Multi-domain AD and Users Who Aren't So Bright

McNutt, Justin M. McNuttJ at missouri.edu
Fri Feb 10 15:45:40 CET 2012



From: Phil Mayers <p.mayers at imperial.ac.uk>
Reply-To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Date: Thu, 2 Feb 2012 14:09:30 +0000
To: <freeradius-users at lists.freeradius.org>
Subject: Re: Multi-domain AD and Users Who Aren't So Bright

> On 02/02/2012 12:35 PM, McNutt, Justin M. wrote:
>> ridiculously large number of phone calls to our Help Desk demonstrate
>> this, not to mention the "Login incorrect" messages from FR.  (I
>> built all of my "fix it" stanzas based on actual failed login
>> attempts by users.)
>
> The other "option" is a single-domain environment. I've no idea of the
> size of your site, but we do this. It removes a lot of hassle.
>
> Obviously, that's probably not a sensible option for you; the disruption
> of a move would be enormous!

We looked at this.  A lot.  For these specific reasons.  The main problems are political.  TECHNICALLY, we could just build a new domain in the existing forest and put everything NEW into that domain, then allow all of the other domains (except two) to fade out through attrition.  The two exceptions would be the forest root (which contains no user or computer accounts), and a special domain that contains only retired user accounts (long story) and is thus not my problem.

But we won't do that, because this is a multi-campus university with lots of autonomy issues and wrangling for independence.  So we'll have to "fight the good fight" and make any software we use work in a multi-domain environment as AD was intended to work, regardless of any other practical issues.  ;)

>> We've also seen winbind drop out of the domain for no readily apparent
>> reason.
>
> Winbind is also REALLY bad at detecting domain controller failure; it
> keeps the TCP connection to the chosen DC open, and can take 30 seconds
> or more to detect failures, and only *then* performs DC re-discovery.
> Sigh...
>
> Unfortunately, I don't have the time to chase the underlying problems
> and report them to the Samba guys.

Same here on all counts, though we don't have machines dropping out very often.  But these kinds of things are why we have some complicated load balancing and redundancy in front of the RADIUS servers.  It's not a failure of FreeRADIUS, but rather the imperfect world that FR lives in.  Plus, in addition to reading through these replies and refining my multi-domain user-ID-fixing implementation, my current FR effort is to make the config more robust and tolerant of server failures.  The ldap module is currently configured in a way that depends entirely upon a single domain controller.  That's bad.  I KNOW there's a way to config FR better than this.  I just have to go read more stuff in /usr/share/docs/freeradius.

--J
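The single-domain-controller dependency Justin describes in the ldap module is the kind of thing FreeRADIUS 2.x can address without outside load balancers: define one rlm_ldap instance per domain controller and wrap them in an unlang "redundant" block. The following is an added example written for this page; it is neither configuration from the thread nor from the FreeRADIUS project. The host names, bind DN, password, base DN and CA file are hypothetical placeholders.

```text
# raddb/modules/ldap   (FreeRADIUS 2.x syntax; all names below are hypothetical)
#
# One rlm_ldap instance per domain controller of the SAME domain. Because
# both DCs hold the same directory, a "user not found" from either one is
# final; only a connection or search *failure* should fall through.
ldap ldap_dc1 {
	server = "dc1.campus.example.edu"
	identity = "cn=radius-bind,ou=Service Accounts,dc=campus,dc=example,dc=edu"
	password = "bind-password-here"
	basedn = "dc=campus,dc=example,dc=edu"

	# AD users authenticate with sAMAccountName. Stripped-User-Name is set by
	# the realm modules (ntdomain/suffix) once a DOMAIN\ prefix or @domain
	# suffix has been removed; fall back to the raw User-Name otherwise.
	filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"

	# Short network timeout: a DC that stops answering is skipped after one
	# second instead of after the 30+ seconds winbind needs to notice.
	net_timeout = 1
	timeout = 4
	timelimit = 3
	ldap_connections_number = 5
	dictionary_mapping = ${confdir}/ldap.attrmap

	tls {
		start_tls = yes
		cacertfile = ${certdir}/ad-ca.pem   # hypothetical path to the AD CA certificate
		require_cert = "demand"             # never bind over an unverified channel
	}
}

ldap ldap_dc2 {
	server = "dc2.campus.example.edu"
	identity = "cn=radius-bind,ou=Service Accounts,dc=campus,dc=example,dc=edu"
	password = "bind-password-here"
	basedn = "dc=campus,dc=example,dc=edu"
	filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
	net_timeout = 1
	timeout = 4
	timelimit = 3
	ldap_connections_number = 5
	dictionary_mapping = ${confdir}/ldap.attrmap
	tls {
		start_tls = yes
		cacertfile = ${certdir}/ad-ca.pem
		require_cert = "demand"
	}
}

# raddb/sites-enabled/default, authorize section
authorize {
	preprocess

	# Normalise CAMPUS\jsmith and jsmith@campus.example.edu to Stripped-User-Name
	# so the LDAP filter above sees the bare account name. Both modules need a
	# matching local realm in proxy.conf.
	ntdomain
	suffix

	# "redundant" tries ldap_dc2 only when ldap_dc1 returns "fail" (connection
	# refused, net_timeout expired). "ok", "updated" and "notfound" end the block.
	# Use "redundant-load-balance" instead to spread queries across both DCs
	# while keeping the same fail-over behaviour.
	redundant {
		ldap_dc1
		ldap_dc2
	}

	mschap
	pap
}
```

Two things to check after wiring this up: run `radiusd -X`, stop dc1, and confirm the debug output shows ldap_dc1 returning "fail" after about one second and ldap_dc2 answering; and confirm a genuinely unknown user produces "notfound" from ldap_dc1 alone, since a second lookup on dc2 for a user the first DC already rejected only adds latency. Separate domains in the forest get their own pair of instances with their own basedn, selected by realm, rather than being folded into one redundant block.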
