Failed (re-)authentification after some time...
Jan Zacharias
janz at dfki.de
Wed Sep 1 14:51:49 CEST 2010
Alan DeKok <aland at deployingradius.com> wrote on 31 August 2010 at 13:18:
> Jan Zacharias wrote:
> > Call me dumb, but I have no idea what to look for.
>
> Neither do I. It's your system...
>
> > One idea: is ntlm_auth referred to as child? Maybe I should
> > write a wrapper and see how long execution of this "helper program"
> > takes,
>
> Possibly, yes.
│ ├─┬◆ 65437 root sshd: root at pts/4 (sshd)
│ │ └─┬◆ 65440 root -bash (bash)
│ │ └─┬◆ 76322 freeradius radiusd -s -X -xx -f
│ │ └─┬─ 76421 freeradius /bin/sh /usr/local/bin/ntlm_auth_wrapper
--request-nt-key --domain=DFKI --username=jan --challenge=xxx --nt-response=xxx
So, yes :)
The wrapper logged PID and time (real,sys,user) of ntlm_auth.
To speed up the debugging, I introduced a sleep of varying duration in the
ntlm_auth_wrapper.
I found that freeradius kills the ntlm stuff if it takes longer than ten seconds
to complete.
My suggestion is that we introduce a configuration variable ntlm_auth_retries so
that freerad kills the process,
but then tries again until the retry-count is reached. This would greatly
improve reliability in stress/high load/failover
scenarios :)
What do you think, Alan? Anyone else?
Best, Jan
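
Added example (not part of the original post, and not the wrapper Jan used): a sketch of a timing wrapper of the kind described above, logging the PID, wall-clock time and exit status of each ntlm_auth run. The binary path, log path and variable names are assumptions, and it records wall-clock seconds only, not sys/user time.

```shell
#!/bin/sh
# Added example, not the wrapper from the post. All names/paths are assumptions.
NTLM_AUTH_BIN="${NTLM_AUTH_BIN:-/usr/bin/ntlm_auth}"         # assumed location
WRAPPER_LOG="${WRAPPER_LOG:-/var/log/ntlm_auth_wrapper.log}" # hypothetical path
KILL_LIMIT="${KILL_LIMIT:-10}"  # seconds; the limit observed in the post

now() { date '+%Y-%m-%dT%H:%M:%S'; }

# classify SECONDS: "over-limit" at/after the limit, "slow" from half of it.
classify() {
    if [ "$1" -ge "$KILL_LIMIT" ]; then echo over-limit
    elif [ $(( $1 * 2 )) -ge "$KILL_LIMIT" ]; then echo slow
    else echo ok
    fi
}

# run_logged ARGS...: run the helper, pass stdout and exit status through.
# Arguments are never logged: they carry the username, challenge and response.
# A "start" line with no matching "end" line means the wrapper itself was
# killed before the helper returned.
run_logged() {
    t0=$(date +%s)
    printf '%s start wrapper_pid=%s\n' "$(now)" "$$" >> "$WRAPPER_LOG"
    "$NTLM_AUTH_BIN" "$@" &
    child=$!
    status=0
    wait "$child" || status=$?
    elapsed=$(( $(date +%s) - t0 ))
    printf '%s end wrapper_pid=%s child_pid=%s elapsed=%ss exit=%s %s\n' \
        "$(now)" "$$" "$child" "$elapsed" "$status" "$(classify "$elapsed")" \
        >> "$WRAPPER_LOG"
    return "$status"
}

# Act as the wrapper only when invoked with arguments, as radiusd does.
if [ "$#" -gt 0 ]; then
    run_logged "$@"
    exit $?
fi
```

Counting "start" lines without a matching "end" line, together with the "slow" entries, shows how often the helper runs close to or past the limit.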