Running ntlm_auth as a connection pool

Arnab Roy arnabroy at mail.com
Mon Sep 4 17:38:02 CEST 2017


   Hi Alan,

   Thanks for that, so the way I have got it to work with NTLM_AUTH is by
   executing it like so:

   export WINBINDD_SOCKET=/var/cache/samba/domain &&
   /usr/local/samba/bin/ntlm_auth
   --configfile=/etc/samba/domainsmb.conf ........

   How can I pass a similar variable to the mschap module in FR so that it
   can pass it to Samba? I am assuming this is not possible without any
   changes to FR code?

   Many Thanks
   Arnab

   Sent: Sunday, September 03, 2017 at 11:22 PM
   From: "Alan DeKok" <aland at deployingradius.com>
   To: "FreeRadius users mailing list"
   <freeradius-users at lists.freeradius.org>
   Subject: Re: Running ntlm_auth as a connection pool
   On Sep 3, 2017, at 5:22 PM, Arnab Roy <arnabroy at mail.com> wrote:
   > So I took things apart today. I switched to using direct winbind on a
   > test machine ... what a difference in performance, you can't even
   > compare the two methods' performance.
   That's to be expected.
   > To check where such high cost of performance comes from I replaced
   > ntlm auth with a simple shell script which just echoed back the NT key
   > and another one directly calling the NTLM_AUTH and the results were
   > the same.
   > So it seems like the cost of calling an external binary from inside
   > the server is extremely high.
   It's always expensive to create sub-processes. Especially if the server
   is trying to do 1000's of authentications per second.
   > So I went back to the friendly folks at samba and they kindly pointed
   > me to the section of the code responsible for obtaining the winbindd
   > path. I managed to recompile ntlm_auth and it works but it's
   > pointless.
   Why?
   > The file in question in samba is under nsswitch/wb_common.c
   > My question is does freeradius use the same code as samba for the
   > client side communication?
   FreeRADIUS uses the Samba libraries to talk to winbindd. If you
   recompile the Samba libraries, the server will use them.
   > Can it be tweaked and compiled to behave
   > similarly? That would solve my problems for now.
   Just have it use the recompiled Samba libraries.
   Alan DeKok.
   -
   List info/subscribe/unsubscribe? See
   http://www.freeradius.org/list/users.html