On 07/02/13 09:51, Antonio Alberola wrote:
The PAM APIs are synchronous, and don't offer timeout options.
It's not possible to time out a PAM call; FreeRADIUS is entirely
at the mercy of PAM.

Don't use PAM, it's not suitable for your needs. Use "ntlm_auth",
and FreeRADIUS can time out the call.

We migrated to PAM when the problems started. Previously we used "ntlm_auth"
and the problem appeared more frequently. I also recommended using
PAM-Kerberos because they said it was better integrated with Windows.
Is "ntlm_auth" the best way to authenticate with Windows AD? We have several
domains to authenticate and need stability in case one of them does not
respond.

The problem is, you're being way too vague and imprecise.

If you can describe the problem you're having, in correct terminology, people might be able to make a suggestion. Be specific about the issues, the architecture you have, what you're trying to achieve, and so on.

From what you've described so far, it sounds like you are losing connectivity to one or more AD controllers, which is causing PAM to hang (waiting for a Kerberos reply) or Samba/ntlm_auth to hang (waiting for an RPC reply).

It should be obvious what the solution is - reliable connectivity to a reliable AD controller.
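
Added illustration (not part of the original thread, and not FreeRADIUS code): an external helper such as ntlm_auth can be bounded by a timeout because the caller can stop waiting and kill the child process, which is not possible for a synchronous in-process PAM call. The helper commands below are constructed stand-ins for a per-domain helper, and `run_auth_helper` and `check_domains` are hypothetical names.

```python
import os
import signal
import subprocess
import sys

def run_auth_helper(argv, timeout_s):
    """Run an external auth helper; return 'ok', 'reject' or 'timeout'."""
    # start_new_session puts the helper in its own process group, so a
    # wrapper script and anything it spawned can be killed together.
    proc = subprocess.Popen(argv, stdout=subprocess.DEVNULL,
                            stderr=subprocess.DEVNULL,
                            start_new_session=True)
    try:
        rc = proc.wait(timeout=timeout_s)
    except subprocess.TimeoutExpired:
        # The backend (e.g. an unreachable domain controller) never answered:
        # kill the whole group and reap it so no zombie is left behind.
        os.killpg(proc.pid, signal.SIGKILL)
        proc.wait()
        return "timeout"
    return "ok" if rc == 0 else "reject"

def check_domains(helpers, timeout_s):
    """Run one helper per domain; a hung domain cannot block the others."""
    return {domain: run_auth_helper(argv, timeout_s)
            for domain, argv in helpers.items()}

# Constructed stand-ins: each command imitates a helper talking to one domain.
SAMPLE_HELPERS = {
    "DOMAIN_A": [sys.executable, "-c", "import sys; sys.exit(0)"],      # accepts
    "DOMAIN_B": [sys.executable, "-c", "import time; time.sleep(60)"],  # hangs
    "DOMAIN_C": [sys.executable, "-c", "import sys; sys.exit(1)"],      # rejects
}

if __name__ == "__main__":
    for domain, outcome in check_domains(SAMPLE_HELPERS, 2.0).items():
        print(domain, outcome)
```

A "timeout" result is distinct from "reject", so the caller can treat an unresponsive domain as a failure of the backend rather than of the user's credentials.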