Kerberos - Radius does not get password

Phil Mayers p.mayers at imperial.ac.uk
Sat Dec 29 13:32:23 CET 2012


On 12/28/2012 10:41 PM, Alan Buxey wrote:
> Hmm, having run FR with AD authentication using winbindd and samba for
> many many years I am interested in what problems with those daemons you
> were having ... why need the frequent restarts etc.  eduroam certainly
> wouldn't have had the high take-up we've seen in eg Europe if all sites
> had to reengineer their backend authentication and couldn't use
> PEAP/MSCHAPv2

In fairness, we've seen the occasional problem, though very rarely, that 
has required a restart of winbind.

I have the impression that winbind is extremely (and I do mean 
extremely) sensitive to certain aspects of an AD configuration, such as 
your domain "level", version of domain controllers, group policy 
mandating SMB sign/seal, and so forth. So there are a lot of variables 
in there. Maybe academic sites trend towards a config that's more forgiving?

Winbind also only ever talks to one domain controller at a time, and 
takes an age to fail over (90+ seconds) if that DC goes away. On a couple 
of occasions, the problems we've had have followed a DC being taken out 
of service, and have necessitated a restart of both smbd and winbindd - 
winbind just seems to hang. But on other occasions, it hasn't been a 
problem - weird.

I also suspect it's *highly* dependent on the Samba version. Many people 
just run the packaged OS version, and these are often older 3.x releases 
that don't play well with their combination of features.

Just to repeat: the problems we've had are rare. But software is usually 
fairly deterministic and I guess if other people experience the triggers 
more often, they'll have the problems more often.

If I had the time, I'd engage in some serious resilience testing of a 
samba/winbind config as used for MSCHAP and try and identify the cause 
(and open some bugs) and any mitigations. But I don't :o(

Unfortunately, if you run AD and have significant numbers of Windows 
clients, you don't really have any choice but to use MSCHAP, and thus 
samba/winbind, IMO.
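The hang described above (winbind stops answering after a DC goes away, rather than failing cleanly) is the case an operator most wants to detect before MSCHAP requests start timing out. The following health probe is an added example, not code from the post or from the Samba or FreeRADIUS projects. It assumes Samba's wbinfo tool is installed: `wbinfo -p` pings winbindd and `wbinfo -t` checks the trust secret with the domain controller. The key design point is the deadline: a probe that returns nothing within the timeout is reported as "hung", distinct from a probe that returns an error, because the hung state is the one that needs a restart rather than a configuration fix.

```python
"""Health probe for a winbindd backing FreeRADIUS ntlm_auth / MSCHAP.

Added example; it is not part of the mailing-list post. It assumes the
Samba wbinfo command-line tool is installed:
    wbinfo -p   ping winbindd
    wbinfo -t   check the machine trust secret with the DC
A probe that does not answer within the deadline is classified as
"hung", which is the failure mode worth alerting on.
"""
import subprocess
import sys
import time
from dataclasses import dataclass


@dataclass
class ProbeResult:
    name: str
    status: str      # "ok", "failed" or "hung"
    seconds: float   # wall-clock time the probe took
    detail: str = ""


def run_probe(name, argv, timeout_s):
    """Run one probe command with a hard deadline and classify the outcome."""
    start = time.monotonic()
    try:
        proc = subprocess.run(argv, capture_output=True, text=True,
                              timeout=timeout_s)
    except subprocess.TimeoutExpired:
        # subprocess.run kills the child on timeout; nothing came back in time.
        return ProbeResult(name, "hung", time.monotonic() - start,
                           f"no answer within {timeout_s}s")
    except FileNotFoundError:
        return ProbeResult(name, "failed", time.monotonic() - start,
                           f"probe binary not found: {argv[0]}")
    elapsed = time.monotonic() - start
    if proc.returncode == 0:
        return ProbeResult(name, "ok", elapsed, proc.stdout.strip())
    return ProbeResult(name, "failed", elapsed,
                       (proc.stderr or proc.stdout).strip())


# Default probes: the real wbinfo invocations (assumed installed in PATH).
DEFAULT_PROBES = {
    "winbindd-ping": ["wbinfo", "-p"],
    "dc-trust-secret": ["wbinfo", "-t"],
}


def check_winbind(probes=None, timeout_s=5.0):
    """Run every probe and return the list of results."""
    probes = DEFAULT_PROBES if probes is None else probes
    return [run_probe(name, argv, timeout_s) for name, argv in probes.items()]


def overall_status(results):
    """Worst status wins: hung > failed > ok."""
    statuses = {r.status for r in results}
    if "hung" in statuses:
        return "hung"
    if "failed" in statuses:
        return "failed"
    return "ok"


if __name__ == "__main__":
    results = check_winbind()
    for r in results:
        print(f"{r.name:16} {r.status:6} {r.seconds:5.2f}s {r.detail}")
    state = overall_status(results)
    print(f"overall: {state}")
    # Exit codes suitable for a cron or Nagios-style wrapper:
    # 0 healthy, 1 failed (needs investigation), 2 hung (needs restart).
    sys.exit({"ok": 0, "failed": 1, "hung": 2}[state])
```

Run it from cron or a monitoring agent on each RADIUS server; a "hung" exit is the signal to restart winbindd (and, as the post notes, sometimes smbd as well), whereas "failed" usually points at the domain configuration or trust secret rather than at a stuck daemon. The timeout should be set well below the RADIUS client's own retransmit interval so the probe notices the hang before users do.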
