I don't just call ntlm_auth Because I want to simulate the entire EAP request (as if it is another of my wireless controllers) and get regular logs from radius that the server is responding. If some (although it hasn't happened!) piece of my radius stack has a problem (say, the mysql connections break for some reason) I want a full restart of the service. Just testing authentication doesn't give me a full radius stack picture. - John Douglass Georgia Institute of Technology Sr. Systems Architect On 05/06/2013 12:25 PM, Phil Mayers wrote:
On 06/05/2013 14:40, John Douglass wrote:
ntlm_auth talks to winbind. Winbind maintains a single long-lived connection to a single AD controller.
It can take anything up to 60 seconds for winbind to realise this connection has gone down, during which time all ntlm_auth will hang or fail. This has caused us problems on a number of occasions.
So in fact, your approach is interesting to me; have you tested it e.g. by using iptables/ipfw to block access to an AD controller and seeing if it fails over? - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I wrote a script that does an eapol_test every minute. If it fails, it immediately tries twice more. If THAT fails, then I restart winbind, restart radius, and things continue on their happy way.
That'll work too, although I wonder why you're not just calling ntlm_auth? - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html