Hello, I have been having the problem listed in this bug report:
https://bugzilla.samba.org/show_bug.cgi?id=6563#c59

I know of at least a few universities having a similar issue, and they ended up restarting winbind, which resolves the issue. I am not sure which version of samba+winbind you are using?

Also, I am just thinking: is there a way to configure both Kerberos (which works with TTLS/PAP) and EAP-PEAP with MSCHAPv2? If it is possible, I can support both TTLS via Kerberos and PEAP-MSCHAP with Active Directory (winbind and samba). This way I can continue to support older $$$client XP and Win7, and for the rest that are supported I can enforce TTLS-PAP with Kerberos. It would be great if you could direct me down the right road.

However, in my environment there is currently only one domain controller, so I am not sure about that 90+ seconds failover thing. But I do realize that there is a timeout somewhere in winbind: it disconnects from the AD, which I believe is the problem. Perhaps when it disconnects from AD it needs those 90 seconds to reconnect, and at the same time radius gets a lot of requests; probably winbind hangs or etc., or it is waiting to reconnect.

K

On Sat, Dec 29, 2012 at 12:32 PM, Phil Mayers <[email protected]> wrote:
> On 12/28/2012 10:41 PM, Alan Buxey wrote:
>
>> Hmm, having run FR with AD authentication using winbindd and samba for
>> many many years I am interested in what problems with those daemons you
>> were having ... why need the frequent restarts etc. eduroam certainly
>> wouldn't have had the high take-up we've seen in eg Europe if all sites
>> had to reengineer their backend authentication and couldn't use
>> PEAP/MSCHAPv2
>
> In fairness, we've seen the occasional problem, though very rarely, that
> has required a restart of winbind.
>
> I have the impression that winbind is extremely (and I do mean extremely)
> sensitive to certain aspects of an AD configuration, such as your domain
> "level", version of domain controllers, group policy mandating SMB
> sign/seal, and so forth. So there are a lot of variables in there. Maybe
> academic sites trend towards a config that's more forgiving?
>
> Winbind also only ever talks to one domain controller at a time, and takes
> an age to failover (90+ seconds) if that DC goes away. On a couple of
> occasions, the problems we've had have followed a DC being taken out of
> service, and have necessitated a restart of both smbd and winbindd -
> winbind just seems to hang. But on other occasions, it hasn't been a
> problem - weird.
>
> I also suspect it's *highly* dependent on the Samba version. Many people
> just run the packaged OS version, and these are often older 3.x releases
> that don't play well with their combination of features.
>
> Just to repeat: the problems we've had are rare. But software is usually
> fairly deterministic and I guess if other people experience the triggers
> more often, they'll have the problems more often.
>
> If I had the time, I'd engage in some serious resilience testing of a
> samba/winbind config as used for MSCHAP and try and identify the cause (and
> open some bugs) and any mitigations. But I don't :o(
>
> Unfortunately, if you run AD and have significant numbers of Windows
> clients, you don't really have any choice but to use MSCHAP, and thus
> samba/winbind, IMO.
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
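As an added example (not part of K's message or of Phil's reply, and not taken from the FreeRADIUS project's own raddb), here is one way the two-backend layout K asks about can be expressed in FreeRADIUS 2.x configuration: EAP-TTLS/PAP verified against the Kerberos KDC through rlm_krb5, and EAP-PEAP/MSCHAPv2 verified against Active Directory through Samba's ntlm_auth helper (winbind). Every path, the realm name EXAMPLE, the service principal, the certificate file names and the Auth-Type name `krb5` are placeholders chosen for this example; module file locations and some keyword spellings differ between 2.x (`modules/`) and 3.x (`mods-available/`), so compare against the installed raddb before use.

```unlang
# modules/krb5 (placeholder paths): Kerberos backend used for the PAP
# password carried inside the TTLS tunnel.
krb5 {
    keytab = /etc/freeradius/radius.keytab
    service_principal = radius/radius.example.edu
}

# modules/mschap: MSCHAPv2 verified by winbind via ntlm_auth. The
# request-nt-key option returns the NT key so MPPE keys can be derived.
mschap {
    use_mppe = yes
    require_encryption = yes
    require_strong = yes
    with_ntdomain_hack = yes
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --domain=%{%{mschap:NT-Domain}:-EXAMPLE} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
}

# eap.conf: both outer methods share one server certificate and hand the
# tunnelled request to the same inner virtual server.
eap {
    default_eap_type = peap
    tls {
        private_key_file = /etc/freeradius/certs/server.key
        certificate_file = /etc/freeradius/certs/server.pem
        CA_file = /etc/freeradius/certs/ca.pem
    }
    ttls {
        default_eap_type = mschapv2      # TTLS/PAP clients never use inner EAP anyway
        virtual_server = "inner-tunnel"
        copy_request_to_tunnel = no
        use_tunneled_reply = yes
    }
    peap {
        default_eap_type = mschapv2
        virtual_server = "inner-tunnel"
        use_tunneled_reply = yes
    }
}

# sites-available/inner-tunnel: pick the backend from what the inner
# request actually carries, so one server serves both client populations.
server inner-tunnel {
    authorize {
        # Sets Auth-Type := MS-CHAP when MS-CHAP-Challenge/Response are present.
        mschap
        # Inner EAP-MSCHAPv2 (PEAP); rlm_eap_mschapv2 calls the mschap module.
        eap {
            ok = return
        }
        # TTLS/PAP: a clear-text password is available, verify it against the KDC.
        if (User-Password) {
            update control {
                Auth-Type := krb5
            }
        }
    }
    authenticate {
        Auth-Type krb5 {
            krb5
        }
        Auth-Type MS-CHAP {
            mschap
        }
        eap
    }
}
```

The inner-tunnel server makes the decision, not the outer one: an MS-CHAP response (PEAP) goes to winbind, a User-Password (TTLS/PAP) goes to the KDC. That separation is also what limits the blast radius of the winbind hang Phil describes: a stuck winbindd stalls only the PEAP path, while TTLS/PAP clients keep authenticating against the KDC. Each backend can be checked on its own before pointing RADIUS at it: `kinit -k -t /etc/freeradius/radius.keytab radius/radius.example.edu` confirms the keytab, `wbinfo -t` confirms the machine trust with the domain, and `ntlm_auth --request-nt-key --domain=EXAMPLE --username=<testuser>` exercises exactly the helper the mschap module will call.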

