Failed (re-)authentification after some time...

Jan Zacharias janz at
Wed Sep 1 14:51:49 CEST 2010


Alan DeKok <aland at> wrote on 31 August 2010 at 13:18:

> Jan Zacharias wrote:
> > Call me dumb, but I have no idea what to look for.
>   Neither do I.  It's your system...
> > One idea: is ntlm_auth referred to as child? Maybe I should
> > write a wrapper and see how long execution of this "helper program"
> > takes,
>   Possibly, yes.

│ ├─┬◆ 65437 root sshd: root at pts/4 (sshd)
│ │ └─┬◆ 65440 root -bash (bash)
│ │   └─┬◆ 76322 freeradius radiusd -s -X -xx -f
│ │     └─┬─ 76421 freeradius /bin/sh /usr/local/bin/ntlm_auth_wrapper --request-nt-key --domain=DFKI --username=jan --challenge=xxx --nt-response=xxx


So, yes :)


The wrapper logged PID and time (real,sys,user) of ntlm_auth.

To speed up the debugging, I introduced a sleep of varying duration in the

I found that freeradius kills the ntlm stuff if it takes longer than ten seconds
to complete.


My suggestion is that we introduce a configuration variable ntlm_auth_retries so
that freerad kills the process, but then tries again until the retry-count is
reached. This would greatly improve reliability in stress/high load/failover
scenarios :)


What do you think, Alan? Anyone else?


Best, Jan


> >   Alan DeKok.
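
A timing wrapper of the kind described in the message above, as an added example that is not the wrapper from the post. It writes a start line before running the helper and an end line after it, so a start without a matching end marks a run that was killed before the helper returned. The helper path, log path, variable names and function names are assumptions.

```shell
#!/bin/sh
# Added example, not the wrapper from the post.
# Assumed names: NTLM_AUTH_BIN, WRAPPER_LOG, SLOW_SECS, run_timed, unfinished_runs.
NTLM_AUTH_BIN="${NTLM_AUTH_BIN:-/usr/bin/ntlm_auth}"            # assumed install path
WRAPPER_LOG="${WRAPPER_LOG:-/var/log/ntlm_auth_wrapper.log}"    # assumed; must be writable by the radiusd user
SLOW_SECS="${SLOW_SECS:-8}"   # flag runs that come close to the ten-second kill

# Run the helper with a start line logged before and an end line after.
# Arguments are never logged: they carry the challenge and the NT response.
# The helper's stdout and exit status pass through unchanged.
run_timed() {
    rt_start=$(date +%s)      # one-second resolution is enough against a ten-second limit
    echo "$rt_start pid=$$ start" >> "$WRAPPER_LOG"
    rt_rc=0
    "$NTLM_AUTH_BIN" "$@" || rt_rc=$?
    rt_elapsed=$(( $(date +%s) - rt_start ))
    rt_flag=""
    if [ "$rt_elapsed" -ge "$SLOW_SECS" ]; then rt_flag=" SLOW"; fi
    echo "$(date +%s) pid=$$ end rc=$rt_rc elapsed=${rt_elapsed}s$rt_flag" >> "$WRAPPER_LOG"
    return "$rt_rc"
}

# List wrapper PIDs that logged a start but never an end, i.e. runs that were
# killed (or are still running) before the helper returned.
unfinished_runs() {
    awk '$3 == "start" { pending[$2] = $1 }
         $3 == "end"   { delete pending[$2] }
         END { for (p in pending) print p, "started", pending[p] }' "$1" | sort
}

# Act as the wrapper only when installed under the name seen in the process tree.
case "$0" in
    *ntlm_auth_wrapper) run_timed "$@"; exit $? ;;
esac
```
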
