redundant-load-balance for AD ntlmauth
Phil Mayers
p.mayers at imperial.ac.uk
Mon May 6 15:24:58 CEST 2013
On 04/29/2013 11:03 PM, FreeRadius List wrote:
> Thank you I'll check with the samba people and get a better
> understanding of how ntlm_auth works.
(Sorry for the late reply)
The short version here is: badly.
ntlm_auth talks to winbind. Winbind maintains a single long-lived
connection to a single AD controller.
It can take anything up to 60 seconds for winbind to realise this
connection has gone down, during which time all ntlm_auth will hang or
fail. This has caused us problems on a number of occasions.
So in fact, your approach is interesting to me; have you tested it e.g.
by using iptables/ipfw to block access to an AD controller and seeing if
it fails over?
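
The failover test asked about above can be timed with a small probe loop. This is an added example, not part of the original post: it assumes Samba's `wbinfo --ping-dc` and coreutils `timeout` are installed, and the function names and the `PROBE_INTERVAL` variable are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): watch winbind's link to its
# domain controller while one controller is deliberately blocked, to see how
# long probes hang or fail before winbind moves to another controller.
# Assumptions: wbinfo (Samba) and timeout (coreutils) are on PATH.

# probe_winbind LIMIT_SECONDS [COMMAND...]
# Runs COMMAND (default: wbinfo --ping-dc) under a time limit.
# Prints ok, fail or hang; returns 0 only for ok.
probe_winbind() {
    limit=$1
    shift
    [ $# -gt 0 ] || set -- wbinfo --ping-dc
    rc=0
    timeout "$limit" "$@" >/dev/null 2>&1 || rc=$?
    case $rc in
        0)           echo ok;   return 0 ;;
        124|137|143) echo hang; return 2 ;;  # time limit hit, probe was killed
        *)           echo fail; return 1 ;;  # probe answered with an error
    esac
}

# count_failed_probes SAMPLES LIMIT_SECONDS [COMMAND...]
# Probes SAMPLES times, PROBE_INTERVAL seconds apart (default 1), logs each
# result with a Unix timestamp on stderr, and prints the number of probes
# that did not return ok.
count_failed_probes() {
    samples=$1
    limit=$2
    shift 2
    bad=0
    i=0
    while [ "$i" -lt "$samples" ]; do
        state=$(probe_winbind "$limit" "$@") || bad=$((bad + 1))
        printf '%s probe=%s\n' "$(date +%s)" "$state" >&2
        i=$((i + 1))
        sleep "${PROBE_INTERVAL:-1}"
    done
    echo "$bad"
}

# Typical use during a failover test: 120 probes, 5 second limit each.
#   count_failed_probes 120 5
```

The timestamps on stderr show when probes start hanging and when they recover, which is the window during which ntlm_auth requests are affected.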