Degradation of service when authentication fails with Windows AD
p.mayers at imperial.ac.uk
Mon Feb 11 13:32:52 CET 2013
On 11/02/13 11:23, Antonio Alberola wrote:
> When we monitored the network and one of the Windows AD we could confirm
> that requests from Radius don't reach the AD, because they don't leave
> Radius. We believe that connectivity between Radius and AD is correct, they
> are on the same LAN and the AD continues to validate correctly even when
> Radius is failing.
Let me put this as simply as possible, but I'm getting tired of
Do not use PAM. PAM APIs are blocking. If PAM or an underlying module
hangs, the thread in FreeRADIUS will hang. If you keep receiving
authentication requests, eventually the entire thread pool will be blocked.
Do not use PAM.
Is this clear?
> From my point of view, for any reason, Radius receives requests that it can
> not manage, because of the AD, the network or whatever. These requests keep
> waiting and the buffer fills completely. I don't know why these requests are
> not removed from the queue and the buffer is cleared in order to allow new
> requests. In this way we could avoid that requests to the rest of the AD fail
> because of a particular AD.
Because FreeRADIUS doesn't work that way. It uses a thread pool (of
finite size) to process requests in a blocking fashion. If the API or
intermediate system it calls blocks forever, FreeRADIUS blocks forever,
and if you keep receiving requests, eventually your entire thread pool
will be exhausted.
FreeRADIUS cannot timeout synchronous C API calls. This is impossible to
do safely in POSIX.
Is this clear?
Only a few FreeRADIUS modules can "timeout" requests. The "exec" module
(and functionality built on top of it) is one of them.
Therefore, you should be using "exec" wrapping "ntlm_auth" from Samba.
Unfortunately, the "exec" timeout is hard-coded in the source at 10
seconds. Therefore, depending on your load, you might still suffer
thread pool exhaustion. But it will self-correct, because the requests
will eventually time out.
I hope I have made myself clear.
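As an added illustration of the recommendation above (example configuration, not from the original post or the FreeRADIUS project), this is what "exec" wrapping Samba's ntlm_auth looks like for PAP requests. Assumed values: the ntlm_auth path /usr/bin/ntlm_auth, the AD domain EXAMPLE, and a FreeRADIUS 2.x layout; adjust to your installation.

```conf
# Added example, not part of the original mail. Assumptions: ntlm_auth is
# installed at /usr/bin/ntlm_auth, the AD domain is EXAMPLE, FreeRADIUS 2.x.

# modules/ntlm_auth
exec ntlm_auth {
    # wait = yes runs ntlm_auth synchronously and uses its exit code as the
    # result. This is the rlm_exec code path that has the timeout (hard-coded
    # at 10 s in the version discussed), so a query stuck on an unresponsive
    # domain controller eventually returns and frees the worker thread,
    # instead of blocking it forever as a PAM call would.
    wait = yes
    # ntlm_auth needs the cleartext password, so this only works for PAP.
    # For MS-CHAP, rlm_mschap's own ntlm_auth setting is used instead.
    program = "/usr/bin/ntlm_auth --request-nt-key --domain=EXAMPLE --username=%{mschap:User-Name} --password=%{User-Password}"
    shell_escape = yes
}

# sites-enabled/default
authorize {
    # other modules as before
    if (User-Password) {
        update control {
            Auth-Type := ntlm_auth
        }
    }
}

authenticate {
    # other Auth-Type blocks as before
    Auth-Type ntlm_auth {
        ntlm_auth
    }
}
```

Under heavy load a 10 s worst case per stuck request can still exhaust the thread pool temporarily; size the pool (the thread pool settings in radiusd.conf) with that in mind, and watch for a rising count of requests in the queue as an early sign that a domain controller has stopped answering.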