On 12/28/2012 10:41 PM, Alan Buxey wrote:
Hmm, having run FR with AD authentication using winbindd and samba for
many, many years I am interested in what problems with those daemons you
were having ... why need the frequent restarts etc.  eduroam certainly
wouldn't have had the high take-up we've seen in e.g. Europe if all sites
had to reengineer their backend authentication and couldn't use
PEAP/MSCHAPv2.

In fairness, we've seen the occasional problem, though very rarely, that has required a restart of winbind.

I have the impression that winbind is extremely (and I do mean extremely) sensitive to certain aspects of an AD configuration, such as your domain "level", version of domain controllers, group policy mandating SMB sign/seal, and so forth. So there are a lot of variables in there. Maybe academic sites trend towards a config that's more forgiving?

Winbind also only ever talks to one domain controller at a time, and takes an age to failover (90+ seconds) if that DC goes away. On a couple of occasions, the problems we've had have followed a DC being taken out of service, and have necessitated a restart of both smbd and winbindd - winbind just seems to hang. But on other occasions, it hasn't been a problem - weird.

I also suspect it's *highly* dependent on the Samba version. Many people just run the packaged OS version, and these are often older 3.x releases that don't play well with their combination of features.

Just to repeat: the problems we've had are rare. But software is usually fairly deterministic and I guess if other people experience the triggers more often, they'll have the problems more often.

If I had the time, I'd engage in some serious resilience testing of a samba/winbind config as used for MSCHAP and try to identify the cause (and open some bugs) and any mitigations. But I don't :o(

Unfortunately, if you run AD and have significant numbers of Windows clients, you don't really have any choice but to use MSCHAP, and thus samba/winbind, IMO.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
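A liveness probe in the spirit of the resilience testing the poster wishes for, added here as an example rather than code from this thread, FreeRADIUS or Samba. It separates a winbindd that answers within a short deadline, one that fails outright, and one that hangs (the failure mode the poster describes), using only GNU coreutils `timeout` and the standard `wbinfo -p` / `wbinfo -t` probes; the OK/FAIL/HANG convention and the `WINBIND_PROBE_DEADLINE` variable are this script's own assumptions.

```shell
#!/bin/sh
# Liveness probe for winbindd: distinguishes a hung daemon (no answer within
# the deadline) from an outright failure (quick non-zero exit).
# Added example, not from the FreeRADIUS or Samba projects. Assumes GNU
# coreutils `timeout`; `wbinfo -p` pings winbindd and `wbinfo -t` checks the
# machine trust account. Exit-code/labels below are this script's own.

# Seconds to wait; kept far below winbind's own 90 s+ DC failover.
DEADLINE="${WINBIND_PROBE_DEADLINE:-5}"

# probe <seconds> <command...>
# Prints OK, FAIL or HANG and returns 0, 1 or 2 respectively.
probe() {
    deadline="$1"; shift
    if timeout "$deadline" "$@" >/dev/null 2>&1; then
        rc=0
    else
        rc=$?
    fi
    case "$rc" in
        0)   echo OK;   return 0 ;;
        124) echo HANG; return 2 ;;   # timeout(1) exits 124 when the deadline expires
        *)   echo FAIL; return 1 ;;   # includes 127: wbinfo not installed
    esac
}

# run_checks: runs each probe and returns the worst result seen
# (0 = all OK, 1 = a probe failed, 2 = a probe hung). A hang is ranked worst
# because, as the thread notes, a hung winbind only recovers on restart.
run_checks() {
    worst=0
    for cmd in "wbinfo -p" "wbinfo -t"; do
        result=$(probe "$DEADLINE" $cmd)   # word-splitting of $cmd is intended
        rc=$?
        printf '%-10s %s\n' "$cmd" "$result"
        [ "$rc" -gt "$worst" ] && worst=$rc
    done
    return "$worst"
}

# Run once; the overall status can feed a monitoring system or a watchdog
# that restarts winbindd on HANG (exit status 2).
status=0
run_checks || status=$?
echo "overall: $status"
```

Run it from cron or a systemd timer on the RADIUS host; treat repeated HANG results around a DC outage as the signal to restart winbindd rather than waiting out its failover.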