On 5/6/2013 9:24 AM, Phil Mayers wrote:
On 04/29/2013 11:03 PM, FreeRadius List wrote:
Thank you, I'll check with the samba people and get a better
understanding of how ntlm_auth works.
(Sorry for the late reply)
The short version here is: badly.
ntlm_auth talks to winbind. Winbind maintains a single long-lived
connection to a single AD controller.
It can take anything up to 60 seconds for winbind to realise this
connection has gone down, during which time all ntlm_auth will hang or
fail. This has caused us problems on a number of occasions.
So in fact, your approach is interesting to me; have you tested it
e.g. by using iptables/ipfw to block access to an AD controller and
seeing if it fails over?
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
I wrote a script that does an eapol_test every minute. If it fails, it
immediately tries twice more. If THAT fails, then I restart winbind,
restart radius, and things continue on their happy way.
Imperfect, yes. But for us it works well enough. You'll have to
tweak out the parts that aren't included, but it should be a quick and
dirty hack-up if you want to use something similar.
#!/usr/local/bin/php
<?php
require_once("Syslog.class");
require_once("LAWN_Config.class");
require_once('SNACKS_Notify.php');

$log = new Syslog("checkWpaRadius");
$config = new LAWN_Config();
$pid_file = "/var/run/radiusd.pid";
$pid = @file_get_contents($pid_file);

function radiusRespondingToEap()
{
    $config = new LAWN_Config();
    // Radius is running, but now we need to determine if it is
    // responding to queries. Every argument is shell-escaped so a
    // secret or path containing shell metacharacters cannot break
    // (or inject into) the command line.
    $c = $config->eapol;
    $eapTestCmd = escapeshellcmd($c->bin)
        . " -c " . escapeshellarg($c->config)
        . " -a " . escapeshellarg($c->server)
        . " -p " . escapeshellarg($c->port)
        . " -s " . escapeshellarg($c->secret)
        . " -t " . escapeshellarg($c->timeout);
    $output = `$eapTestCmd`;
    // eapol_test prints SUCCESS or FAILURE as its last line
    $stuff = explode("\n", trim($output));
    $result = array_pop($stuff);
    return ($result == "SUCCESS");
}

if (($pid !== FALSE) && posix_kill((int) trim($pid), 0))
{
    $i = 0;
    while (1)
    {
        $i++;
        if (radiusRespondingToEap())
        {
            $message = "Radius is responding to EAP requests.";
            $log->log($message, "INFO");
            break;
        }
        else
        {
            $message = "Radius is not responding to EAP requests! Attempt: $i";
            $log->log($message, "ERR");
            if ($i >= $config->eapol->retries)
            {
                $message = "Reached maximum number of retries ({$config->eapol->retries}). Attempting to restart radius!";
                $log->log($message, "CRIT");
                print("$message\n");
                SNACKS_Notify::sendErrorMail("LAWN: WPA Radius not responding", $message . "\n\n");
                // winbind holds the AD connection, so it is restarted
                // before radiusd
                `/etc/init.d/winbind stop`;
                `/etc/init.d/radiusd stop`;
                sleep(3);
                `/etc/init.d/winbind start`;
                sleep(1);
                `/etc/init.d/radiusd start`;
                break;
            }
            else
            {
                sleep(5);
            }
        }
    }
}
else
{
    $log->log("Radius is NOT running. Restarting!", "CRIT");
    SNACKS_Notify::sendErrorMail("LAWN: WPA Radius not running", 'Restarting radius!');
    `/etc/init.d/radiusd restart`;
}