redundant-load-balance for AD ntlmauth

John Douglass john.douglass at oit.gatech.edu
Mon May 6 15:40:40 CEST 2013 

On 5/6/2013 9:24 AM, Phil Mayers wrote:
> On 04/29/2013 11:03 PM, FreeRadius List wrote:
>> Thank you I'll check with the samba people and get a better
>> understanding of how ntlm_auth works.#
>
> (Sorry for the late reply)
>
> The short version here is: badly.
>
> ntlm_auth talks to winbind. Winbind maintains a single long-lived 
> connection to a single AD controller.
>
> It can take anything up to 60 seconds for winbind to realise this 
> connection has gone down, during which time all ntlm_auth will hang or 
> fail. This has caused us problems on a number of occasions.
>
> So in fact, your approach is interesting to me; have you tested it 
> e.g. by using iptables/ipfw to block access to an AD controller and 
> seeing if it fails over?
> -
> List info/subscribe/unsubscribe? See 
> http://www.freeradius.org/list/users.html

I wrote a script that does an eapol_test every minute. If it fails, it 
immediately tries twice more. If THAT fails, then I restart winbind, 
restart radius, and things continue on their happy way.

Imperfect, yes. But for us it works well enough for us. You'll have to 
tweak out the parts that aren't included but it should be a quick and 
dirty hack up if you want to use something similar.

#!/usr/local/bin/php
<?
require_once("Syslog.class");
require_once("LAWN_Config.class");
require_once('SNACKS_Notify.php');

$log = new Syslog("checkWpaRadius");
$config = new LAWN_Config();

$pid_file = "/var/run/radiusd.pid";

$pid = @file_get_contents($pid_file);

function radiusRespondingToEap()
{
    $config = new LAWN_Config();
    // Radius is running, but now we need to determine if it is 
responding to queries
    $c = $config->eapol;
    $eapTestCmd = "{$c->bin} -c {$c->config} -a {$c->server} -p 
{$c->port} -s {$c->secret} -t {$c->timeout}";
    $output = `$eapTestCmd`;
    $stuff = explode("\n",trim($output));
    $result = array_pop($stuff);
    if($result == "SUCCESS")
       return TRUE;
    else
       return FALSE;
    exit();
}

if (($pid !== FALSE) && posix_kill(trim($pid),0))
{
    $i = 0;
    while(1)
    {
       $i++;
       if(radiusRespondingToEap())
       {
          $message = "Radius is responding to EAP requests.";
          $log->log($message,"INFO");
          break;
       }
       else
       {
          $message = "Radius is not responding to EAP requests! Attempt: 
$i";
          $log->log($message,"ERR");
          if($i >= $config->eapol->retries)
          {
             $message = "Reached maximum number of retries 
({$config->eapol->retries}). Attempting to restart radius!";
             $log->log($message,"CRIT");
             print("$message\n");

             SNACKS_Notify::sendErrorMail("LAWN: WPA Radius not 
responding", $message."\n\n");

             `/etc/init.d/winbind stop`;
             `/etc/init.d/radiusd stop`;
             sleep(3);
             `/etc/init.d/winbind start`;
             sleep(1);
             `/etc/init.d/radiusd start`;
             break;
          }
          else
          {
             sleep(5);
          }
       }
    }
}
else
{
    $log->log("Radius is NOT running. Restarting!","CRIT");
    SNACKS_Notify::sendErrorMail("LAWN: WPA Radius not running", 
'Restarting radius!');
   `/etc/init.d/radiusd restart`;
}

More information about the Freeradius-Users mailing list