Degradation of service when authentication fails with Windows AD

Antonio Alberola aalberola at gtt.es
Mon Feb 11 12:23:41 CET 2013


> If you can describe the problem you're having, in correct terminology,
> people might be able to make a suggestion. Be specific, about the
> issues, the architecture you have, what you're trying to achieve, and so
on.
> 

Sorry, I will try to explain the problem better.

I have a mail server where users are validated with local accounts (UNIX) or
against a Windows AD. For this reason we use Radius. Sometimes the Radius
server fails and stops authentication for everybody. In that point the logs
that I sent to you appear. I need to restart Radius in order to it works
again.

> From what you've described so far, it sounds like you are losing
> connectivity to one or more AD controllers, which is causing PAM
> to hang (waiting for a Kerberos reply) or Samba/ntlm_auth to hang
> (waiting for an RPC reply).
> 
> It should be obvious what the solution is - reliable connectivity to a
reliable AD controller.

When we monitored the network and one of the Windows AD we could confirm
that requests from Radius don't reach the AD, because they don't leave
Radius. We believe that connectivity between Radius and AD is correct, they
are on the same LAN and the AD continues to validate correctly even when
Radius is failing.

>From my point of view, for any reason, Radius receives requests that it can
not manage, because of the AD, the network or whatever. These requests keep
waiting and the buffer fills completly. I don't know why these requests are
not removed from the queue and the buffer is cleared in order to allow new
request. In this way we could avoid that request to the rest of the AD fail
because of a particular AD.



More information about the Freeradius-Users mailing list