Kerberos - Radius does not get password
Phil Mayers
p.mayers at imperial.ac.uk
Sat Dec 29 13:32:23 CET 2012
On 12/28/2012 10:41 PM, Alan Buxey wrote:
> Hmm, having run FR with AD authentication using winbindd and samba for
> many many years I am interested in what problems with those daemons you
> were having ... why need the frequent restarts etc. eduroam certainly
> wouldn't have had the high take-up we've seen in e.g. Europe if all sites
> had to reengineer their backend authentication and couldn't use
> PEAP/MSCHAPv2
In fairness, we've seen the occasional problem, though very rarely, that
has required a restart of winbind.
I have the impression that winbind is extremely (and I do mean
extremely) sensitive to certain aspects of an AD configuration, such as
your domain "level", version of domain controllers, group policy
mandating SMB sign/seal, and so forth. So there are a lot of variables
in there. Maybe academic sites trend towards a config that's more forgiving?
Winbind also only ever talks to one domain controller at a time, and
takes an age to failover (90+ seconds) if that DC goes away. On a couple
of occasions, the problems we've had have followed a DC being taken out
of service, and have necessitated a restart of both smbd and winbindd -
winbind just seems to hang. But on other occasions, it hasn't been a
problem - weird.
I also suspect it's *highly* dependent on the Samba version. Many people
just run the packaged OS version, and these are often older 3.x releases
that don't play well with their combination of features.
Just to repeat: the problems we've had are rare. But software is usually
fairly deterministic and I guess if other people experience the triggers
more often, they'll have the problems more often.
If I had the time, I'd engage in some serious resilience testing of a
samba/winbind config as used for MSCHAP and try to identify the cause
(and open some bugs) and any mitigations. But I don't :o(
Unfortunately, if you run AD and have significant numbers of Windows
clients, you don't really have any choice but to use MSCHAP, and thus
samba/winbind, IMO.
More information about the Freeradius-Users mailing list
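The message above describes winbindd hanging after a domain controller goes away and taking 90+ seconds to fail over, with a restart of smbd and winbindd as the remedy. The script below is an added example, not code from the thread, from Samba or from FreeRADIUS: it probes the same winbindd path that FreeRADIUS's mschap module depends on (ntlm_auth) under a hard timeout, classifies each probe as ok, slow, hung or fail, and decides whether a restart is warranted, so a stuck winbindd shows up in a log line rather than as silent EAP timeouts. Everything configurable is an assumption: the SLOW_SECS/HUNG_SECS thresholds, the WINBIND_DOMAIN/PROBE_USER/PROBE_PASS environment variables, the systemd unit names winbind and smb, and the use of GNU coreutils timeout (exit status 124 on expiry). Note also that ntlm_auth with --password performs a plaintext check through winbindd, which exercises the same daemon but is not the challenge/response exchange FreeRADIUS itself sends.

```shell
#!/bin/bash
# winbind_probe.sh: added example, not from the thread or from Samba/FreeRADIUS.
# Probes winbindd (the daemon FreeRADIUS's mschap module relies on via ntlm_auth)
# and reports whether it is answering, slow (DC failover in progress) or hung.

# Binaries are overridable so the decision logic can be exercised without a domain.
WBINFO="${WBINFO:-wbinfo}"
NTLM_AUTH="${NTLM_AUTH:-ntlm_auth}"
TIMEOUT_BIN="${TIMEOUT_BIN:-timeout}"   # assumed: GNU coreutils timeout (exit 124)

# Thresholds in seconds (assumed values; tune to your NAS retransmit/EAP timeouts:
# a probe slower than SLOW_SECS is already costing clients, HUNG_SECS is a hang).
SLOW_SECS="${SLOW_SECS:-3}"
HUNG_SECS="${HUNG_SECS:-20}"

# classify_probe STATUS ELAPSED -> prints one of: ok slow hung fail
classify_probe() {
    local status="$1" elapsed="$2"
    if [ "$status" -eq 124 ]; then
        echo hung                        # timeout expired: winbindd never answered
    elif [ "$status" -ne 0 ]; then
        echo fail                        # answered, but with an error (bad creds, no trust, ...)
    elif [ "$elapsed" -ge "$SLOW_SECS" ]; then
        echo slow                        # answered, but too slowly to be useful for EAP
    else
        echo ok
    fi
}

# run_probe NAME CMD... -> prints "NAME verdict <elapsed>s status=<n>"
run_probe() {
    local name="$1"; shift
    local start end status elapsed verdict
    start=$(date +%s)
    # && ... || keeps a failing probe from tripping set -e in the caller.
    "$TIMEOUT_BIN" "$HUNG_SECS" "$@" >/dev/null 2>&1 && status=0 || status=$?
    end=$(date +%s)
    elapsed=$((end - start))
    verdict=$(classify_probe "$status" "$elapsed")
    printf '%s %s %ss status=%s\n' "$name" "$verdict" "$elapsed" "$status"
}

# decide_action VERDICT... -> restart|alert|none
# Any hung probe means winbindd is wedged (the symptom in the thread) and a
# restart is the only known remedy; slow/fail is worth an alert but not a restart,
# since a failing auth probe may just be a bad probe account or a DC in failover.
decide_action() {
    local action=none v
    for v in "$@"; do
        case "$v" in
            hung) action=restart; break ;;
            slow|fail) action=alert ;;
        esac
    done
    echo "$action"
}

main() {
    # Assumed environment: a dedicated, low-privilege probe account. The password
    # is visible in the process list while ntlm_auth runs, so never reuse a real user.
    : "${WINBIND_DOMAIN:?set WINBIND_DOMAIN}" "${PROBE_USER:?set PROBE_USER}" "${PROBE_PASS:?set PROBE_PASS}"
    local ping trust auth action
    ping=$(run_probe winbindd-ping "$WBINFO" -p)     # is winbindd itself alive?
    trust=$(run_probe dc-trust "$WBINFO" -t)        # can it reach a DC and verify the trust secret?
    auth=$(run_probe ntlm-auth "$NTLM_AUTH" --request-nt-key \
        --domain="$WINBIND_DOMAIN" --username="$PROBE_USER" --password="$PROBE_PASS")
    printf '%s\n%s\n%s\n' "$ping" "$trust" "$auth"
    action=$(decide_action $(printf '%s\n' "$ping" "$trust" "$auth" | awk '{print $2}'))
    echo "action=$action"
    if [ "$action" = restart ] && [ "${AUTO_RESTART:-0}" = 1 ]; then
        # The remedy from the thread: restart both daemons (unit names are assumed).
        systemctl restart winbind smb
    fi
}

# Only run the probes when explicitly asked, so the file can also be sourced.
if [ "${1-}" = "--run" ]; then
    main
fi
```

Run it from cron or a systemd timer with `WINBIND_DOMAIN=EXAMPLE PROBE_USER=radprobe PROBE_PASS=... bash winbind_probe.sh --run`, and set `AUTO_RESTART=1` only once you trust the hung verdict on your setup; the elapsed-time column is the number that makes the slow-failover behaviour visible before clients start complaining.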