Instrumentation for monitoring ntlm_auths against domain controllers

Matthew Newton mcn4 at leicester.ac.uk
Wed Oct 19 14:00:34 CEST 2016


On Wed, Oct 19, 2016 at 12:49:44PM +0100, Paul Seward wrote:
> What I'd like to do, is put some instrumentation in place that would allow
> our monitoring server to fire ntlm_auth's at a specified domain controller
> (rather than whichever one winbind happens to have connected to) so that we
> can monitor latency to all of them, and use the resulting graphs to
> pinpoint any that are under performing.
> 
> I can't see an obvious way to make that happen, so if anyone has any
> pointers we'd really appreciate it!

I don't remember seeing anything like that when working on that
code.

You can tell winbind which DC to talk to, but that's not going to
help much. The auth functions don't let you know which DC was
used. Bumping up winbind logging level might give you something,
but they get very verbose so you'd probably want to write to
ramdisk to save IO and then scrape info from there. But on log
levels 9 or 10 or so it gets pretty detailed.

You might be able to find which DC is being used, and an
indicative latency, by writing a small program to call wbcPingDc2
and note the time taken to respond and which DC was used. Logging this
once a minute might help, as I don't think winbind generally moves
to a different DC without good reason (and the old versions were
notoriously bad at moving to a different DC even when it needed
to), so may give some good telemetry.

Matthew


-- 
Matthew Newton, Ph.D. <mcn4 at leicester.ac.uk>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
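A probe along the lines Matthew describes, as an added example that is not part of the original thread: it calls wbcPingDc2 from libwbclient through Python's ctypes, records which DC answered and the round-trip time, and rolls per-DC failure counts and maximum latency up for graphing. The library soname (libwbclient.so.0), the function names, the injectable `call` hook used for offline testing and the summary format are assumptions of this example, not anything from the post.

```python
"""Time winbind's DC round trip via libwbclient's wbcPingDc2 (added example)."""
import ctypes
import time

WBC_ERR_SUCCESS = 0   # wbcErr enum value from wbclient.h

def load_wbclient(path="libwbclient.so.0"):
    """Load libwbclient (assumed soname) and declare the prototypes used below."""
    lib = ctypes.CDLL(path)
    # wbcErr wbcPingDc2(const char *domain, struct wbcAuthErrorInfo **error, char **dcname)
    lib.wbcPingDc2.argtypes = [ctypes.c_char_p, ctypes.POINTER(ctypes.c_void_p),
                               ctypes.POINTER(ctypes.c_char_p)]
    lib.wbcPingDc2.restype = ctypes.c_int
    lib.wbcErrorString.argtypes = [ctypes.c_int]       # const char *wbcErrorString(wbcErr)
    lib.wbcErrorString.restype = ctypes.c_char_p
    lib.wbcFreeMemory.argtypes = [ctypes.c_void_p]     # void wbcFreeMemory(void *)
    lib.wbcFreeMemory.restype = None
    return lib

def raw_ping(lib, domain):
    """One wbcPingDc2 call: returns (rc, dcname or None, error text or None)."""
    err = ctypes.c_void_p()        # struct wbcAuthErrorInfo *, opaque here
    dcname = ctypes.c_char_p()
    rc = lib.wbcPingDc2(domain.encode() if domain else None,
                        ctypes.byref(err), ctypes.byref(dcname))
    name = dcname.value.decode() if dcname.value else None
    text = None if rc == WBC_ERR_SUCCESS else lib.wbcErrorString(rc).decode()
    for p in (dcname, err):        # both buffers are allocated by libwbclient
        if p.value:
            lib.wbcFreeMemory(ctypes.cast(p, ctypes.c_void_p))
    return rc, name, text

def ping_dc(lib, domain=None, call=raw_ping):
    """Time one probe; 'call' is an assumed hook so the timing logic runs offline."""
    start = time.perf_counter()
    rc, name, text = call(lib, domain)
    ms = (time.perf_counter() - start) * 1000.0
    return {"ok": rc == WBC_ERR_SUCCESS, "dc": name, "ms": round(ms, 3), "err": text}

def summarize(samples):
    """Per-DC sample count, failure count and worst latency from ping_dc() results."""
    out = {}
    for s in samples:
        d = out.setdefault(s["dc"] or "(none)", {"n": 0, "fail": 0, "max_ms": 0.0})
        d["n"] += 1
        d["fail"] += 0 if s["ok"] else 1
        d["max_ms"] = max(d["max_ms"], s["ms"])
    return out

if __name__ == "__main__":
    import sys
    s = ping_dc(load_wbclient(), sys.argv[1] if len(sys.argv) > 1 else None)
    print(f"{time.strftime('%FT%T')} dc={s['dc']} ok={s['ok']} ms={s['ms']} err={s['err']}")
```

Run it from cron once a minute with the domain name as the only argument and feed the printed line into whatever the monitoring server graphs; a change in the `dc=` field is the DC switch Matthew mentions.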