Alan DeKok <aland@deployingradius.com> hat am 31. August 2010 um 13:18 geschrieben:

> Jan Zacharias wrote:
> > Call me dump, but I have no idea what to look for.
>
>   Neither do I.  It's your system...
>
> > One idea: is ntlm_auth referred to as child? Maybe I sould
> > write a wrapper and see how long execution of this "helper program"
> > takes,
>
>   Possibly, yes.

│ ├─┬◆ 65437 root sshd: root@pts/4 (sshd)
│ │ └─┬◆ 65440 root -bash (bash)
│ │   └─┬◆ 76322 freeradius radiusd -s -X -xx -f
│ │     └─┬─ 76421 freeradius /bin/sh /usr/local/bin/ntlm_auth_wrapper --request-nt-key --domain=DFKI --username=jan --challenge=xxx --nt-response=xxx

 

So, yes :)

 

The wrapper logged PID and time (real,sys,user) of ntlm_auth

To speed up the debugging, I introduced a sleep of varying duration in the ntlm_auth_wrapper.

I found that freeradius kills the ntlm stuff if it takes longer than ten seconds to complete.

 

My suggestion is that we introduce a configuration variable ntlm_auth_retries so that freerad kills the process,

but then tries again until the retry-count is reached. This would greatly improve reliability in stress/high load/failover

scenarios :)

 

What do you think, Alan? Anyone else?

 


Best, Jan

 

> >   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html