Multi-domain AD and Users Who Aren't So Bright
Phil Mayers
p.mayers at imperial.ac.uk
Thu Feb 2 15:09:30 CET 2012
On 02/02/2012 12:35 PM, McNutt, Justin M. wrote:
>
> We just finished a many-year span trying to get users to understand
> and use DOM\user. They don't get it, at least not consistently. A
Not unreasonably. It's a failure of the IT Industry to solve
credentials. Most attention gets paid to passwords, but usernames matter
too - the vast majority of users have difficulty distinguishing between
username and email address, and they're not interchangeable (because the
string is mixed into the challenge/response algorithms).
> ridiculously large number of phone calls to our Help Desk demonstrate
> this, not to mention the "Login incorrect" messages from FR. (I
> built all of my "fix it" stanzas based on actual failed login
> attempts by users.)
The other "option" is a single-domain environment. I've no idea of the
size of your site, but we do this. It removes a lot of hassle.
Obviously, that's probably not a sensible option for you; the disruption
of a move would be enormous!
>
> In practice, the "wbinfo" method caused... problems. We aren't
> exactly sure what it broke, but the test FR server would stop
> authenticating altogether. When winbind was restarted, it would
> complain "Cannot find KDC for this domain," which usually means it
> needs to be removed and re-joined to AD. But even that didn't
> *quite* fix it. After re-joining and waiting a few minutes, the
> problem would go away. (Likely, there's some AD policy that was
> violated that temporarily locked the "resource" account that Samba
> and/or FR use for authenticating *themselves* to AD that had to
> expire.)
Yeah, we've seen similar things. It's a real shame the user/group
database stuff in winbind isn't reliable.
We've also seen winbind drop out of the domain for no readily apparent
reason.
Winbind is also REALLY bad at detecting domain controller failure; it
keeps the TCP connection to the chosen DC open, and can take 30 seconds
or more to detect failures, and only *then* performs DC re-discovery.
Sigh...
Unfortunately, I don't have the time to chase the underlying problems
and report them to the Samba guys.
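The two technical points the thread circles (the username string is an input to the challenge/response, so "user" and "user@domain" are not the same login; and the only practical front-end fix is to normalise the forms users actually type, refusing rather than guessing the rest) as one added example. This is not code from the thread, from FreeRADIUS or from Samba; the domain names, alias table, DEFAULT_DOMAIN rule and challenge bytes are constructed for the demonstration, and the hash is the RFC 2759 section 8.2 MS-CHAPv2 ChallengeHash, which is where the username enters the MS-CHAPv2 exchange.

```python
"""
Added example; not code from the thread, FreeRADIUS or Samba.  Domain names,
challenges and login strings are constructed for the demonstration.

  1. RFC 2759 section 8.2 mixes the username into the MS-CHAPv2 challenge,
     so "jsmith", "CAMPUS\\jsmith" and "jsmith@campus.example.ac.uk" are
     cryptographically different logins unless both ends strip them alike;
  2. a RADIUS front end can therefore only help by normalising the forms
     users actually type, and should refuse, not guess, what it cannot parse.
"""
from __future__ import annotations

import hashlib
import re
from typing import Optional

# Constructed alias table: what users type after '@' or before '\' -> the
# NetBIOS domain the DC knows.  A real site derives this from its trust
# configuration plus the failed-login forms seen in the logs.
DOMAIN_ALIASES = {
    "campus": "CAMPUS",
    "campus.example.ac.uk": "CAMPUS",
    "med": "MED",
    "med.example.ac.uk": "MED",
}
DEFAULT_DOMAIN = "CAMPUS"   # assumption: a bare username belongs to one well-known domain

_DOM_USER = re.compile(r"([^\\/@\s]+)[\\/]([^\\/@\s]+)")  # DOM\user or DOM/user
_USER_AT_DOM = re.compile(r"([^\\/@\s]+)@([^\\/@\s]+)")   # user@dom or user@dom.example
_BARE = re.compile(r"[^\\/@\s]+")                         # user


def normalise(raw: str) -> tuple[str, str]:
    """Map a typed login to (NETBIOS_DOMAIN, user); raise ValueError otherwise."""
    s = raw.strip()
    if m := _DOM_USER.fullmatch(s):
        dom, user = m.group(1), m.group(2)
    elif m := _USER_AT_DOM.fullmatch(s):
        user, dom = m.group(1), m.group(2)
    elif _BARE.fullmatch(s):
        return DEFAULT_DOMAIN, s
    else:
        raise ValueError(f"unrecognised login form {raw!r}")
    netbios = DOMAIN_ALIASES.get(dom.lower())
    if netbios is None:
        # Unknown domain: refusing gives a clear log line instead of another
        # mysterious 'Login incorrect' produced by a guessed rewrite.
        raise ValueError(f"unknown domain {dom!r} in {raw!r}")
    return netbios, user


def classify_logins(raw_logins: list[str]) -> dict[str, Optional[tuple[str, str]]]:
    """Run normalise() over observed login strings; None marks the forms that
    still need a rule (the thread's 'fix it' stanzas were built this way)."""
    out: dict[str, Optional[tuple[str, str]]] = {}
    for raw in raw_logins:
        try:
            out[raw] = normalise(raw)
        except ValueError:
            out[raw] = None
    return out


def mschapv2_challenge(peer_challenge: bytes, authenticator_challenge: bytes, username: str) -> bytes:
    """RFC 2759 section 8.2 ChallengeHash: SHA-1 over PeerChallenge ||
    AuthenticatorChallenge || UserName, truncated to 8 octets.  The RFC uses
    the name as presented by the peer minus any prepended domain; the
    authenticator must feed exactly the same octets or the NT-Response built
    on this challenge can never verify."""
    if len(peer_challenge) != 16 or len(authenticator_challenge) != 16:
        raise ValueError("MS-CHAPv2 challenges are 16 octets")
    h = hashlib.sha1()
    h.update(peer_challenge)
    h.update(authenticator_challenge)
    h.update(username.encode("utf-8"))
    return h.digest()[:8]


# Constructed challenges, fixed so the run is reproducible.
PEER_CHALLENGE = bytes(range(16))
AUTH_CHALLENGE = bytes(range(16, 32))


def challenges_agree(peer_typed: str, server_name: str) -> bool:
    """True when the challenge the peer derived from the string it used equals
    the one the server derives from the name it uses."""
    return mschapv2_challenge(PEER_CHALLENGE, AUTH_CHALLENGE, peer_typed) == \
        mschapv2_challenge(PEER_CHALLENGE, AUTH_CHALLENGE, server_name)


if __name__ == "__main__":
    observed = ["jsmith", "CAMPUS\\jsmith", "jsmith@campus.example.ac.uk",
                "JSmith@MED", "jsmith@elsewhere.org", "CAMPUS\\jsmith@campus"]
    for raw, result in classify_logins(observed).items():
        print(f"{raw:30} -> {result if result else 'REJECT: needs a rule or a help-desk call'}")
    # Same account, different strings hashed: the challenges differ.
    print("jsmith vs CAMPUS\\jsmith agree:", challenges_agree("jsmith", "CAMPUS\\jsmith"))
    # Once both sides strip the domain the same way, they agree again.
    print("normalised agree:", challenges_agree("jsmith", normalise("CAMPUS\\jsmith")[1]))
```

The alias table is deliberately closed: a login whose domain part is not listed is rejected and logged, so every new form the help desk hears about becomes one new entry rather than a silent, wrong rewrite into another domain's account.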
More information about the Freeradius-Users mailing list