Degradation of service when authentication fails with Windows AD

Phil Mayers p.mayers at imperial.ac.uk
Thu Feb 7 12:58:43 CET 2013


On 07/02/13 09:51, Antonio Alberola wrote:
>> The PAM APIs are synchronous, and don't offer timeout options.
>> It's not possible to timeout a PAM call; FreeRADIUS is entirely
>> at the mercy of PAM.
>>
>> Don't use PAM, it's not suitable for your needs. Use "ntlm_auth",
>> and FreeRADIUS can timeout the call.
>
> We migrated to PAM when the problems started. Previously we used "ntlm_auth"
> and the problem appeared more frequently. I also recommended using
> PAM-Kerberos because they said it was better integrated with Windows.
> Is "ntlm_auth" the best way to authenticate with Windows AD? We have several
> domains to authenticate and need stability in case one of them does not
> respond.

The problem is, you're being way too vague and imprecise.

If you can describe the problem you're having, in correct terminology, 
people might be able to make a suggestion. Be specific, about the 
issues, the architecture you have, what you're trying to achieve, and so on.

From what you've described so far, it sounds like you are losing 
connectivity to one or more AD controllers, which is causing PAM to hang 
(waiting for a Kerberos reply) or Samba/ntlm_auth to hang (waiting for 
an RPC reply).

It should be obvious what the solution is - reliable connectivity to a 
reliable AD controller.
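
The distinction drawn above (a synchronous PAM call that cannot be interrupted versus an external ntlm_auth process that FreeRADIUS can kill when it overruns a deadline) is easy to see in code. The following is an added example, not code from the thread or from the FreeRADIUS project: it routes a DOMAIN\user login to a per-domain helper command, runs that helper with a hard timeout, and turns a hang into a fast reject instead of a stuck worker. The ntlm_auth flags in `ntlm_auth_command` are Samba's real ones (the same set the FreeRADIUS mschap module passes for MS-CHAPv2), but the domain names and the stand-in helper commands in `STAND_IN_HELPERS` are constructed so the script runs offline without a domain controller.

```python
"""Bounded external authentication helper (the ntlm_auth model).

Added illustration, not part of the original thread. An in-process
synchronous API such as PAM gives the caller nothing to interrupt with,
so a silent domain controller stalls the worker for as long as the
underlying library waits. A child process can be killed at a deadline,
which is why FreeRADIUS can time out an ntlm_auth call but not a PAM one.
"""
import subprocess
import sys
from enum import Enum


class AuthResult(Enum):
    OK = "ok"            # helper exited 0: credentials accepted
    REJECT = "reject"    # helper exited non-zero: credentials refused
    TIMEOUT = "timeout"  # helper exceeded its deadline and was killed
    ERROR = "error"      # helper binary could not be started at all


def ntlm_auth_command(user, domain, challenge_hex, nt_response_hex):
    """Build the ntlm_auth argv used for MS-CHAPv2 against Samba winbind.

    These flags are Samba's documented ntlm_auth options. The command is
    returned as an argv list so the values are never interpreted by a
    shell, whatever characters the peer put in the user name.
    """
    return [
        "ntlm_auth",
        "--request-nt-key",
        f"--username={user}",
        f"--domain={domain}",
        f"--challenge={challenge_hex}",
        f"--nt-response={nt_response_hex}",
    ]


def run_helper(argv, timeout_s):
    """Run one helper with a hard deadline and map its exit to AuthResult.

    subprocess.run(timeout=...) kills the child and raises TimeoutExpired
    once the deadline passes. That kill is the capability a synchronous
    PAM conversation lacks.
    """
    try:
        proc = subprocess.run(argv, capture_output=True, text=True,
                              timeout=timeout_s)
    except subprocess.TimeoutExpired:
        return AuthResult.TIMEOUT
    except OSError:
        return AuthResult.ERROR
    return AuthResult.OK if proc.returncode == 0 else AuthResult.REJECT


def authenticate(login, helpers, timeout_s=2.0):
    """Route 'DOMAIN\\user' to that domain's helper and run it bounded.

    helpers maps a domain name to a callable that, given the bare user
    name, returns the argv to execute. A domain whose controller has gone
    quiet now costs at most timeout_s per request, and requests for the
    other domains are unaffected by it.
    """
    domain, sep, user = login.partition("\\")
    if not sep or domain not in helpers:
        return AuthResult.REJECT  # unknown or missing domain: refuse, don't guess
    return run_helper(helpers[domain](user), timeout_s)


# Constructed stand-ins for ntlm_auth so the example runs offline (assumed
# names, not real domains): a controller that says yes, one that says no,
# and one that never answers.
STAND_IN_HELPERS = {
    "CORP": lambda user: [sys.executable, "-c", "import sys; sys.exit(0)"],
    "LAB": lambda user: [sys.executable, "-c", "import sys; sys.exit(1)"],
    "BRANCH": lambda user: [sys.executable, "-c", "import time; time.sleep(30)"],
}


if __name__ == "__main__":
    for login in ("CORP\\alice", "LAB\\bob", "BRANCH\\carol", "nodomain"):
        print(f"{login:14s} -> {authenticate(login, STAND_IN_HELPERS, timeout_s=1.0).value}")
    print(" ".join(ntlm_auth_command("alice", "CORP", "0011223344556677", "00" * 24)))
```

In a real deployment the timeout value is a trade-off: long enough to cover a healthy controller's worst-case round trip, short enough that a dead one does not exhaust the RADIUS server's worker threads before the NAS gives up on the request.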


More information about the Freeradius-Users mailing list