Kerberos - Radius does not get password

Khapare Joshi khapare77 at gmail.com
Mon Jan 7 17:49:14 CET 2013


Hello

I have been having a problem as listed in this bug list:

https://bugzilla.samba.org/show_bug.cgi?id=6563#c59

I know of at least a few universities having a similar issue that ended up
restarting winbind - that resolved the issue. I am not sure which version of
samba+winbind you are using?

Also, I am just thinking, is there a way to configure both kerberos (which
works with TTLS-PAP) and EAP-PEAP with MSCHAPv2? If it is possible I can
support both TTLS via kerberos and PEAP-MSCHAP with Active Directory
(winbind and samba). This way I can continue to support older clients (XP,
Win7), and for the rest that are supported I can enforce TTLS-PAP with
kerberos. It would be great if you could direct me down the right road.

However, in my environment there is currently only one domain controller -
I am not sure about that 90+ seconds failover thing. But I do realize that
there is a timeout somewhere in winbind - it disconnects from the AD, which I
believe is the problem. Perhaps when it disconnects from AD it needs those
90 seconds to reconnect, and at the same time radius gets a lot of requests -
probably winbind hangs, or it is waiting to reconnect.


K

On Sat, Dec 29, 2012 at 12:32 PM, Phil Mayers <p.mayers at imperial.ac.uk> wrote:

> On 12/28/2012 10:41 PM, Alan Buxey wrote:
>
>> Hmm, having run FR with AD authentication using winbindd and samba for
>> many many years I am interested in what problems with those daemons you
>> were having ... why need the frequent restarts etc.  eduroam certainly
>> wouldn't have had the high take-up we've seen in eg Europe if all sites
>> had to reengineer their backend authentication and couldn't use
>> PEAP/MSCHAPv2
>>
>
> In fairness, we've seen the occasional problem, though very rarely, that
> has required a restart of winbind.
>
> I have the impression that winbind is extremely (and I do mean extremely)
> sensitive to certain aspects of an AD configuration, such as your domain
> "level", version of domain controllers, group policy mandating SMB
> sign/seal, and so forth. So there are a lot of variables in there. Maybe
> academic sites trend towards a config that's more forgiving?
>
> Winbind also only ever talks to one domain controller at a time, and takes
> an age to failover (90+ seconds) if that DC goes away. On a couple of
> occasions, the problems we've had have followed a DC being taken out of
> service, and have necessitated a restart of both smbd and winbindd -
> winbind just seems to hang. But on other occasions, it hasn't been a
> problem - weird.
>
> I also suspect it's *highly* dependent on the Samba version. Many people
> just run the packaged OS version, and these are often older 3.x releases
> that don't play well with their combination of features.
>
> Just to repeat: the problems we've had are rare. But software is usually
> fairly deterministic and I guess if other people experience the triggers
> more often, they'll have the problems more often.
>
> If I had the time, I'd engage in some serious resilience testing of a
> samba/winbind config as used for MSCHAP and try and identify the cause (and
> open some bugs) and any mitigations. But I don't :o(
>
> Unfortunately, if you run AD and have significant numbers of Windows
> clients, you don't really have any choice but to use MSCHAP, and thus
> samba/winbind, IMO.
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
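The question above (one FreeRADIUS serving TTLS-PAP against Kerberos and PEAP-MSCHAPv2 against AD via winbind) can be answered with a single inner-tunnel virtual server that routes on what the inner request carries. The fragment below is an added example, not configuration posted by anyone in this thread; it assumes FreeRADIUS 2.x layout (eap.conf, modules/krb5, modules/mschap, sites-available/inner-tunnel), the stock module instance names `krb5`, `mschap` and `eap`, and uses placeholder paths and principal names that must be replaced.

```text
# ---- eap.conf (added example; certificate paths are placeholders) ----
eap {
	default_eap_type = peap
	tls {
		private_key_file = /PLACEHOLDER/certs/server.pem
		certificate_file = /PLACEHOLDER/certs/server.pem
		CA_file = /PLACEHOLDER/certs/ca.pem
	}
	# Both outer methods hand the inner request to the same virtual server.
	ttls {
		virtual_server = "inner-tunnel"
	}
	peap {
		default_eap_type = mschapv2
		virtual_server = "inner-tunnel"
	}
}

# ---- modules/krb5 (added example; principal is a placeholder) ----
krb5 {
	keytab = /PLACEHOLDER/radius.keytab
	service_principal = radius/radius.example.edu
}

# ---- modules/mschap: MSCHAPv2 is verified by winbind's ntlm_auth ----
mschap {
	with_ntdomain_hack = yes
	ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
}

# ---- sites-available/inner-tunnel ----
server inner-tunnel {
	authorize {
		# mschap sees MS-CHAP attributes (PEAP/MSCHAPv2) and sets Auth-Type := MS-CHAP
		mschap
		# eap handles the inner EAP-MSCHAPv2 conversation for PEAP
		eap
		# A cleartext User-Password only arrives from TTLS/PAP: send it to Kerberos,
		# so it never touches winbind at all.
		if (User-Password) {
			update control {
				Auth-Type := Kerberos
			}
		}
	}
	authenticate {
		Auth-Type MS-CHAP {
			mschap
		}
		Auth-Type Kerberos {
			krb5
		}
		eap
	}
}
```

With this split, a winbind hang of the kind discussed in the thread only affects PEAP/MSCHAPv2 clients; TTLS-PAP users keep authenticating because their path depends on the KDC and not on winbind. Run `radiusd -X` during a test from each client type and confirm the inner request takes the expected Auth-Type before rolling the change out.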