mon Sep 12 20:25:43
Mon Sep 12 20:26:43
Mon Sep 12 20:26:43
Mon Sep 12 20:27:43
Mon Sep 12 20:27:43
Mon Sep 12 20:28:43
Mon Sep 12 20:28:43
Mon Sep 12 20:29:43
Mon Sep 12 20:29:43
Mon Sep 12 20:30:43
Mon Sep 12 20:30:43
Mon Sep 12 20:31:43
Mon Sep 12 20:31:43
Tue Sep 13 11:52:40
Tue Sep 13 11:52:40
Tue Sep 13 11:53:40
Tue Sep 13 11:53:40
Tue Sep 13 11:54:40
Tue Sep 13 11:54:40
Tue Sep 13 11:55:40
Tue Sep 13 11:55:40
Tue Sep 13 11:56:40
Tue Sep 13 11:56:40
Tue Sep 13 14:36:01
Tue Sep 13 14:36:01
Tue Sep 13 14:37:01
Tue Sep 13 14:37:01
Tue Sep 13 14:38:01
Tue Sep 13 14:38:01
Tue Sep 13 14:39:01
Tue Sep 13 14:39:01
Tue Sep 13 14:40:01
Tue Sep 13 14:40:02
Wed Sep 14 04:51:52
Wed Sep 14 04:51:52
Wed Sep 14 04:52:52
Wed Sep 14 04:52:52
Wed Sep 14 04:53:53
Wed Sep 14 04:53:53
Wed Sep 14 04:54:53
Wed Sep 14 04:54:53
Wed Sep 14 04:55:53
Wed Sep 14 04:55:53
Wed Sep 14 04:56:53
Wed Sep 14 04:56:53
Wed Sep 14 04:57:53
Wed Sep 14 04:57:53
Wed Sep 14 04:58:53
Wed Sep 14 04:58:53
Wed Sep 14 04:59:53
Wed Sep 14 04:59:53
Wed Sep 14 05:00:53
Wed Sep 14 05:00:53

-- 


Paul 
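The bare timestamps above show when the minute-by-minute ntlm_auth probe failed on each development server, but not what winbind was doing at the time. The following is an added example, not the monitoring script from the post, of a probe that records the same thing with context: the exit status and message from ntlm_auth (using the --request-nt-key form Radiator's NTLM/PEAP path relies on), which domain controller winbind is currently bound to (wbinfo --getdcname), and the result of a trust-secret check (wbinfo -t) on failure. A second function collapses the probe log into outage windows so a five-minute run of failures shows up as one line with its duration and the DC it was bound to. The domain name ROOT comes from the posted smb.conf; the test account name, the PROBE_PASS environment variable, the log path and the sample log in the test are assumptions for illustration.

```shell
#!/bin/sh
# Added example: one-minute ntlm_auth probe with context, plus an outage
# summariser. Not the script from the original post; account, password
# variable and log path are assumptions.

DOMAIN=${DOMAIN:-ROOT}              # "workgroup = ROOT" in the posted smb.conf
PROBE_USER=${PROBE_USER:-radtest}   # assumed dedicated test account
LOG=${LOG:-/var/log/ntlm_probe.log} # assumed log location
# PROBE_PASS is expected in the environment (e.g. from a root-only file),
# so the password never appears in the process list.

# One probe. Appends "<epoch> <OK|FAIL> <dc> <detail>" (tab separated) to $LOG
# and returns 0 on success, 1 on failure. On failure it also records which DC
# winbind is bound to and whether the machine trust secret still validates,
# which is what the bare timestamps in the post cannot show.
probe_once() {
    now=$(date +%s)
    out=$(ntlm_auth --request-nt-key --domain="$DOMAIN" \
            --username="$PROBE_USER" --password="$PROBE_PASS" 2>&1)
    rc=$?
    dc=$(wbinfo --getdcname="$DOMAIN" 2>/dev/null || echo unknown)
    if [ "$rc" -eq 0 ]; then
        printf '%s\tOK\t%s\t%s\n' "$now" "$dc" "$out" >> "$LOG"
        return 0
    fi
    trust=$(wbinfo -t 2>&1 | tr '\n' ' ')
    printf '%s\tFAIL\t%s\t%s | %s\n' "$now" "$dc" "$out" "$trust" >> "$LOG"
    return 1
}

# Collapse a probe log ($1) into outage windows. Consecutive FAIL records no
# more than $2 seconds apart (default 90, i.e. adjacent one-minute probes)
# form one window. Prints one line per window:
#   <start_epoch> <end_epoch> <failed_probes> <dc_at_window_start>
summarize_outages() {
    awk -F'\t' -v gap="${2:-90}" '
        $2 == "FAIL" {
            if (n && $1 - last <= gap) { last = $1; n++; next }
            if (n) print start, last, n, dc
            start = $1; last = $1; n = 1; dc = $3; next
        }
        END { if (n) print start, last, n, dc }
    ' "$1"
}

# Usage (nothing runs when sourced without arguments):
#   ntlm_probe.sh probe            # put this in cron every minute
#   ntlm_probe.sh summary [gap]    # list outage windows from $LOG
case "${1:-}" in
    probe)   probe_once ;;
    summary) summarize_outages "$LOG" "${2:-90}" ;;
esac
```

Running the summary over a few days of the log gives one line per outage with the DC winbind was using when it started; if every window on a server names the same DC while other probes succeed against a different one, that narrows the problem to that server-to-DC path rather than to AD as a whole.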