Discarding Duplicate Request

Sat Oct 4 10:45:29 CEST 2014

Thanks John and all.

Just a one question though. I installed new freeradius server (all testing
purpose) with new samba 3.6.9. I did not have to start smb -nmb daemon.
just started winbind and it all worked.  This probably normal?

in my production environment, i have samba, winbind and nmb is running
where lower version of samba is installed.

On Fri, Oct 3, 2014 at 1:53 PM, John Douglass <john.douglass at oit.gatech.edu>
wrote:

>  You have to be using Samba 3.6+ or higher.
>
> - JohnD
>
>
> On 10/02/2014 08:12 PM, Rando Nakarmi wrote:
>
> when I set winbind max domain connections = 12
>
> I get following message
>
> Ignoring unknown parameter "winbind max domain connections"
>
> On Thu, Oct 2, 2014 at 4:56 PM, John Douglass <
> john.douglass at oit.gatech.edu> wrote:
>
>>
>> On 10/02/2014 12:35 PM, Rando Nakarmi wrote:
>>
>> Hello John,
>>
>>  Thanks
>>
>>  you increased max_request = 16384 (so you have only 64 clients ?)
>>
>>
>>  That was a cut/paste from Phil Huxley who responded to my question. I'm
>> still figuring out how to optimize. I can say that the max domain
>> connections helped A LOT. However, the faster you churn, the more you might
>> hit the Cisco WLC bug. We've seen _less_ but we've added radius servers and
>> moved some controllers to their own radius server pairs. I hate adding
>> radius servers as I feel it masks the real problem and it doesn't solve
>> peak (change of classes) issues.
>>
>>  you set winbind max domain connections = 12 (how do I know which value
>> is right ) (we have around 300 clients (WAPs)
>>
>>  It's really mainly about handling peak connections. With 300 WAPs you
>> probably won't go that high. I have about 500 aps/controller but we have
>> 30k users online at once spread across maybe 20 controllers with multiple
>> controllers on each radius server.
>>
>> Actually I increased winbind max domain connections to 128. The way I
>> kind of felt that out was to (on the linux/unix server)
>>
>> lsof | grep winbind | grep TCP
>>
>> You can see the number of TCP connections to the AD server. We were
>> hitting or initial limit of 50 during peak times. I just increased it to a
>> high enough number so that I probably won't reach it. The number of
>> connections goes up and down. On a radius failover we might be generating a
>> lot of connections but they eventually close and die off.
>>
>>
>>  so I set the max_request= 300*256 (I use 256 the value which is in the
>> radious.conf file)
>>
>>  winbind max clients = 1200 ( has anybody used this parameter ? is this
>> mean how many winbind client can connect to AD ?
>>
>>
>>  I'm actually not 100% sure on that stat/setting. :) I don't think I
>> really care about it enough. No really sure how to determine this one. The
>> documentation isn't really pointing out what that means (on samba.org)
>>
>>
>>  --cheers
>> Rando
>>
>>
>>
>> On Thu, Oct 2, 2014 at 3:27 PM, John Douglass <
>> john.douglass at oit.gatech.edu> wrote:
>>
>>>  :) Rando,
>>>
>>> There has been much discussion on this list about that problem. IF you
>>> are using Cisco WLC, there is a flaw in the way radius is processed which
>>> could lead to these log messages. Here is the previous set of threads that
>>> have some pointers as to what to look at.
>>>
>>> Cisco WLCs use the same source port and the 8-bit ID that is used to
>>> track radius conversations during peak times, gets cycled so fast that it
>>> creates duplicates where there really shouldn't be. We are pushing Cisco
>>> hard to fix this flaw in their design especially since they are creating
>>> controllers with more and more capacity. The problem is only going to get
>>> worse.
>>>
>>> I highly suggest you move to radius 2.2.5 and enable the ntlm_auth
>>> timeout and upgrade your samba to 3.6 where you can add some additional
>>> parameters. Here are some hints that Phil Huxley shared with us that have
>>> been helpful in making our services better. The issues haven't been handled
>>> 100%, and there are other things to consider like if using a Cisco WLC,
>>> enabling client exclusion, etc, etc but I don't have a ton of info on that
>>> as I just run the radius servers.
>>>
>>>
>>> http://lists.freeradius.org/pipermail/freeradius-users/2014-September/073929.html
>>>
>>> - John Douglass @ Georgia Tech
>>>
>>> PS: I really need to write up a blog post about this :)
>>> PSS: Yes we know AD is slow and it sucks as a backend but for a lot of
>>> us, it's what we have to deal with :)
>>>
>>>
>>>
>>> On 10/02/2014 11:10 AM, Rando Nakarmi wrote:
>>>
>>>   I been seeing quite a large number of message like below logged in
>>> radius.log lately.
>>>
>>>  Discarding duplicate request from client classroom98 port 32880 - ID:
>>> 131 due to unfinished request 241848
>>>
>>>  I read some thread, this might be the case when back-end server (i.e
>>> auth servers) are too slow to respond.
>>>
>>>  My back-end is AD, using ntlm_auth.
>>> radius version 2.1.12-4
>>> samba version 3.5.8-68
>>>
>>>  Any hints or suggestion how to resolve this would be very helpful.
>>>
>>>  Most of the users get authenticated ( I don't think ntlm_auth is
>>> responding slow), I could not figure this out
>>>
>>>  --cheers,
>>> Rando
>>>
>>>
>>>   -
>>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>>>
>>>
>>>
>>> -
>>> List info/subscribe/unsubscribe? See
>>> http://www.freeradius.org/list/users.html
>>>
>>
>>
>>
>> -
>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>>
>>
>>
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
>>
>
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20141004/f8486317/attachment-0001.html>