On 06/05/2013 14:40, John Douglass wrote:
ntlm_auth talks to winbind. Winbind maintains a single long-lived connection to a single AD controller.
It can take anything up to 60 seconds for winbind to realise this connection has gone down, during which time all ntlm_auth will hang or fail. This has caused us problems on a number of occasions.
So in fact, your approach is interesting to me; have you tested it e.g. by using iptables/ipfw to block access to an AD controller and seeing if it fails over? - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I wrote a script that does an eapol_test every minute. If it fails, it immediately tries twice more. If THAT fails, then I restart winbind, restart radius, and things continue on their happy way.
That'll work too, although I wonder why you're not just calling ntlm_auth?