On 11/02/13 11:23, Antonio Alberola wrote:
When we monitored the network and one of the Windows AD we could confirm
that requests from Radius don't reach the AD, because they don't leave
Radius. We believe that connectivity between Radius and AD is correct, they
are on the same LAN and the AD continues to validate correctly even when
Radius is failing.
Let me put this as simply as possible, but I'm getting tired of
repeating myself:
Do not use PAM. PAM APIs are blocking. If PAM or an underlying module
hangs, the thread in FreeRADIUS will hang. If you keep receiving
authentication requests, eventually the entire thread pool will be blocked.
Do not use PAM.
Is this clear?
From my point of view, for any reason, Radius receives requests that it can
not manage, because of the AD, the network or whatever. These requests keep
waiting and the buffer fills completly. I don't know why these requests are
not removed from the queue and the buffer is cleared in order to allow new
request. In this way we could avoid that request to the rest of the AD fail
because of a particular AD.
Because FreeRADIUS doesn't work that way. It uses a thread pool (of
finite size) to process requests in a blocking fashion. If the API or
intermediate system it calls blocks forever, FreeRADIUS blocks forever,
and if you keep receiving requests, eventually your entire thread pool
will be exhausted.
FreeRADIUS cannot timeout synchronous C API calls. This is impossible to
do safely in POSIX.
Is this clear?
Only a few FreeRADIUS modules can "timeout" requests. The "exec" module
(and functionality built on top of it) is one of them.
Therefore, you should be using "exec" wrapping "ntlm_auth" from Samba.
Unfortunately, the "exec" timeout is hard-coded in the source at 10
seconds. Therefore, depending on your load, you might still suffer
thread pool exhaustion. But it will self-correct, because the requests
will eventually time out.
I hope I had made myself clear.
Regards,
Phil
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
