Instrumentation for monitoring ntlm_auths against domain controllers

Paul Seward Paul.Seward at
Wed Oct 19 13:49:44 CEST 2016

Hi all,

Apologies if this isn't directly on-topic, but there are a lot of people on
this mailing list who are familiar with what I want to achieve, and may be
able to point me in the right direction.  I'm happy to field off-list
replies if that's more appropriate.

We're running freeradius 3.0.12, samba/winbind 4.2.10 on CentOS 7.2.  We're
quite cheerfully authenticating our users against AD using
the winbind_username/winbind_domain parameters in the mschap module, which
is a reasonably common configuration and generally works well for us (and
has noticeably less overhead than the traditional ntlm_auth mechanism).

Yesterday, we saw a spike in authentication latency that was big enough to
cause an impact to users on our wireless network, and we're trying to do
some root cause analysis.

We have a nagios check in place which uses ntlm_auth to do a test
authentication against the domain, and that showed a corresponding spike in
latency - which points the finger at AD in general, but doesn't give us
useful data to pass to our windows team as it's not easy to pin down which
domain controller(s) the radius servers were talking to at the time.

What I'd like to do is put some instrumentation in place that would allow
our monitoring server to fire ntlm_auths at a specified domain controller
(rather than whichever one winbind happens to have connected to) so that we
can monitor latency to all of them, and use the resulting graphs to
pinpoint any that are underperforming.

I can't see an obvious way to make that happen, so if anyone has any
pointers we'd really appreciate it!

Paul Seward,    Senior Systems Administrator,    University of Bristol
Paul.Seward at  +44 (0)117 39 41148    GPG Key ID: E24DA8A2
GPG Fingerprint:    7210 4E4A B5FC 7D9C 39F8  5C3C 6759 3937 E24D A8A2
