redundant-load-balance for AD ntlmauth
Hello I use redundant-load-balance for ldap user auth to authenticate users to a pool of active directory servers for one service. That seems to work well. I'm trying to think why I don't do that for ntlmauth (used inside mschap inner-tunnel) for another other service. I've knocked that up to test it with mschap modules like (with N being 1,2,3,4,5) mschap mschapadN { with_ntdomain_hack = yes ntlm_auth = "/usr/local/bin/mschap-ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00} --configfile=/etc/samba/smb-adN.conf" } where /etc/samba/smb-adN.conf is the same as the others except for "password server = adN.domain" and then in the inner-tunnel site I have authenticate { Auth-Type MS-CHAP { redundant-load-balance { mschapad1 mschapad2 .. mschapadN } } } Is this along the lines that others follow? if not how does ntlmauth handle the AD server being down. Does ntlmauth/winbind handle AD being down so freeradius does not have to? Thanks, Neil
FreeRadius List wrote:
I use redundant-load-balance for ldap user auth to authenticate users to a pool of active directory servers for one service. That seems to work well.
Because the LDAP module maintains a long-lived connection to the LDAP server.
I'm trying to think why I don't do that for ntlmauth (used inside mschap inner-tunnel) for another other service.
It won't work for ntlm_auth. That re-connects to Samba every time. Samba is responsible for maintaining long-lived connections to AD. If ntlm_auth fails, it's because (a) Samba is down, or (b) the AD server is down.
I've knocked that up to test it with mschap modules like (with N being 1,2,3,4,5)
mschap mschapadN { with_ntdomain_hack = yes ntlm_auth = "/usr/local/bin/mschap-ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00} --configfile=/etc/samba/smb-adN.conf" }
where /etc/samba/smb-adN.conf is the same as the others except for "password server = adN.domain"
I'm not sure that will work. You'll have to check with the Samba people.
Is this along the lines that others follow?
No. I've never seen this before.
if not how does ntlmauth handle the AD server being down. Does ntlmauth/winbind handle AD being down so freeradius does not have to?
Samba handles it. Alan DeKok.
Thank you I'll check with the samba people and get a better understanding of how ntlm_auth works. On 29 Apr 2013 13:58, "Alan DeKok" <aland@deployingradius.com> wrote:
FreeRadius List wrote:
I use redundant-load-balance for ldap user auth to authenticate users to a pool of active directory servers for one service. That seems to work well.
Because the LDAP module maintains a long-lived connection to the LDAP server.
I'm trying to think why I don't do that for ntlmauth (used inside mschap inner-tunnel) for another other service.
It won't work for ntlm_auth. That re-connects to Samba every time.
Samba is responsible for maintaining long-lived connections to AD. If ntlm_auth fails, it's because (a) Samba is down, or (b) the AD server is down.
I've knocked that up to test it with mschap modules like (with N being 1,2,3,4,5)
mschap mschapadN { with_ntdomain_hack = yes ntlm_auth = "/usr/local/bin/mschap-ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00} --configfile=/etc/samba/smb-adN.conf" }
where /etc/samba/smb-adN.conf is the same as the others except for "password server = adN.domain"
I'm not sure that will work. You'll have to check with the Samba people.
Is this along the lines that others follow?
No. I've never seen this before.
if not how does ntlmauth handle the AD server being down. Does ntlmauth/winbind handle AD being down so freeradius does not have to?
Samba handles it.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 04/29/2013 11:03 PM, FreeRadius List wrote:
Thank you I'll check with the samba people and get a better understanding of how ntlm_auth works.#
(Sorry for the late reply) The short version here is: badly. ntlm_auth talks to winbind. Winbind maintains a single long-lived connection to a single AD controller. It can take anything up to 60 seconds for winbind to realise this connection has gone down, during which time all ntlm_auth will hang or fail. This has caused us problems on a number of occasions. So in fact, your approach is interesting to me; have you tested it e.g. by using iptables/ipfw to block access to an AD controller and seeing if it fails over?
On 5/6/2013 9:24 AM, Phil Mayers wrote:
On 04/29/2013 11:03 PM, FreeRadius List wrote:
Thank you I'll check with the samba people and get a better understanding of how ntlm_auth works.#
(Sorry for the late reply)
The short version here is: badly.
ntlm_auth talks to winbind. Winbind maintains a single long-lived connection to a single AD controller.
It can take anything up to 60 seconds for winbind to realise this connection has gone down, during which time all ntlm_auth will hang or fail. This has caused us problems on a number of occasions.
So in fact, your approach is interesting to me; have you tested it e.g. by using iptables/ipfw to block access to an AD controller and seeing if it fails over? - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I wrote a script that does an eapol_test every minute. If it fails, it immediately tries twice more. If THAT fails, then I restart winbind, restart radius, and things continue on their happy way. Imperfect, yes. But for us it works well enough for us. You'll have to tweak out the parts that aren't included but it should be a quick and dirty hack up if you want to use something similar. #!/usr/local/bin/php <? require_once("Syslog.class"); require_once("LAWN_Config.class"); require_once('SNACKS_Notify.php'); $log = new Syslog("checkWpaRadius"); $config = new LAWN_Config(); $pid_file = "/var/run/radiusd.pid"; $pid = @file_get_contents($pid_file); function radiusRespondingToEap() { $config = new LAWN_Config(); // Radius is running, but now we need to determine if it is responding to queries $c = $config->eapol; $eapTestCmd = "{$c->bin} -c {$c->config} -a {$c->server} -p {$c->port} -s {$c->secret} -t {$c->timeout}"; $output = `$eapTestCmd`; $stuff = explode("\n",trim($output)); $result = array_pop($stuff); if($result == "SUCCESS") return TRUE; else return FALSE; exit(); } if (($pid !== FALSE) && posix_kill(trim($pid),0)) { $i = 0; while(1) { $i++; if(radiusRespondingToEap()) { $message = "Radius is responding to EAP requests."; $log->log($message,"INFO"); break; } else { $message = "Radius is not responding to EAP requests! Attempt: $i"; $log->log($message,"ERR"); if($i >= $config->eapol->retries) { $message = "Reached maximum number of retries ({$config->eapol->retries}). Attempting to restart radius!"; $log->log($message,"CRIT"); print("$message\n"); SNACKS_Notify::sendErrorMail("LAWN: WPA Radius not responding", $message."\n\n"); `/etc/init.d/winbind stop`; `/etc/init.d/radiusd stop`; sleep(3); `/etc/init.d/winbind start`; sleep(1); `/etc/init.d/radiusd start`; break; } else { sleep(5); } } } } else { $log->log("Radius is NOT running. Restarting!","CRIT"); SNACKS_Notify::sendErrorMail("LAWN: WPA Radius not running", 'Restarting radius!'); `/etc/init.d/radiusd restart`; }
On 06/05/2013 14:40, John Douglass wrote:
ntlm_auth talks to winbind. Winbind maintains a single long-lived connection to a single AD controller.
It can take anything up to 60 seconds for winbind to realise this connection has gone down, during which time all ntlm_auth will hang or fail. This has caused us problems on a number of occasions.
So in fact, your approach is interesting to me; have you tested it e.g. by using iptables/ipfw to block access to an AD controller and seeing if it fails over? - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I wrote a script that does an eapol_test every minute. If it fails, it immediately tries twice more. If THAT fails, then I restart winbind, restart radius, and things continue on their happy way.
That'll work too, although I wonder why you're not just calling ntlm_auth?
I don't just call ntlm_auth Because I want to simulate the entire EAP request (as if it is another of my wireless controllers) and get regular logs from radius that the server is responding. If some (although it hasn't happened!) piece of my radius stack has a problem (say, the mysql connections break for some reason) I want a full restart of the service. Just testing authentication doesn't give me a full radius stack picture. - John Douglass Georgia Institute of Technology Sr. Systems Architect On 05/06/2013 12:25 PM, Phil Mayers wrote:
On 06/05/2013 14:40, John Douglass wrote:
ntlm_auth talks to winbind. Winbind maintains a single long-lived connection to a single AD controller.
It can take anything up to 60 seconds for winbind to realise this connection has gone down, during which time all ntlm_auth will hang or fail. This has caused us problems on a number of occasions.
So in fact, your approach is interesting to me; have you tested it e.g. by using iptables/ipfw to block access to an AD controller and seeing if it fails over? - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I wrote a script that does an eapol_test every minute. If it fails, it immediately tries twice more. If THAT fails, then I restart winbind, restart radius, and things continue on their happy way.
That'll work too, although I wonder why you're not just calling ntlm_auth? - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 06/05/13 17:51, John Douglass wrote:
I don't just call ntlm_auth Because I want to simulate the entire EAP request (as if it is another of my wireless controllers) and get regular logs from radius that the server is responding. If some (although it hasn't happened!) piece of my radius stack has a problem (say, the mysql connections break for some reason) I want a full restart of the service. Just testing authentication doesn't give me a full radius stack picture.
Ah gotcha, I missed that you were also restarting radius. I thought we were talking solely about Samba failure.
participants (4)
-
Alan DeKok -
FreeRadius List -
John Douglass -
Phil Mayers