Active Directory group check via winbind + rlm_unix, not LDAP

matsimon.lists at matsimon.lists at
Mon Sep 1 14:02:52 CEST 2014


On 01.09.2014 13:42, A.L.M.Buxey at wrote:

>> am not sure about this) provides redundancy because the group membership
>> comes from the domain controller, which is found using DNS lookups --
>> if a controller goes down then another (hopefully) takes its place and
>> winbindd will be able to find it with no configuration changes.
> no. it rarely falls over nicely to the next server. winbindd is rubbish
> (i know, we use it)

Which I unfortunately have to confirm: it fails over neither quickly nor
that nicely, it may take its time to fail over, which might take enough
time for the user to get an authentication error...

Usually an LDAP lookup for the group membership is very quick and can be
(even though AD's LDAP isn't one of the fastest LDAP servers)

-- Mathieu
