redundant-load-balance for AD ntlmauth

Phil Mayers p.mayers at imperial.ac.uk
Mon May 6 15:24:58 CEST 2013


On 04/29/2013 11:03 PM, FreeRadius List wrote:
> Thank you I'll check with the samba people and get a better
> understanding of how ntlm_auth works.

(Sorry for the late reply)

The short version here is: badly.

ntlm_auth talks to winbind. Winbind maintains a single long-lived 
connection to a single AD controller.

It can take anything up to 60 seconds for winbind to realise this 
connection has gone down, during which time all ntlm_auth will hang or 
fail. This has caused us problems on a number of occasions.

So in fact, your approach is interesting to me; have you tested it e.g. 
by using iptables/ipfw to block access to an AD controller and seeing if 
it fails over?
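
An added example, not part of the original post and not FreeRADIUS or Samba code: a probe for measuring, during the failover test suggested above, how long checks against winbind hang or fail. It assumes Samba's `wbinfo --ping-dc` as the check; the function names, the 5-second timeout and the 180-second run are illustrative choices.

```python
import subprocess
import time

# Assumption: Samba's `wbinfo --ping-dc` asks winbind to check its DC connection.
DEFAULT_PROBE = ["wbinfo", "--ping-dc"]

def probe(cmd=DEFAULT_PROBE, timeout=5.0):
    """Classify one check as 'ok', 'fail' (error exit) or 'hang' (no answer in time)."""
    try:
        rc = subprocess.run(cmd, stdout=subprocess.DEVNULL,
                            stderr=subprocess.DEVNULL, timeout=timeout).returncode
    except subprocess.TimeoutExpired:
        return "hang"          # child is killed by subprocess.run on timeout
    except OSError:
        return "fail"          # probe binary missing or not executable
    return "ok" if rc == 0 else "fail"

def longest_outage(samples):
    """Longest run of non-'ok' samples, in seconds, from (timestamp, state) pairs."""
    worst, start = 0.0, None
    for ts, state in samples:
        if state != "ok" and start is None:
            start = ts
        elif state == "ok" and start is not None:
            worst, start = max(worst, ts - start), None
    if start is not None:      # still down when sampling stopped
        worst = max(worst, samples[-1][0] - start)
    return worst

def watch(duration, interval=1.0, cmd=DEFAULT_PROBE, timeout=5.0):
    """Probe repeatedly for `duration` seconds; timestamps mark when each probe began."""
    samples, end = [], time.monotonic() + duration
    while time.monotonic() < end:
        began = time.monotonic()
        samples.append((began, probe(cmd, timeout)))
        time.sleep(interval)
    return samples

if __name__ == "__main__":
    # Start this, block access to the current AD controller, wait for recovery.
    timeline = watch(duration=180)
    print("longest outage: %.1f s" % longest_outage(timeline))
```

The reported figure can be compared with the "up to 60 seconds" described in the message.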

