Re: Degradation of service when authentication fails with Windows AD
The PAM APIs are synchronous, and don't offer timeout options. It's not possible to timeout a PAM call; FreeRADIUS is entirely at the mercy of PAM.
Don't use PAM, it's not suitable for your needs. Use "ntlm_auth", and FreeRADIUS can timeout the call.
We migrated to PAM when the problems started. Previously we used "ntlm_auth" and the problem appeared more frequently. I also recommended using PAM-Kerberos because they said it was better integrated with Windows. Is "ntlm_auth" the best way to authenticate with Windows AD? We have several domains to authenticate and need stability in case one of them does not respond.
On 07/02/13 09:51, Antonio Alberola wrote:
The PAM APIs are synchronous, and don't offer timeout options. It's not possible to timeout a PAM call; FreeRADIUS is entirely at the mercy of PAM.
Don't use PAM, it's not suitable for your needs. Use "ntlm_auth", and FreeRADIUS can timeout the call.
We migrated to PAM when the problems started. Previously we used "ntlm_auth" and the problem appeared more frequently. I also recommended using PAM-Kerberos because they said it was better integrated with Windows. Is "ntlm_auth" the best way to authenticate with Windows AD? We have several domains to authenticate and need stability in case one of them does not respond.
The problem is, you're being way too vague and imprecise. If you can describe the problem you're having, in correct terminology, people might be able to make a suggestion. Be specific, about the issues, the architecture you have, what you're trying to achieve, and so on. From what you've described so far, it sounds like you are losing connectivity to one or more AD controllers, which is causing PAM to hang (waiting for a Kerberos reply) or Samba/ntlm_auth to hang (waiting for an RPC reply). It should be obvious what the solution is - reliable connectivity to a reliable AD controller.
participants (2)
-
Antonio Alberola -
Phil Mayers