Intermittent failures of mod_krb5
Isaac Boukris
iboukris at gmail.com
Fri Feb 23 16:12:02 CET 2018
On Fri, Feb 23, 2018 at 2:43 PM, Brian Candler <b.candler at pobox.com> wrote:
> Hello,
>
> I have been setting up freeradius-3.0.15 (from PPA) under Ubuntu 16.04, and
> using mod_krb5 to authenticate against Samba4. There are four freeradius
> servers, each with a Samba replica behind it.
>
> Once every few days, I get alerts from nagios saying one or more RADIUS
> servers has stopped working for a few minutes, and then they recover. There
> are two nagios servers making RADIUS checks across all four RADIUS servers,
> and both nagios servers see the problem simultaneously.
>
> I now have authentication logging turn on, and at the time of the last event
> I see:
>
> ... all OK
> Thu Feb 22 17:21:51 2018 : Auth: (273) Login OK: [nagiostest] (from client
> ix_nagios port 0)
> Thu Feb 22 17:22:38 2018 : Auth: (274) Login OK: [nagiostest] (from client
> wrn_mon2 port 0)
> Thu Feb 22 17:23:00 2018 : Error: Unresponsive child for request 275, in
> component authenticate module krb5
> Thu Feb 22 17:23:10 2018 : WARNING: (275) WARNING: Module rlm_krb5 became
> unblocked
In addition to radiusd debugs you can export KRB5_TRACE environment
variable and have the library print traces into a log file.
Also try to avoid dns (and rdns) lookups in krb5.conf, may help.
More information about the Freeradius-Users
mailing list