redundant-load-balance for AD ntlmauth
Phil Mayers
p.mayers at imperial.ac.uk
Mon May 6 18:25:17 CEST 2013
On 06/05/2013 14:40, John Douglass wrote:
>> ntlm_auth talks to winbind. Winbind maintains a single long-lived
>> connection to a single AD controller.
>>
>> It can take anything up to 60 seconds for winbind to realise this
>> connection has gone down, during which time all ntlm_auth will hang or
>> fail. This has caused us problems on a number of occasions.
>>
>> So in fact, your approach is interesting to me; have you tested it
>> e.g. by using iptables/ipfw to block access to an AD controller and
>> seeing if it fails over?
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
>
> I wrote a script that does an eapol_test every minute. If it fails, it
> immediately tries twice more. If THAT fails, then I restart winbind,
> restart radius, and things continue on their happy way.
That'll work too, although I wonder why you're not just calling ntlm_auth?
More information about the Freeradius-Users
mailing list